Skip to content
ISMS.online

ISO 27701:2025 Annex C: Mapping to ISO/IEC 29100 Privacy Principles

Annex C maps ISO 27701:2025 controls to the 11 privacy principles defined in ISO/IEC 29100. This mapping shows how your PIMS implementation aligns with internationally recognised privacy fundamentals.

Author
Max Edwards
Updated March 19, 2026
4/5 Stars

What is ISO/IEC 29100 and why does it matter?

ISO/IEC 29100 defines a privacy framework including 11 privacy principles that provide a high-level foundation for protecting personally identifiable information. These principles are technology and jurisdiction neutral, making them a reference point for privacy legislation worldwide.

Annex C of ISO 27701:2025 maps the standard’s controls to these principles, showing how a practical PIMS implementation supports fundamental privacy objectives. The mapping is informative (not normative) and is presented in two tables: Table C.1 for PII controllers and Table C.2 for PII processors.

How do PII controller controls map to privacy principles?

ISO 29100 Privacy Principle Related ISO 27701:2025 Controls
1. Consent and choice A.1.2.2 Identify and Document Purpose, A.1.2.3 Identify Lawful Basis, A.1.2.4 Determine Consent, A.1.2.5 Obtain and Record Consent, A.1.2.6 Privacy Impact Assessment, A.1.3.5 Modify or Withdraw Consent, A.1.3.6 Object to PII Processing, A.1.3.8 Inform Third Parties
2. Purpose legitimacy and specification A.1.2.2 Identify and Document Purpose, A.1.2.3 Identify Lawful Basis, A.1.2.6 Privacy Impact Assessment, A.1.3.3 Information for PII Principals, A.1.3.4 Providing Information, A.1.3.11 Automated Decision Making
3. Collection limitation A.1.2.6 Privacy Impact Assessment, A.1.4.2 Limit Collection
4. Data minimization A.1.4.3 Limit Processing, A.1.4.5 PII Minimisation, A.1.4.6 De-identification and Deletion
5. Use, retention and disclosure limitation A.1.4.5 PII Minimisation, A.1.4.6 De-identification and Deletion, A.1.4.7 Temporary Files, A.1.4.8 Retention, A.1.4.9 Disposal, A.1.5.2 Basis for PII Transfer, A.1.5.5 Records of PII Disclosures
6. Accuracy and quality A.1.4.4 Accuracy and Quality
7. Openness, transparency and notice A.1.3.3 Information for PII Principals, A.1.3.4 Providing Information
8. Individual participation and access A.1.3.2 Obligations to PII Principals, A.1.3.4 Providing Information, A.1.3.7 Access, Correction or Erasure, A.1.3.9 Providing Copy of PII, A.1.3.10 Handling Requests
9. Accountability A.1.2.7 Contracts with PII Processors, A.1.2.8 Joint PII Controller, A.1.2.9 Records of Processing PII, A.1.3.10 Handling Requests, A.1.5.2 Basis for PII Transfer, A.1.5.3 Countries for PII Transfer, A.1.5.4 Records of PII Transfer
10. Information security A.1.2.7 Contracts with PII Processors, A.1.4.10 PII Transmission Controls
11. Privacy compliance A.1.2.6 Privacy Impact Assessment


Find your compliance confidence, with ISMS.online

Get started easily with a personal product demo

One of our onboarding specialists will walk you through our platform to help you get started with confidence.

Book your demo


How do PII processor controls map to privacy principles?

