Privacy Information Management Systems (PIMS)

Enhance your Information Security Management System to incorporate a Privacy Information Management System

Build on ISO 27001 to deliver a Privacy Information Management System with ISO 27701

With increasing threats and consequences from poor privacy practices, there is a growing interest in the protection of personal data and personally identifiable information (PII). Despite the growing regulatory regime around privacy globally, there is no universally recognised way of achieving compliance or of showing that an organisation can be trusted for its approach to privacy. Growth in what is becoming known as Privacy Information Management Systems (PIMS) is forecast, but the term can mean different things to different people. The International Organization for Standardization (ISO) and the National Institute of Standards and Technology (NIST) are both offering new approaches to privacy management. ISO has released ISO/IEC 27701:2019, security techniques for privacy information management. NIST has released its preliminary draft of the NIST Privacy Framework. Whilst ISO 27701 is now formally established, it is not yet possible to be independently certified against it.* However, powerful customers will almost certainly start to mandate that their supply chain move towards compliance with it and, ultimately, certification (unlike NIST, which does not offer independent certification).

Rather than duplicate effort or create silos (and greater risk) with separate cybersecurity, information security management & privacy compliance approaches, smart organisations are joining the whole lot up. One way of achieving that joined-up approach is by extending an existing ISO 27001 certified information security management system (ISMS) to go even deeper into the privacy processes and controls affecting personal data or personally identifiable information by following ISO 27701:2019.

See how to achieve ISO 27701 and ISO 27001

Are you starting your Privacy Information Management System from nothing or building on existing foundations for GDPR and ISO 27001?

Most organisations will already have invested in compliance with the General Data Protection Regulation (GDPR). Some, in particular those in the UK, will have already followed routes to compliance such as that recommended by the UK Supervisory Authority, the Information Commissioner’s Office (ICO). The 7 GDPR checklists created by the ICO are already built into and mapped to ISO 27001 for a fast and efficient means of success in the overlapping areas of information security. Achieving ISO 27701 in addition to those approaches will then be very quick and easy by following the complementary framework we have built in. It is the same with the NHS Data Security and Protection Toolkit (DSPT) for dealing with UK patient health data. That method draws on ISO 27001 and the ICO checklists, so it is all very easy to link up with the new ISO 27701 framework.

Even if you are starting from nothing and looking to achieve ISO 27001 first, then add ISO 27701 later, we make that really easy to do. Those smart and powerful organisations mentioned earlier will recognise that privacy includes great information security management, and will probably expect a certified ISO 27001 ISMS first and foremost, then encourage achievement of ISO 27701 on top soon after.

*ISO 27701 is not yet a standard against which an organisation can actually be independently certified, as there are no accredited Certification Bodies appointed for it by UKAS or other accreditation services internationally. We understand that will take 6-12 months, so it is a good opportunity for organisations to focus on achievement and compliance, then aim for certification once that is available.


Simplifying the approach to information security and privacy standards with regulation compliance

  • Are you already doing or thinking about achieving ISO 27001 ISMS, ISO 27701 PIMS, ISO 22301 BCMS, PCI DSS, GDPR, CCPA, POPI and other standards or regulations?
  • Demonstrating compliance across multiple frameworks can be complex, time-consuming and costly.
  • Streamlining your approach makes perfect sense: it will cut out duplication and repetition, and help you achieve your goals faster at lower total cost and risk.

Our tools make light work of multiple compliance regimes…

Link together the requirements to eliminate duplication, with one place to easily demonstrate compliance to them all.

Using our powerful tools to develop and manage policies, identify and address risks, and control other common management system processes will save valuable resource time and ensure everything is captured and coordinated in one secure workspace.

Achieve privacy and information security management success now


Phone:   +44 (0)1273 041140