What does Clause 5 require?
Clause 5 establishes the leadership and governance foundations for your Privacy Information Management System (PIMS). It ensures that privacy is driven from the top of the organisation, with clear accountability, a defined policy and assigned responsibilities. The clause has three sub-clauses covering commitment, policy and roles.
5.1 Leadership and commitment
Top management shall demonstrate leadership and commitment with respect to the PIMS by:
- Ensuring the privacy policy and privacy objectives are established and are compatible with the strategic direction of the organisation
- Ensuring the integration of the PIMS requirements into the organisation’s business processes
- Ensuring the resources needed for the PIMS are available
- Communicating the importance of effective privacy management and of conforming to PIMS requirements
- Ensuring the PIMS achieves its intended outcomes
- Directing and supporting persons to contribute to the effectiveness of the PIMS
- Promoting continual improvement
- Supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility
These eight responsibilities make it clear that privacy is not a delegated IT function. Top management must be actively engaged and accountable.
5.2 Privacy policy
Top management shall establish a privacy policy that:
- Is appropriate to the purpose of the organisation
- Provides a framework for setting privacy objectives
- Includes a commitment to satisfy applicable requirements
- Includes a commitment to continual improvement of the PIMS
The privacy policy must also meet three availability requirements:
- Be available as documented information
- Be communicated within the organisation
- Be available to interested parties, as appropriate
Note that the privacy policy referenced here is the management system policy document, not the external privacy notice provided to data subjects. Both are needed, but they serve different purposes.
5.3 Roles, responsibilities and authorities
Top management shall ensure that the responsibilities and authorities for roles relevant to the PIMS are assigned and communicated within the organisation. Specifically, top management shall assign the responsibility and authority for:
- Ensuring conformity — That the PIMS conforms to the requirements of ISO 27701:2025
- Reporting performance — That performance of the PIMS is reported to top management
This does not mean one person must do everything. Responsibilities can be distributed across roles such as a Data Protection Officer (DPO), privacy manager, PIMS lead or compliance team. The key requirement is that responsibilities are clearly defined, documented and communicated.
How does this relate to GDPR?
Clause 5 supports several GDPR requirements:
- Article 24 — Responsibility of the controller to implement appropriate measures and be able to demonstrate compliance
- Articles 37 to 39 (related provisions, not formally mapped in Annex D) — Designation, position and tasks of the Data Protection Officer, which aligns with the role assignment requirements in 5.3
- Recital 39 — Transparency principle, supported by having a clear privacy policy
Organisations subject to GDPR should ensure their DPO role (where appointed) is reflected in the PIMS role assignments under Clause 5.3.
What changed from ISO 27701:2019?
Key changes in Clause 5 compared to the 2019 edition:
- Self-contained requirements — In 2019, Clause 5.3 supplemented ISO 27001 Clause 5. Now the leadership requirements are complete and standalone
- Privacy-specific policy — The policy requirements now explicitly reference privacy rather than relying on an amended information security policy
- Eight commitment areas — The leadership commitment requirements are now clearly enumerated, making it easier for auditors to assess
- Simplified role requirements — The 2025 edition focuses on conformity assurance and performance reporting, rather than listing specific privacy roles
For a broader overview of changes, see what’s new in ISO 27701:2025. For the full mapping, see the Annex F correspondence table.
What evidence do auditors expect?
When assessing Clause 5 compliance, auditors will typically look for:
- Management review minutes — Evidence of top management engagement with PIMS performance and decisions
- Privacy policy document — An approved, current policy that meets all four content requirements and three availability requirements
- Resource allocation — Budget and staffing evidence showing adequate resources are provided for the PIMS
- Role descriptions — Documented assignments of PIMS responsibilities, including who reports to top management
- Communication records — Evidence the policy and its importance have been communicated to staff
- Organisational chart — Showing where privacy roles sit within the organisation’s structure
The privacy policy requirement connects directly to A.3.3 Policies for Information Security in the Annex A control set.
Related clauses
| Clause | Relationship |
|---|---|
| Clause 4: Context | The privacy policy and leadership direction must be compatible with the context analysis |
| Clause 6: Planning | The policy provides the framework for setting privacy objectives (6.2) |
| Clause 7: Support | Resources, competence and awareness requirements depend on leadership providing adequate support |
| Clause 9: Performance Evaluation | Management review (9.3) is where top management exercises its leadership role in practice |
See also Clause 8 (Operation) for how leadership directives are operationalised.
Why choose ISMS.online for Clause 5 compliance?
ISMS.online provides the tools to demonstrate leadership and governance:
- Policy management — Create, approve and version control your privacy policy with full audit trail and distribution tracking
- Role assignment — Define and document PIMS roles with responsibilities, authorities and reporting lines
- Management review — Structured templates for management review meetings with agenda items, inputs and action tracking
- Communication tracking — Record and evidence how privacy policies and expectations are communicated to staff
- Dashboard reporting — Provide top management with at-a-glance PIMS performance data for informed decision making
For certification planning, see the standalone certification guide.
FAQs
Who counts as “top management” for Clause 5?
Top management is defined as the person or group of people who direct and control the organisation at the highest level. In practice, this typically means the CEO, board of directors, senior leadership team or equivalent. The key test is whether they have the authority to allocate resources, set policy direction and make strategic decisions about the PIMS.
Is the privacy policy the same as a privacy notice?
No. The privacy policy required by Clause 5.2 is an internal management system document that sets the overall direction and principles for privacy management. A privacy notice (or privacy statement) is an external document provided to data subjects explaining how their PII is processed. Both are needed, but they serve different audiences and purposes.
Does the organisation need a designated Data Protection Officer?
ISO 27701:2025 does not mandate a DPO. It requires that responsibilities and authorities are assigned and communicated. However, if your applicable legislation (such as GDPR Articles 37 to 39) requires a DPO, then this role should be reflected in your Clause 5.3 role assignments. Even where not legally required, designating a privacy lead or equivalent is good practice.