
Enhancing Privacy Management: Continuous Improvement Under ISO 27701 Clause 5.8

For the purposes of ISO adherence, across all of its information security and privacy protection standards, a nonconformity is broadly defined as any failure to meet a requirement of the standard.

Nonconformities can be internal or external: a failure to follow the organisation’s own policies and procedures, or a failure to meet the legal and regulatory requirements that apply to it as a PII controller or processor.

What’s Covered in ISO 27701 Clause 5.8

ISO 27701 Clause 5.8 deals with an organisation’s ability to detect, manage, resolve and evaluate nonconformities within the scope of a PIMS, and its broader privacy protection policy.

The guidance revolves around two key stages – dealing with nonconformities at point of discovery, and what should happen in order to prevent them from recurring.

Both sub-clauses of ISO 27701 5.8 restate requirements from ISO 27001 Clause 10; in ISO 27701 they apply to nonconformities in privacy protection and the management of the PIMS, rather than the ISMS.

  • ISO 27701 5.8.1 – Nonconformity and corrective action (References ISO 27001 Clause 10.1)
  • ISO 27701 5.8.2 – Continual improvement (References ISO 27001 Clause 10.2)

ISO 27701 5.8 adds no PIMS-specific guidance beyond what ISO 27001 already requires, and no GDPR articles are mapped to it. Note that the clause numbers above follow ISO 27001:2013, on which ISO 27701:2019 is based; ISO 27001:2022 reverses the order (10.1 Continual improvement, 10.2 Nonconformity and corrective action).

ISO 27701 Clause 5.8.1 – Nonconformity and Corrective Action

References ISO 27001 Clause 10.1

When the organisation discovers a nonconformity, it should:

  1. React to it: take action to control and correct it.
  2. Deal with any consequences.
  3. Evaluate the need for action to eliminate the root cause, so that the nonconformity does not recur or occur elsewhere, by:
    • Reviewing the nonconformity and determining why it happened.
    • Determining whether similar nonconformities exist, or could occur, elsewhere in the PIMS or in other processing of PII.

  4. Implement any action needed, and review the effectiveness of the corrective action taken.
  5. Make changes to the PIMS where necessary to improve its effectiveness.

ISO stipulates that corrective actions should be appropriate to the effects of the nonconformity encountered: a minor procedural slip and a disclosure of PII do not warrant the same response.

Documented information should be retained as evidence of:

  • The nature of the nonconformity and any subsequent actions taken.
  • The results of any corrective action.
  • The effect of those actions on privacy protection, the PII concerned and the ongoing development of the PIMS.

ISO 27701 Clause 5.8.2 – Continual Improvement

References ISO 27001 Clause 10.2

ISO 27001 Clause 10.2 requires the organisation to continually improve the suitability, adequacy and effectiveness of its management system. Applied to a PIMS, and by extension to the privacy protection policy it supports, that means asking three questions:

  • Suitability – Is the PIMS a good fit for the nature of the organisation’s operations and the kinds of PII and other information it processes on a regular basis?
  • Adequacy – Does the PIMS have sufficient resources and scope to carry out its role, and does it cover the organisation’s responsibilities as a PII controller or processor?
  • Effectiveness – Is the PIMS achieving its intended outcomes, within the scope of what is required of it?

Supporting Controls From ISO 27001 and GDPR

| ISO 27701 Clause Identifier | ISO 27701 Clause Name | ISO 27001 Requirement | Associated GDPR Articles |
| --- | --- | --- | --- |
| 5.8.1 | Nonconformity and Corrective Action | 10.1 – Nonconformity and Corrective Action | None |
| 5.8.2 | Continual Improvement | 10.2 – Continual Improvement | None |

How ISMS.online Helps

By adding a PIMS to your ISMS on the ISMS.online platform, your security and privacy posture stays all in one place, and you avoid duplicating work where the two standards overlap.

With your PIMS instantly accessible to interested parties, it’s never been easier to monitor, report and audit against both ISO 27001 and ISO 27701 at the click of a button.

Find out how much time and money you’ll save on your journey to a combined ISO 27001 and 27701 certification using ISMS.online by booking a demo.


Toby Cane

Partner Customer Success Manager

Toby Cane is the Senior Partner Success Manager for ISMS.online. He has worked for the company for close to 4 years and has performed a range of roles, including hosting their webinars. Prior to working in SaaS, Toby was a Secondary School teacher.