ISO 27701 Checklist

ISO 27701 Certification

ISO 27701:2019 Checklist

Privacy Information Management

1.0 Context


2.0 Planning

Need a Quick Quote?

Get Your Free ISO Checklist

Training Sessions

Our training course are designed to provide a basic and contextualised introduction to ISO certification as well as provide a practical overview of how it applies to your business.

Contact Us

Speak to one of our helpful team about your certification needs.

3.0 Information Security Policies

4.0 Organisation of Information Security

5.0 Human Resource Community

6.0 Asset Management

7.0 Access Control

8.0 Cryptographic Controls

9.0 Physical and Environmental Security

10.0 Communications Security

11.0 Operations Security

12.0 Systems Acquisition, Development & Maintenance

13.0 Information Security Management

  • Description
  • Time Period
  • Consequence
  • Who reported it
  • To whom it was reported
  • How it was resolved
  • Description of the loss/unavailability of PII

14.0 Compliance

15.0 Supplier Relationships

ANNEX – Additional Information

7.2 Conditions for collecting and processing
Documented legality & purposes for data collection.
Documented processes for obtaining consent from the PII.
Roles and responsibilities of any joint PII controller(s).

7.3 Obligations to PII Principals
Documented legal, regulatory, and business obligations to PII principals Method by which the PII Principal can access, correct
and/or erase data and modify or withdraw consent or object to processing, and have changes communicated to any third parties.
Ability to provide a copy of processed data to the PII Principal on request.
Documented policies and procedures on handling legitimate PII Principal requests.

7.4 Privacy by design and privacy by default
Limit data collection and processing to only what information is relevant and necessary. Documented data minimisation objectives and mechanisms to meet objectives. Delete or de-identify PII upon completion of processing and. Only retain PII for as long as necessary. Documented policies and procedures for secure disposal of PII

7.5 PII sharing, transfer and disclosure
Documented justification for the transfer of PII between jurisdictions as well as which countries and international organisations PII may be allowed to be transferred. Record transfers of PII between third parties
8.2 Conditions for collecting and processing
The contract to process PII addresses your role in providing assistance with the customer’s obligations
Ensure PII are only processed for the purposes expressed by the customer and inform the customer if a processing instruction infringes any applicable legislation and/or regulation. Document and maintain records in support of demonstrating compliance with the obligations as specified in the contract

8.3 Obligations to PII Principals
Provide the customer with the means to comply with obligations related to PII principals. Provide PII Principals with the appropriate information
relating to processing of their PII

8.4 Privacy by design and privacy by default
Temporary files created as a result of the processing of PII are disposed of securely Documented policy on secure return, transfer, and disposal of PII available to the customer controls in place for the transmission of PII to ensure the information reaches the intended destination

8.5 PII sharing, transfer and disclosure
Obligation to inform the customer of the justification for any intended transfers between jurisdictions, giving the customer the option to object. Maintain records of what PII has been disclosed to third parties as well as to whom and when. Obligation to notify the customer of any legally binding requests for PII to be disclose. Reject non-legally binding requests for disclosure of PII or consult the customer before disclosing PII
Disclose any use of subcontractors to the customer and engage with subcontractors in accordance with the agreement with the customer, and inform the customer of intended changes regarding the use of subcontractors giving the customer the option to object.

What is Privacy Information Management Systems?

ISO 27701 Privacy Information Management Systems is an extension of ISO 27001 designed to help organisations meet these everchanging legal requirements surrounding data collection and privacy.

Why do I need ISO 27701 Privacy Certification?

Certification to ISO 27701 provides you with an independent endorsement that your Privacy Information Management System meets international standards, giving your stakeholders confidence that you take privacy seriously.

What are the benefits of Privacy Certification?

ISO 27701 Privacy Certification provides your organisation with an independent endorsement to stakeholders that your organisation takes privacy seriously and has adequate systems in place to manage sensitive information.

How can I get certified?

Getting ISO certification is a lot easier than you might think, We take you through the three step audit process from your initial enquiry to the final certification decision.

ISO 27701 Certification Throughout Australia

Compass Assurance Services have offices and staff located throughout Australia including Brisbane, Melbourne, Perth and, Adelaide, Sydney, to help those all over Australia receive their ISO 27701 certification.

Want to speak to someone?

Contact Us

Contact us and speak to one of our helpful team about your ISO certification needs. We can offer certification to smaller, niche standards and to other non-accredited (non ISO) standards as well.

Request a Quote

Request an obligation free quote today, tailored specifically to your business’ certification needs and industry.

Our Values

Our Policies