ISO 27701 and Conformance with Privacy Information Management (Part 3)


We’ve previously discussed ISO 27701 and how it refines two essential security standards and control libraries (ISO 27001 and ISO 27002). But the entire purpose of ISO 27701 is to align IT systems with the privacy requirements found under GDPR.

Here, we’ll discuss the third section of this document that defines additional guidelines for organizations acting as data controllers in the EU.


GDPR, Controllers, and Processors

GDPR divides organizations under its jurisdiction into two categories: controllers and processors.

Controllers

A “controller” is an organization or individual that makes decisions about the processing of PII. Because the controller is the party, or one of the parties, responsible for these decisions, the GDPR rules governing controllers emphasize a few distinct priorities, primarily the controller’s obligations to its processors and to the consumers from whom PII is collected.

Processors

A processor is an organization or individual that processes PII on behalf of a controller. A processor does not operate outside of a relationship with a controller, even though it still has specific responsibilities and obligations to consumers.

Because of how these categories are defined under GDPR, there cannot be a processing organization that is not either working for a controller or also functioning as one. A processor and a controller can be one and the same organization, but any organization that makes decisions regarding the processing of PII is, by default, also a controller.


ISO 27701 and Additional Guidelines for GDPR Controllers

ISO 27701

The third section of ISO 27701 focuses on the organization’s responsibilities when functioning as a controller in the EU. These responsibilities apply above and beyond the specific modifications to ISO 27001 and ISO 27002 controls, and they typically cover GDPR-specific data collection, reporting, and consent acquisition requirements.

Conditions for Collection and Processing

Controllers may not function as processors, but they have several obligations when making business decisions about working with processors. These include defining the types of collection and processing they may outsource to those partner organizations.

  • Implementation: Controllers must have well-documented information about the reasoning and purposes of any data collection or processing. This requirement is a prerequisite for any other requirement to be meaningfully enforced.
  • Lawful Basis: Controllers must be able to demonstrate the lawfulness of their data collection efforts, including how they will gain consent, how these efforts meet legal and compliance obligations, that these efforts meet specific business requirements, and that they protect the interests and privacy of the PII principal (the individual from whom the data is collected).
  • Consent: Processes for gaining and recording consent must be documented and verifiable so that they adhere to all privacy requirements in GDPR (consent must be freely given, specific to the business task, and explicit). These consent mechanisms must meet local as well as EU regulations. Consent must only be obtained via these documented processes.
  • Privacy Impact Assessment: The controlling organization must perform a privacy impact assessment whenever it changes or implements new processing standards.
  • Contracts with Processors: When a controller enters into an agreement with a processor, the contract must define the specific scope of processing, any relevant controls, and the impact on the contract that may stem from risk assessments.
  • Records: The controller must maintain all relevant records related to the type and purposes of the processing, the categories of PII principals, descriptions of security measures, and a Privacy Impact Report.


Obligations to PII Principals

Controllers have a responsibility to inform PII principals about their rights regarding the processing of their information.

  • Determining Obligations: Controllers must document any information they may gather from PII principals and, following that, any information they must provide to those principals to detail the processing that will take place and the principals’ rights in relation to their data.
  • Providing Information to Principals: PII principals must receive, or have clear access to, information identifying the controller (with contact information) and the types of processing taking place.
  • Withdrawal of Consent or Objection: Controllers must provide principals with readily accessible mechanisms to modify or withdraw their consent. These requests must be documented in the same manner as the original consent was recorded.
  • Informing Third Parties: Where controllers have shared data with other organizations (such as processors), they must inform those partners of any changes to the information provided or of any withdrawal of consent.
  • Providing Copies of Information: Controllers must provide records of any of a principal’s PII currently being processed when the PII principal asks for them. Procedures for handling these requests should be documented within the organization.
  • Automation: All of these obligations must be adjusted accordingly for automated PII processes.


Privacy by Design and Default

Not all IT systems are designed with security in mind, and there is a stark difference between systems modified for compliance and systems built for it. ISO 27701 requirements for processing PII prioritize systems and processes built on privacy principles by design and by default.

  • Limit Collection: The controller must have limits in place for data collection so that it aligns only with identified business processes. No optional data collection offered to the principal may be enabled by default; rather, it must be disabled and specifically enabled by the principal (privacy by default).
  • Limit Processing: The controller must have limits in place for data processing so that it aligns only with identified business processes.
  • Accuracy: Policies should be in place to ensure that a principal’s PII is accurate, complete, and up to date.
  • Minimization: System configurations, policies, and procedures must contain mechanisms that minimize data collection and processing to only that which is necessary for clearly defined business purposes.
  • Deletion and Temporary Files: Once the stated business purposes are completed, or PII is no longer necessary, the controller must delete the PII or render it into a form that prevents identification of the principals. Temporary files created during the processing of PII must also be destroyed.
  • Retention: Controllers may not retain PII beyond its use within the defined purposes provided to the PII principal.
  • Disposal: Controllers must have policies in place to dispose of media that has stored PII, including shredding, burning, or hard drive destruction.
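The consent, withdrawal, privacy-by-default and retention requirements above can be reduced to a small set of enforceable rules. The following Python is an added illustration, not code from the standard or from Lazarus Alliance: the purpose register, field names and retention periods are constructed assumptions. It records consent and withdrawal through the same append-only mechanism, keeps optional (consent-based) collection off until an affirmative record exists, and flags records whose retention period has elapsed for deletion or de-identification.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed purpose register (an assumption for this example): each documented
# purpose lists the fields it needs, its lawful basis and its retention period.
PURPOSES = {
    "order_fulfilment": {"fields": {"email", "postal_address"},
                         "basis": "contract", "retention": timedelta(days=365)},
    "marketing":        {"fields": {"email", "date_of_birth"},
                         "basis": "consent", "retention": timedelta(days=730)},
}

@dataclass(frozen=True)
class ConsentEvent:
    principal_id: str
    purpose: str
    granted: bool      # False records a withdrawal, in the same form as a grant
    mechanism: str     # the documented process used, e.g. "web-form-v2" (constructed)
    at: datetime

class ConsentLedger:
    """Append-only log: consent and its withdrawal are recorded the same way."""
    def __init__(self):
        self.events = []

    def record(self, principal_id, purpose, granted, mechanism, at):
        self.events.append(ConsentEvent(principal_id, purpose, granted, mechanism, at))

    def has_consent(self, principal_id, purpose):
        hits = [e for e in self.events
                if (e.principal_id, e.purpose) == (principal_id, purpose)]
        # Latest event wins; no recorded event means no consent (privacy by default).
        return bool(hits) and hits[-1].granted

def lawful_purposes(ledger, principal_id, requested):
    """Contract-based purposes are always lawful here; consent-based ones need an affirmative record."""
    return [p for p in requested
            if PURPOSES[p]["basis"] != "consent" or ledger.has_consent(principal_id, p)]

def collect(ledger, principal_id, submitted, requested):
    """Minimization: keep a submitted field only if a lawful purpose actually needs it."""
    allowed = set().union(*(PURPOSES[p]["fields"]
                            for p in lawful_purposes(ledger, principal_id, requested)))
    return {k: v for k, v in submitted.items() if k in allowed}

def retention_due(purpose, collected_at, now):
    """True once the purpose's retention period has elapsed: delete or de-identify the record."""
    return now >= collected_at + PURPOSES[purpose]["retention"]
```

Fields such as "phone" that no documented purpose needs are dropped at collection time rather than stored and cleaned up later.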

Transferring, Sharing, and Disclosing PII

Any sharing or transfer of PII must be recorded for audit purposes. Additionally, documentation must identify the countries outside the EU, or international organizations, to which data may be transferred during processing.

Stay Ahead of Evolving ISO Requirements with Lazarus Alliance

The ISO 27701 standard is intended to help organizations that have already implemented an ISMS program adjust and refine it for the challenges of regulations like GDPR and CCPA. While some of these refinements are relatively straightforward, it’s crucial to understand how those changes result in a distinct PIMS infrastructure.

Are you looking to apply ISO 27701 standards to your organization? Contact Lazarus Alliance.
