CalVant
ISO 27701 · Privacy Information Management System

Extend your ISMS into a Privacy Information Management System.

CalVant combines ISO 27001 and ISO 27701 so you can manage security and privacy together—covering personal data, data subjects, and regulators in one integrated program.

ISO 27701 · 72% privacy readiness
  • 40+ PII controls
  • 2 key roles
  • 1 unified PIMS

Privacy posture: 92%
PII processing mapped across systems, vendors and regions with live status.

PIMS readiness: 99.2
ISO 27701 alignment

Privacy controls
  • 32 implemented
  • 6 in progress
  • 2 gaps to close

What is ISO 27701?

ISO/IEC 27701 extends ISO 27001 and ISO 27002 with additional requirements and guidance for a Privacy Information Management System (PIMS) focused on processing personally identifiable information (PII).

Extension to ISO 27001

ISO 27701 is not a standalone standard; it builds on your existing ISMS to add privacy‑specific controls, documentation and roles for controllers and processors.

Focus on personal data

It defines how organizations identify PII, data subjects and processing purposes, then manage privacy risks across the data lifecycle from collection to deletion.

Supports global privacy laws

A robust PIMS helps demonstrate accountability against privacy regulations such as GDPR and similar laws, without being tied to a single jurisdiction.

PIMS‑specific requirements

ISO 27701 tailors the ISMS to privacy by adding requirements around PII processing context, roles, and risk management for controllers and processors.

PIMS context

Define your PII environment

Understand which systems, locations, partners and data subjects are in scope for your PIMS on top of the ISMS scope.

  • Identify PII types, data subjects and processing purposes.
  • Map PII flows between controllers, processors and sub‑processors.
  • Align PIMS boundaries with your legal and contractual obligations.

Roles & responsibilities

Controller and processor focus

Clarify whether you act as a PII controller, processor, or both in different processing activities.

  • Assign accountability for privacy within leadership and operational teams.
  • Define responsibilities for PII controllers versus processors in contracts.
  • Ensure sub‑processors operate under equivalent privacy requirements.

Privacy risk

Risk to individuals, not only assets

Extend risk assessments to consider impacts on data subjects, not just the organization, when PII is misused or disclosed.

  • Evaluate likelihood and harm from loss of confidentiality, integrity or availability of PII.
  • Prioritize controls that mitigate risks to individuals' rights and freedoms.
  • Link privacy risks to DPIAs or similar assessments where required.

Key ISO 27701 privacy controls

ISO 27701 adds controller‑ and processor‑oriented controls that sit alongside your Annex A controls, turning your ISMS into a combined security and privacy management system.

PII governance

Policies, roles and documentation that describe how personal data is handled and why it is processed.

  • Document lawful bases and purposes for processing.
  • Maintain records of processing activities (RoPA).
  • Define retention, archival and deletion rules for PII.
  • Set up privacy impact assessment criteria and process.

Data subject rights

Operational procedures to respond to individuals exercising their privacy rights.

  • Handle access, rectification, deletion and portability requests within defined timelines.
  • Verify identity and record decisions for each request.
  • Communicate outcomes and reasons clearly to data subjects.

Privacy by design & default

Integrate privacy considerations into products, services and changes from the start.

  • Include privacy criteria in design, development and change management.
  • Minimize PII collected, used and retained to what is necessary.
  • Enable configuration choices that respect user expectations by default.

Processor management

Controls for organizations processing PII on behalf of controllers.

  • Ensure contracts clearly define processing instructions.
  • Support audits and information requests from controllers.
  • Notify controllers promptly about breaches or incidents involving PII.

Incident & breach response

Privacy‑focused detection and response processes aligned with legal reporting duties.

  • Classify incidents that involve PII and assess risk to individuals.
  • Coordinate notifications to authorities, customers and data subjects when required.
  • Feed lessons learned back into your PIMS and security controls.

Why add ISO 27701 to ISO 27001?

Together, ISO 27001 and ISO 27701 create a unified system for managing security and privacy risks using shared governance, controls and evidence.

Security + privacy assurance

Show customers and regulators that you protect both information assets and personal data under a single, certified management system.

Support multiple laws at once

ISO 27701 provides a neutral framework that can be mapped to GDPR and other privacy laws, avoiding one‑off, region‑specific privacy projects.

Clarify controller–processor duties

Reduce ambiguity in contracts and relationships by aligning on clear roles, responsibilities and reporting obligations for PII processing.

Stronger evidence for audits

Use combined ISMS/PIMS documentation, risk registers and activity logs as proof of accountability during privacy or security reviews.

Reuse controls and tooling

Many technical and organizational controls serve both ISO 27001 and 27701, so you can reuse monitoring, training, and vendor management workflows.

Speed up enterprise privacy reviews

A certified PIMS reduces the time security and legal teams spend on privacy questionnaires and due‑diligence exercises.

Your ISO 27701 rollout plan

CalVant layers PIMS capabilities on top of your existing ISO 27001 program so you can move from security‑only to security‑and‑privacy without starting from scratch.

1. Assess your ISMS baseline

Confirm ISO 27001 scope, risks and Annex A controls, then identify where privacy comes into play.

  • Review existing assets and processing activities.
  • Identify systems that store or process PII.
  • Highlight overlaps with security controls and policies.

2. Define PIMS scope and roles

Determine which products, regions and business units fall under your PIMS and who acts as controller or processor.

  • Document PII categories and data subjects.
  • Assign privacy owners in legal, security and product.
  • Align processor and sub‑processor responsibilities in contracts.

3. Map PII and privacy risks

Extend risk assessments to consider harm to individuals, and exposure to regulators, when PII is mishandled.

  • Run DPIAs for high‑risk processing where appropriate.
  • Score risks using privacy‑specific impact criteria.
  • Link controls and safeguards to each identified risk.

4. Implement ISO 27701 controls

Roll out controller and processor controls across governance, data subject rights, and supplier management.

  • Update policies, notices and records of processing.
  • Embed DSAR, consent and retention workflows in tools.
  • Enforce privacy requirements in vendor onboarding and reviews.

5. Operate, monitor and improve PIMS

Measure how well privacy processes are working and integrate them with existing ISMS monitoring and reviews.

  • Track DSARs, breaches and PII‑related incidents.
  • Include privacy metrics in management reviews and board updates.
  • Continuously refine controls as laws and risks evolve.

6. Prepare for integrated audits

Work with certification bodies that can assess ISO 27001 and ISO 27701 together for a combined audit experience.

  • Package shared ISMS/PIMS evidence in one place.
  • Address non‑conformities and observations across both standards.
  • Leverage certification to accelerate customer trust.

See ISO 27001 and 27701 running together

Connect your stack to CalVant and manage security and privacy evidence from a single cockpit—ready for auditors, customers and regulators.