What evidence do auditors expect for ISO 27701:2025?

ISO 27701:2025 certification audits follow a structured, evidence-based approach. Auditors do not simply take your word for it — they need documented proof that your Privacy Information Management System (PIMS) meets every applicable requirement of the standard.

Evidence falls into three broad categories:

  • Documentary evidence — Policies, procedures, process documents, risk assessments and the Statement of Applicability
  • Records and logs — Meeting minutes, training records, audit reports, incident logs, data processing records and corrective action logs
  • Demonstrated practice — Interviews with staff, live system walkthroughs and observation of processes in action

The 2025 edition is now a standalone certifiable standard, which means your evidence pack must cover the full management system requirements in Clauses 4 to 10 as well as the applicable Annex A controls.

What evidence is required for each clause area?

Each clause of ISO 27701:2025 requires specific types of evidence. The table below maps the key evidence items auditors look for against each management system clause.

Clause area and the key evidence required:

  • Clause 4 (Context of the Organisation): Scope statement, interested party analysis, PII processing context, PIMS boundaries documentation
  • Clause 5 (Leadership): Privacy policy (signed by top management), roles and responsibilities matrix, management commitment records
  • Clause 6 (Planning): Privacy risk assessment methodology, risk register, risk treatment plan, Statement of Applicability, privacy objectives
  • Clause 7 (Support): Competence records, training logs, awareness programme evidence, documented information control procedure
  • Clause 8 (Operation): Operational planning records, risk assessment results, risk treatment implementation evidence
  • Clause 9 (Performance Evaluation): Monitoring and measurement results, internal audit reports, management review minutes
  • Clause 10 (Improvement): Nonconformity and corrective action records, evidence of continual improvement activities

Beyond the management system clauses, auditors also assess evidence for each Annex A control you have declared applicable in your Statement of Applicability. This includes controller-specific controls, processor-specific controls and shared security controls.

How do Stage 1 and Stage 2 evidence requirements differ?

The ISO 27701:2025 certification audit is split into two stages, each with different evidence expectations:

Stage 1: Documentation review

The Stage 1 audit focuses on whether your documented PIMS is adequate. Auditors review:

  • Your PIMS scope and boundaries
  • Privacy policy and privacy objectives
  • Risk assessment methodology and risk treatment plan
  • Statement of Applicability
  • Key procedures and process documentation
  • Internal audit programme and management review schedule

Stage 1 is primarily a readiness check. The auditor confirms that your documentation is complete enough to proceed to Stage 2 and identifies any areas that need attention before the implementation audit.

Stage 2: Implementation assessment

Stage 2 is the full implementation audit. Auditors verify that your PIMS is not just documented but actually operating. Evidence at this stage includes:

  • Completed risk assessments with current results
  • Training records showing staff have been trained and assessed
  • Internal audit reports with findings addressed
  • Management review minutes with decisions recorded
  • Incident response records (even if no incidents have occurred, the process must be evidenced)
  • Data subject request handling records
  • Supplier and processor management records

For more detail on the full certification process, see our certification guide.

ISMS.online supports over 100 standards and regulations, giving you a single platform for all your compliance needs.

What are the most common evidence gaps?

Certain evidence gaps appear repeatedly across ISO 27701:2025 audits. Knowing what catches organisations out helps you avoid the same mistakes.

Common gaps, why they happen and how to fix them:

  • No evidence of management review. Why it happens: reviews happen informally without minutes. How to fix it: schedule formal reviews with an agenda, attendees and recorded decisions.
  • Training records missing or incomplete. Why it happens: training happens but is not logged. How to fix it: use a training management system that tracks completion and competence assessment.
  • Risk assessment not current. Why it happens: the initial assessment was done but never updated. How to fix it: schedule regular reviews and update after significant changes.
  • No internal audit evidence. Why it happens: the organisation relies on external consultants and skips internal audits. How to fix it: conduct at least one full internal audit cycle before the certification audit.
  • Statement of Applicability missing justifications. Why it happens: controls are marked as not applicable without explanation. How to fix it: document the rationale for every exclusion in the SoA.
  • Supplier agreements lack privacy clauses. Why it happens: contracts predate the PIMS implementation. How to fix it: review and update supplier contracts to include data processing and privacy terms.
  • Incident response not tested. Why it happens: no incidents have occurred, so the process is untested. How to fix it: run tabletop exercises and record the results.

How should you organise your evidence pack?

A well-organised evidence pack makes audits smoother and reduces the risk of findings caused by evidence that exists but cannot be located. Follow these principles:

  • Map evidence to requirements — Create an evidence matrix that links each clause and Annex A control to the specific documents, records and screenshots that demonstrate compliance
  • Use consistent naming conventions — Name documents clearly so auditors can identify them without your help (e.g., PIMS-Risk-Assessment-2026-Q1.pdf)
  • Maintain version control — Every document should show its version, approval date and owner. Auditors will check that you are working from current, approved documents
  • Keep records timestamped — Training logs, meeting minutes and audit reports must show when they occurred. Undated records are difficult for auditors to accept
  • Centralise storage — Scattered evidence across email inboxes, shared drives and individual laptops creates risk. Use a single, controlled location
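As an added illustration (not code from this page or from ISMS.online), the check below runs over a constructed evidence matrix and reports the gaps an auditor would raise against the principles above: clauses with no linked evidence, filenames outside the naming convention, and records with no version, owner or approval date. The naming pattern is an assumption generalised from the page's single example filename.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Management-system clause areas from the evidence table on this page.
CLAUSE_AREAS = {
    4: "Context of the Organisation", 5: "Leadership", 6: "Planning",
    7: "Support", 8: "Operation", 9: "Performance Evaluation", 10: "Improvement",
}

# Assumed naming convention, generalised from the page's one example
# (PIMS-Risk-Assessment-2026-Q1.pdf): PIMS-<Words>-<YYYY>-Q<1-4>.<ext>
NAME_RE = re.compile(r"^PIMS(?:-[A-Za-z]+)+-\d{4}-Q[1-4]\.[a-z0-9]+$")

@dataclass
class Evidence:
    clause: int
    filename: str
    version: str = ""
    owner: str = ""
    approved_on: Optional[date] = None

def check_evidence_pack(items):
    """Return readiness findings an auditor would raise against this pack."""
    findings = []
    covered = {e.clause for e in items}
    for clause, area in CLAUSE_AREAS.items():
        if clause not in covered:
            findings.append(f"Clause {clause} ({area}): no linked evidence")
    for e in items:
        if not NAME_RE.match(e.filename):
            findings.append(f"{e.filename}: filename outside naming convention")
        if not e.version:
            findings.append(f"{e.filename}: no version recorded")
        if not e.owner:
            findings.append(f"{e.filename}: no owner recorded")
        if e.approved_on is None:
            findings.append(f"{e.filename}: undated (no approval date)")
    return findings

# Constructed sample evidence matrix with deliberate gaps.
SAMPLE_PACK = [
    Evidence(4, "PIMS-Scope-Statement-2026-Q1.pdf", "2.0", "CISO", date(2026, 1, 15)),
    Evidence(5, "PIMS-Privacy-Policy-2026-Q1.pdf", "3.1", "CEO", date(2026, 1, 20)),
    Evidence(6, "PIMS-Risk-Assessment-2026-Q1.pdf", "1.4", "Privacy Lead", date(2026, 2, 2)),
    Evidence(7, "training log final.xlsx", "", "HR", None),  # badly named, unversioned, undated
    Evidence(8, "PIMS-Risk-Treatment-Plan-2026-Q1.xlsx", "1.0", "Privacy Lead", date(2026, 2, 10)),
    # Clauses 9 and 10 deliberately absent: no internal audit or corrective-action records yet.
]
```

Running check_evidence_pack(SAMPLE_PACK) returns five findings: the two uncovered clauses (9 and 10) and three against the badly kept training log.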

Organisations that align their evidence to the Annex D GDPR mapping can also use the same evidence pack to demonstrate regulatory compliance, creating efficiency across both privacy certification and data protection obligations.

How does ISMS.online support audit evidence management?

ISMS.online is purpose-built to help organisations collect, organise and maintain the evidence needed for ISO 27701:2025 certification. Key capabilities include:

  • Pre-built evidence framework — Evidence requirements mapped to every clause and Annex A control, so you know exactly what you need before the auditor arrives
  • Document management with version control — Upload, approve and track all policies, procedures and supporting documents with full audit trails
  • Risk management — Conduct and record risk assessments directly in the platform, with risk registers that link to treatment plans and control implementations
  • Training and awareness tracking — Assign training, track completion and record competence assessments with timestamped evidence
  • Internal audit management — Plan, conduct and record internal audits with findings linked to corrective actions
  • Management review support — Structured review templates that capture inputs, decisions and actions in a format auditors expect
  • Supplier management — Track processor agreements, conduct due diligence and maintain oversight records

Rather than building an evidence pack from scratch, ISMS.online gives you a ready-made structure that accumulates evidence as you work through your implementation. By the time your audit comes around, your evidence is already organised and accessible.

To understand the full scope of what your PIMS needs to cover, see our guide to getting started with implementation.

Why Choose ISMS.online for Audit Evidence Management?

  • Evidence mapped to the standard — Every clause and Annex A control has a linked evidence requirement, so nothing gets missed
  • Automated audit trails — Changes to documents, risk assessments and actions are logged automatically with timestamps and user attribution
  • Centralised, auditor-ready evidence — Everything your auditor needs is in one place, accessible via secure, role-based permissions
  • Pre-configured templates — Policies, risk assessment methodologies and SoA templates aligned to ISO 27701:2025 reduce setup time
  • Corrective action tracking — Link nonconformities to corrective actions with due dates, owners and status tracking
  • Real-time compliance dashboards — See your readiness status at a glance, identify gaps and prioritise work before the audit
  • Trusted by thousands of organisations — ISMS.online supports companies of all sizes in achieving and maintaining ISO certification

FAQs

What is the minimum evidence needed for ISO 27701:2025 certification?

At minimum, you need documented policies, a risk assessment and treatment plan, Statement of Applicability, internal audit results, management review minutes and records demonstrating that your Annex A controls are operating. The exact scope depends on your organisation and the controls you have declared applicable.


How far back should audit evidence go?

For initial certification, auditors typically want to see at least three months of operational evidence, including a complete internal audit cycle and at least one management review. For surveillance audits, evidence should cover the period since the last audit.


Can we use digital evidence or does it need to be printed?

Digital evidence is fully accepted and often preferred by auditors. Screenshots, system exports, timestamped records and documents stored in platforms like ISMS.online are all valid. The key requirement is that evidence is authentic, accessible and version-controlled.


What happens if the auditor finds missing evidence?

Missing evidence typically results in a nonconformity finding. Minor nonconformities allow you to provide the evidence within an agreed timeframe (usually 90 days). Major nonconformities may require a follow-up audit visit before certification can be granted.


Do we need separate evidence for ISO 27701 and ISO 27001?

If you hold both certifications, much of the management system evidence overlaps (risk management, internal audit, management review). However, ISO 27701 requires additional privacy-specific evidence such as PII processing records, data subject request handling and privacy impact assessments. ISMS.online allows you to manage both standards in an integrated system.



Max Edwards

Max works as part of the ISMS.online marketing team and ensures that our website is updated with useful content and information about all things ISO 27001, 27002 and compliance.
