What does Clause 7 require?

Clause 7 ensures your Privacy Information Management System (PIMS) has the supporting infrastructure it needs to function effectively. While Clause 5 sets the direction from the top, Clause 7 makes sure the practical foundations are in place: people, skills, awareness, communication channels and documentation.

7.1 Resources

The organisation shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the PIMS. Resources include:

  • People — Sufficient staff with appropriate time allocated to privacy management activities
  • Budget — Financial resources for tools, training, consultancy and certification
  • Technology — Systems and tools to support privacy operations, monitoring and reporting
  • Infrastructure — Physical and logical environments needed for secure PII processing

7.2 Competence

The organisation shall:

  • Determine the necessary competence of persons doing work under its control that affects privacy performance
  • Ensure these persons are competent on the basis of appropriate education, training or experience
  • Where applicable, take actions to acquire the necessary competence and evaluate the effectiveness of those actions
  • Retain appropriate documented information as evidence of competence

Competence requirements should cover not just dedicated privacy staff but also anyone whose work affects PII processing, including developers, customer service teams, HR and marketing personnel.

7.3 Awareness

Persons doing work under the organisation’s control shall be aware of:

  • The privacy policy
  • Their contribution to the effectiveness of the PIMS, including the benefits of improved privacy performance
  • The implications of not conforming with the PIMS requirements

Awareness goes beyond formal training. It means ensuring that everyone understands why privacy matters, what their role is in protecting PII and what happens when things go wrong.

7.4 Communication

The organisation shall determine the need for internal and external communications relevant to the PIMS, including:

  • What to communicate
  • When to communicate
  • With whom to communicate
  • How to communicate

This covers communications with PII principals (data subjects), regulators, customers, staff and other interested parties. Effective communication planning ensures that privacy information reaches the right people at the right time.

7.5 Documented information

7.5.1 General

The PIMS shall include documented information required by the standard and documented information the organisation determines is necessary for the effectiveness of the PIMS. The extent of documentation can vary depending on organisation size, activities, processes and staff competence.

7.5.2 Creating and updating

When creating and updating documented information, the organisation shall ensure appropriate:

  • Identification and description (title, date, author, reference number)
  • Format (language, software version, graphics) and media (paper, electronic)
  • Review and approval for suitability and adequacy

7.5.3 Control of documented information

Documented information required by the PIMS shall be controlled to ensure it is:

  • Available and suitable for use, where and when it is needed
  • Adequately protected (from loss of confidentiality, improper use or loss of integrity)

Control activities include distribution, access, retrieval, use, storage, preservation, control of changes, retention and disposition. This is particularly important for privacy documentation, which may itself contain sensitive information about processing activities.

How does this relate to GDPR?

  • Article 39(1)(b) — DPO tasks include monitoring awareness-raising and training of staff, aligning with 7.2 and 7.3
  • Article 30 — Records of processing activities requirements align with the documented information controls in 7.5
  • Article 5(2) — Accountability principle requires the ability to demonstrate compliance, supported by comprehensive documentation
  • Article 32(4) — Ensuring persons acting under authority have appropriate competence and awareness

For the complete GDPR mapping, see the GDPR compliance guide.

What changed from ISO 27701:2019?

  • Self-contained requirements — In 2019, Clause 5.5 supplemented ISO 27001 Clause 7. Now the support requirements are complete and standalone
  • Privacy-specific competence — The competence requirements now explicitly reference privacy performance rather than information security
  • Clearer documentation scope — The documented information requirements are now specifically scoped to the PIMS rather than extending an ISMS

For a broader overview, see what’s new in ISO 27701:2025.

See the Annex F correspondence table for the full mapping.


ISMS.online supports over 100 standards and regulations, giving you a single platform for all your compliance needs.


What evidence do auditors expect?

  • Resource allocation records — Budget approvals, staffing plans and tool procurement decisions
  • Training records — Evidence of privacy-related training, certifications and continuing professional development
  • Competence assessments — Records showing how competence was evaluated for privacy-relevant roles
  • Awareness programme — Evidence of awareness activities (induction, refresher training, communications campaigns)
  • Communication plan — A documented plan covering internal and external privacy communications
  • Document control procedures — Evidence that documented information is properly identified, approved, controlled and protected
  • Document register — A list of all PIMS documented information with version control and review dates

The awareness and competence requirements connect to A.3.17 Awareness and Training in the shared security controls.

Related clauses

Clause                            Relationship
Clause 5: Leadership              Top management must ensure resources are available (5.1) and the policy is communicated
Clause 6: Planning                Risk treatment plans and objectives must be documented per 7.5 requirements
Clause 8: Operation               Operational processes rely on documented procedures and competent staff
Clause 9: Performance Evaluation  Internal audit and management review results must be retained as documented information

See also Clause 4 (Context) for context and Clause 10 (Improvement) for continual improvement.

Why choose ISMS.online for Clause 7 compliance?

ISMS.online provides comprehensive support tools for your PIMS:

  • Document management — Full version control, approval workflows, access controls and audit trails for all PIMS documentation
  • Training tracker — Record training activities, certifications and competence assessments with automated reminders for refresher training
  • Awareness campaigns — Create, distribute and track privacy awareness materials with completion tracking
  • Communication log — Record internal and external communications with timestamps and evidence links
  • Template library — Pre-built templates for policies, procedures, records and forms aligned to ISO 27701:2025

FAQs

What privacy training do staff need?

Training requirements depend on the role. All staff should receive general privacy awareness training covering the privacy policy, their responsibilities and how to report incidents. Staff in privacy-specific roles (DPO, privacy analysts, incident responders) need deeper technical and regulatory training. Developers and IT staff need training on privacy by design principles. Training should be documented and regularly refreshed.
How much documentation does a PIMS require?

The standard requires specific documented information (privacy policy, risk assessments, SoA, audit results, management review outputs) plus whatever additional documentation you determine is necessary. The extent varies by organisation size and complexity. Focus on documentation that adds value and supports effective privacy management, rather than creating documents purely for compliance purposes.
Can electronic document management replace paper records?

Yes. The standard does not prescribe any particular format or media for documented information. Electronic systems are typically preferred as they offer better version control, access management, search capabilities and audit trails. Whatever system you use, it must meet the control requirements in 7.5.3, including availability, protection, access control and retention management.
Max Edwards

Max works as part of the ISMS.online marketing team and ensures that our website is updated with useful content and information about all things ISO 27001, 27002 and compliance.