
Understanding ISO 27701 Clause 5.5.5: Documented Information Requirements

Document control is a crucial part of any privacy protection system, or indeed any broader information security policy.

Throughout its various standards, ISO recognises document management as an ongoing process that is used to demonstrate adherence both to ISO standards and to the organisation’s own privacy protection objectives.

ISO asks organisations to not merely view documented information as an administrative function, but instead use it as a recurring means to improve privacy protection adherence through the structured storage of guidelines that provide clear direction on PII-related activities.

What’s Covered in ISO 27701 Clause 5.5.5

ISO 27701 5.5.5 deals with documented information through three sub-clauses. Each deals with a different set of privacy- and PII-specific guidance points that link back to ISO 27001:

  • ISO 27701 Clause 5.5.5.1 – General (References ISO 27001 Control 7.5.1)
  • ISO 27701 Clause 5.5.5.2 – Creating and updating (References ISO 27001 Control 7.5.2)
  • ISO 27701 Clause 5.5.5.3 – Control of documented information (References ISO 27001 Control 7.5.3)

ISO 27701 5.5.5 doesn’t contain any supplementary guidance on PIMS-specific requirements, nor is it particularly relevant to any specific GDPR articles.








ISO 27701 Clause 5.5.5.1 – General

References ISO 27001 Control 7.5.1

The organisation’s PIMS should include documented information that:

  • Is required for ISO 27701 and ISO 27001 adherence;
  • Improves the efficiency of the PIMS and accompanying privacy protection systems.

ISO 27701 Clause 5.5.5.2 – Creating and Updating

References ISO 27001 Control 7.5.2

Throughout the process of drafting and amending documentation, organisations should:

  1. Include a clear identifying field, with an accompanying description;
  2. Ensure that documents are formatted correctly and are available from the appropriate sources – both physical and electronic;
  3. Adhere to a structured amendment process that reviews documents based on their ability to convey the relevant information.







ISO 27701 Clause 5.5.5.3 – Control of Documented Information

References ISO 27001 Control 7.5.3

Organisations should exercise adequate levels of control and security over their internal document structure to ensure that documents are:

  • Accessible, as and when required, by the relevant authorities and/or personnel;
  • Secure and protected against unauthorised use, breach of confidentiality or any other loss of data integrity.

ISO 27701 Control 5.5.5 asks organisations to consider four main activities when exercising control over privacy protection-related documents:

  1. Distribution (including access and use).
  2. Storage (including document preservation).
  3. Version controls.
  4. Retention.

Alongside the management of internal documents, ISO asks organisations to consider how best to manage their interactions with and control of external documents that are required for the planning and implementation of a PIMS or other privacy/PII-related activities.

Supporting Controls From ISO 27001 and GDPR

| ISO 27701 Clause Identifier | ISO 27701 Clause Name | ISO 27001 Requirement | Associated GDPR Articles |
|---|---|---|---|
| 5.5.5.1 | General | 7.5.1 – General Documentation for ISO 27001 | None |
| 5.5.5.2 | Creating and Updating | 7.5.2 – Creating and Updating Documented Information for ISO 27001 | None |
| 5.5.5.3 | Control of Documented Information | 7.5.3 – Control of Documented Information for ISO 27001 | None |

How ISMS.online Helps

In order to achieve ISO 27701 you must build a Privacy Information Management System (PIMS).

With our preconfigured PIMS you can quickly and easily organise and manage customer, supplier and staff information to fully comply with ISO 27701.

See it in action by booking a demo.


Toby Cane

Partner Customer Success Manager

Toby Cane is the Senior Partner Success Manager for ISMS.online. He has worked for the company for close to 4 years and has performed a range of roles, including hosting their webinars. Prior to working in SaaS, Toby was a Secondary School teacher.