ISO 29100 Privacy Principle Related ISO 27701:2025 Controls
1. Consent and choice A.2.2.6 Customer Obligations
2. Purpose legitimacy and specification A.2.2.2 Customer Agreement, A.2.2.3 Organisation Purposes, A.2.2.4 Marketing and Advertising, A.2.2.5 Infringing Instruction, A.2.3.2 Obligations to PII Principals
3. Collection limitation N/A
4. Data minimization A.2.4.2 Temporary Files
5. Use, retention and disclosure limitation A.2.5.4 Records of PII Disclosures, A.2.5.5 PII Disclosure Requests, A.2.5.6 Legally Binding Disclosures
6. Accuracy and quality N/A
7. Openness, transparency and notice A.2.5.7 Disclosure of Subcontractors, A.2.5.8 Engaging Subcontractors, A.2.5.9 Change of Subcontractor
8. Individual participation and access A.2.3.2 Obligations to PII Principals
9. Accountability A.2.2.7 Records of Processing PII, A.2.4.3 Return, Transfer or Disposal, A.2.5.2 Basis for PII Transfer, A.2.5.3 Countries for PII Transfer
10. Information security A.2.4.4 PII Transmission Controls
11. Privacy compliance A.2.2.6 Customer Obligations

Note that “Collection limitation” and “Accuracy and quality” show N/A for processors. This reflects the reality that these principles are primarily the responsibility of the PII controller, not the processor.

How should you use this mapping?

The ISO 29100 mapping is useful for:

  • Training and awareness: Helping staff understand the “why” behind specific controls by connecting them to fundamental privacy principles
  • Management reporting: Presenting PIMS progress in terms of privacy principles rather than technical control numbers
  • Multi-jurisdictional compliance: Since the 29100 principles are jurisdiction neutral, this mapping can support organisations operating across different privacy regulatory regimes
  • Gap identification: Principles with few mapped controls may indicate areas where your PIMS needs additional operational procedures beyond the standard’s minimum requirements


ISMS.online supports over 100 standards and regulations, giving you a single platform for all your compliance needs.

Manage all your compliance, all in one place

ISMS.online supports over 100 standards and regulations, giving you a single platform for all your compliance needs.

Book your demo


Why choose ISMS.online for privacy principle alignment?

ISMS.online helps you demonstrate how your PIMS supports fundamental privacy principles:

  • Multi-framework mapping — See how each control links to ISO 29100 principles, GDPR articles and other regulatory requirements
  • Principle-based reporting — Generate views grouped by privacy principle rather than control number
  • Evidence linking — Attach the same evidence to multiple controls and frameworks without duplication
  • Gap analysis — Identify which principles need additional attention based on your control implementation status
  • Audit support — Present auditors with clear traceability from principles to controls to evidence

FAQs

What is the relationship between ISO 29100 and ISO 27701?

ISO/IEC 29100 defines the privacy framework and principles that underpin ISO 27701. ISO 29100 is a normative reference for ISO 27701:2025, meaning its terms and definitions apply. Annex C shows how the standard’s specific, auditable controls map back to these foundational principles.

Do I need to implement ISO 29100 separately?

No. ISO 29100 is a framework document that defines principles and terminology. It is not a certifiable management system standard. By implementing ISO 27701:2025, you are applying these principles through specific, actionable controls.

Why do some principles show N/A for PII processors?

Principles like “Collection limitation” and “Accuracy and quality” are primarily the responsibility of the PII controller, who determines the purposes and means of processing. PII processors act under the controller’s instructions, so these principles are addressed through the controller’s controls rather than the processor’s.

Max Edwards

Max works as part of the ISMS.online marketing team and ensures that our website is updated with useful content and information about all things ISO 27001, 27002 and compliance.

Take a virtual tour

Start your free 2-minute interactive demo now and see
ISMS.online in action!

Try it now
platform dashboard full on mint

We’re a Leader in our Field

4/5 Stars
Users Love Us
Leader - Spring 2026
High Performer - Spring 2026 Small Business UK
Regional Leader - Spring 2026 EU
Regional Leader - Spring 2026 EMEA
Regional Leader - Spring 2026 UK
High Performer - Spring 2026 Mid-Market EMEA

"ISMS.Online, Outstanding tool for Regulatory Compliance"

— Jim M.

"Makes external audits a breeze and links all aspects of your ISMS together seamlessly"

— Karen C.

"Innovative solution to managing ISO and other accreditations"

— Ben H.