What does Clause 4 require?
Clause 4 establishes the foundation for your Privacy Information Management System (PIMS) by requiring you to understand the context in which your organisation operates, who your interested parties are, and what scope your PIMS covers. It consists of four sub-clauses that build upon each other to create a complete picture of your privacy landscape.
4.1 Understanding the organisation and its context
The organisation must determine the external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcomes of the PIMS. This includes:
- External issues — Privacy legislation and regulations (such as GDPR), industry requirements, contractual obligations, technological developments and the competitive environment
- Internal issues — Organisational culture, governance structure, existing policies, resource availability and staff competence
- Climate change (Clauses 4.1 and 4.2) — A new addition in the 2025 edition, requiring organisations to determine whether climate change is a relevant issue that could affect the PIMS
- Controller or processor role — The organisation must determine whether it acts as a PII controller, PII processor, or both, as this determines which Annex A controls apply
4.2 Understanding the needs and expectations of interested parties
The organisation must identify the interested parties relevant to its PIMS and understand their requirements. Key interested parties typically include:
- PII principals — The individuals whose personal data is being processed
- Customers — PII controllers that engage your organisation as a processor, or customers that supply PII which your organisation processes for its own purposes
- Regulators and supervisory authorities — Data protection authorities with oversight responsibilities
- Employees and contractors — Staff involved in PII processing activities
- Third parties and subcontractors — Entities involved in the supply chain who may process PII
For each interested party, you must determine which of their requirements are relevant to the PIMS and which will be addressed through the management system.
4.3 Determining the scope of the PIMS
The organisation must determine the boundaries and applicability of the PIMS to establish its scope. When determining scope, the organisation shall consider:
- The external and internal issues identified in 4.1
- The requirements of interested parties identified in 4.2
- The interfaces and dependencies between activities performed by the organisation and those performed by other organisations
- The PII processing activities within scope, including types of PII, categories of PII principals and processing purposes
The scope shall be available as documented information, so auditors and interested parties can see exactly what the PIMS covers.
4.4 Privacy Information Management System
The organisation must establish, implement, maintain and continually improve a PIMS, including the processes needed and their interactions, in accordance with the requirements of the standard. This is the overarching requirement that ties together all subsequent clauses.
How does this relate to GDPR?
Clause 4 supports several GDPR requirements:
- Article 24 — Responsibility of the controller, requiring organisations to implement appropriate measures considering the nature, scope, context and purposes of processing
- Article 25 — Data protection by design and by default, which is supported by understanding context and scope upfront
- Article 26 — Joint controllers, relevant when determining your role as controller or processor
- Article 28 — Processor requirements, which depend on correctly identifying your role under Clause 4.1
- Article 30 — Records of processing activities, which requires understanding the scope of PII processing
What changed from ISO 27701:2019?
Key changes in Clause 4 compared to the 2019 edition:
- Standalone requirements — In 2019, Clause 5.2 supplemented ISO 27001 Clause 4. Now the requirements are self-contained and complete
- Climate change consideration — New requirement in Clauses 4.1 and 4.2 to assess whether climate change is a relevant issue
- Explicit role determination — The requirement to determine controller or processor status is now clearly embedded in the context analysis
- PII processing scope — Greater emphasis on documenting the types and categories of PII within scope
For the full mapping between 2019 and 2025 clauses, see the Annex F correspondence table.
What evidence do auditors expect?
When assessing Clause 4 compliance, auditors will typically look for:
- Context analysis document — A formal assessment of internal and external issues relevant to the PIMS
- Interested parties register — A documented list of relevant interested parties, their requirements and how these are addressed
- PIMS scope statement — A clear, documented scope defining the boundaries and applicability of the PIMS
- Role determination — Documented evidence of how you determined whether you act as controller, processor or both
- PII inventory — A register of PII types, categories of PII principals and processing purposes within scope
Related clauses
| Clause | Relationship |
|---|---|
| Clause 5: Leadership | Leadership commitment and privacy policy are informed by the context analysis |
| Clause 6: Planning | Risk assessment and objectives are based on the scope and context established here |
| Clause 8: Operation | Operational processes must operate within the defined scope |
Why choose ISMS.online for Clause 4 compliance?
ISMS.online provides structured tools for establishing your PIMS context:
- Context analysis templates — Pre-built frameworks for identifying and documenting internal and external issues relevant to privacy
- Interested parties register — Maintain a dynamic register of stakeholders with their requirements and how you address them
- Scope management — Define and document your PIMS scope with clear boundaries, including PII processing activities
- Role mapping — Document your controller and processor roles across different processing activities
- Gap analysis — Identify where your current practices meet Clause 4 requirements and where improvements are needed
FAQs
Can the PIMS scope be narrower than the whole organisation?
Yes. The scope can cover specific business units, locations, processing activities or product lines. However, the scope must be justified and documented, and you need to address how interfaces with out-of-scope areas are managed. Auditors will check that the scope is appropriate and not artificially narrow to avoid addressing key privacy risks.
How does the climate change requirement work in practice?
The requirement is to determine whether climate change is a relevant issue, not to conduct a full environmental assessment. For most organisations, this means briefly considering whether climate-related events (such as extreme weather, regulatory changes or supply chain disruptions) could affect the PIMS. Document your consideration and conclusions as part of your context analysis.
What if our organisation acts as both a controller and processor?
Many organisations act as both depending on the processing activity. You must identify which role applies to each processing activity and document this clearly. Both sets of Annex A controls (Table A.1 for controllers and Table A.2 for processors) will then apply to the relevant activities, along with the shared controls in Table A.3.