
What does Clause 9 require?

Clause 9 is the “Check” phase of the Plan-Do-Check-Act cycle. It establishes how your organisation evaluates the performance and effectiveness of the Privacy Information Management System (PIMS) through three mechanisms: monitoring and measurement, internal audit and management review.

Internal audits assess conformity against the Annex A controls and management system requirements.

9.1 Monitoring, measurement, analysis and evaluation

The organisation shall determine:

  • What needs to be monitored and measured — Including privacy processes, controls and objectives
  • The methods — For monitoring, measurement, analysis and evaluation, to ensure valid results
  • When the monitoring and measurement shall be performed
  • When the results shall be analysed and evaluated

The organisation must retain documented information as evidence of the results. Effective monitoring goes beyond simple compliance checking. It should assess whether privacy controls are achieving their intended outcomes and whether the PIMS as a whole is delivering the desired privacy performance.

Common metrics include:

  • Data subject request response times and completion rates
  • Privacy incident counts, severity levels and resolution times
  • Training completion rates and awareness assessment scores
  • Risk treatment plan implementation progress
  • Supplier compliance assessment results
  • Privacy impact assessment completion rates for new processing activities

9.2 Internal audit

9.2.1 General

The organisation shall conduct internal audits at planned intervals to provide information on whether the PIMS:

  • Conforms to the organisation’s own requirements for its PIMS
  • Conforms to the requirements of ISO 27701:2025
  • Is effectively implemented and maintained

9.2.2 Internal audit programme

The organisation shall plan, establish, implement and maintain an audit programme, including:

  • Frequency — Audit intervals (typically annual for a full cycle, with targeted audits more frequently)
  • Methods — How audits will be conducted (document review, interviews, observation, testing)
  • Responsibilities — Who will conduct the audits (must be objective and impartial)
  • Planning requirements — Consideration of the importance of the processes concerned and the results of previous audits
  • Criteria and scope — What is being audited and against what requirements
  • Reporting — Results must be reported to relevant management

The audit programme and results must be retained as documented information.

9.3 Management review

9.3.1 General

Top management shall review the PIMS at planned intervals to ensure its continuing suitability, adequacy and effectiveness.

9.3.2 Management review inputs

The management review shall include consideration of:

  • The status of actions from previous management reviews
  • Changes in external and internal issues that are relevant to the PIMS
  • Changes in needs and expectations of interested parties that are relevant to the PIMS
  • Information on PIMS performance, including trends in nonconformities and corrective actions, monitoring and measurement results, and audit results
  • Opportunities for continual improvement

9.3.3 Management review results

The outputs of the management review shall include decisions and actions related to:

  • Continual improvement opportunities
  • Any need for changes to the PIMS

Documented information must be retained as evidence of management review results. These records demonstrate that top management is actively engaged in overseeing the PIMS, a key requirement that auditors will examine closely.

How does this relate to GDPR?

  • Article 5(2) — The accountability principle requires demonstrating compliance, which monitoring and audit directly support
  • Article 39(1)(b) — DPO monitoring of compliance aligns with the internal audit programme requirements
  • Article 32(1)(d) — A process for regularly testing, assessing and evaluating the effectiveness of measures, directly supported by Clause 9
  • Article 24 — Controller responsibility to review and update measures where necessary, supported by management review

For the complete mapping, see the GDPR compliance guide.

What changed from ISO 27701:2019?

  • Self-contained requirements — In the 2019 edition, Clause 5.7 supplemented ISO 27001 Clause 9. In the 2025 edition the performance evaluation requirements are complete and standalone
  • Privacy-specific inputs — Management review inputs now explicitly include PIMS performance information and trends in nonconformities, monitoring results and audit results
  • Clearer audit scope — Internal audits are explicitly scoped to PIMS conformity and effectiveness rather than extending an ISMS audit programme
  • Structured review inputs — The management review inputs are more detailed, with specific items rather than general references to ISO 27001 inputs

For a broader overview, see what’s new in ISO 27701:2025.

See the Annex F correspondence table for the full mapping.

What evidence do auditors expect?

  • Monitoring records — Dashboards, reports or logs showing what is being monitored and the results over time
  • Audit programme — A planned schedule of internal audits covering all PIMS requirements over the audit cycle
  • Audit reports — Completed audit reports with findings, nonconformities and observations
  • Auditor independence — Evidence that auditors did not audit their own work
  • Management review minutes — Records showing all required inputs were considered and decisions were made
  • Action tracking — Evidence that actions from management reviews and audits are tracked to completion
  • Trend analysis — Evidence that monitoring data is analysed for trends, not just reviewed as isolated data points

Related clauses

Clause | Relationship
Clause 5: Leadership | Management review is where top management exercises its leadership commitment in practice
Clause 6: Planning | Privacy objectives (6.2) are monitored for achievement; risk assessment results feed into management review
Clause 8: Operation | Operational processes are subject to monitoring and internal audit
Clause 10: Improvement | Audit findings and review outputs feed directly into the corrective action and improvement process

See also Clause 4 (Context) for context and Clause 7 (Support) for supporting resources.

Why choose ISMS.online for Clause 9 compliance?

ISMS.online provides integrated tools for evaluating PIMS performance:

  • Performance dashboards — Real-time monitoring of key privacy metrics with trend analysis and alerting
  • Internal audit management — Plan, schedule and execute audits with templates, finding tracking and evidence collection
  • Management review templates — Structured agendas covering all required inputs, with action tracking and minutes recording
  • Corrective action tracking — Link audit findings and review actions to corrective action workflows with owner assignment and deadlines
  • Reporting — Generate performance reports for management review inputs and certification audit evidence

For certification planning, see the standalone certification guide.

FAQs

How often should management reviews be conducted?

The standard requires reviews at “planned intervals” without specifying a frequency. Most organisations conduct management reviews at least annually, with many opting for quarterly reviews especially in the first year of implementation. The frequency should be appropriate to the maturity of your PIMS and the pace of change in your privacy landscape. Whatever interval you choose, it must be documented and consistently followed.


Can internal audits be conducted by in-house staff?

Yes, provided they are objective and impartial. The key requirement is that auditors do not audit their own work. In practice, this means the person responsible for implementing a particular control or process should not be the one auditing it. Smaller organisations may need to use external auditors for some areas to maintain independence. Auditors should also have appropriate competence in privacy management and audit techniques.


What privacy metrics should be monitored?

Start with metrics that are meaningful for your organisation and achievable to collect. Common examples include data subject request volumes and response times, privacy incident rates and resolution times, training completion percentages, risk treatment plan progress, supplier assessment completion rates and audit finding closure rates. The metrics should evolve as your PIMS matures, moving from basic compliance metrics to effectiveness and outcome based measures.



Max Edwards

Max works as part of the ISMS.online marketing team and ensures that our website is updated with useful content and information about all things ISO 27001, 27002 and compliance.
