Free Readiness Assessment
Score your Privacy Information Management System (PIMS) against ISO 27701 in 15 minutes. Tell us about your environment, answer 17 focused questions, and download a PDF roadmap with your top privacy gaps and recommended next steps.
17 focused questions across 5 PIMS domains, plus a quick environment context block.
Calibrated to the PIMS controls — the same criteria privacy certification auditors sample.
Score breakdown, top privacy gaps, and a prioritised action plan. Emailed copy + instant download.
Scope, ownership, policies and measurable targets.
A clear scope statement is the first thing an auditor checks. Vague or missing scope is the most common Stage 1 finding.
Auditors want evidence that privacy is owned at a named level — not just delegated generically to IT or legal.
Policies must be version-controlled, dated and demonstrably acknowledged. A policy no one follows is a finding.
Leadership can see whether privacy is improving or declining — not just whether incidents happened.
Your ROPA, data flows, and DPIA methodology.
The ROPA is your single source of truth for data processing. Auditors will sample it against your actual systems.
You need to understand how data moves across systems and vendors before you can control it.
DPIAs for high-risk processing are mandatory under ISO 27701. Not running them is a common major nonconformity.
Minimisation, retention, consent, SRRs and training.
Controls must actually be configured in your systems, not just stated in policy. Auditors will sample system configuration.
Consent decisions must be traceable and defensible — a checkbox with no timestamp is not sufficient.
SRR handling is one of the most sampled controls in a PIMS audit. You need a ticket trail and response records.
Training and awareness records are mandatory evidence. Auditors will ask to see completion reports and curriculum scope.
Processor due diligence, DPAs and transfer safeguards.
Supply chain privacy risk is heavily scrutinised. A vendor with access to PII and no DPA is a significant finding.
Offshore access or hosting without transfer assessment is a common audit gap — especially for cloud-hosted platforms.
Evidence management, metrics, internal audit and review.
Evidence is the PIMS backbone. Centralised, structured evidence reduces audit stress significantly.
Metrics support informed decision-making and demonstrate active governance. Auditors will ask to see reporting history.
Internal audit is mandatory under ISO 27701. Findings must be owned, dated and verified closed.
Management review minutes are mandatory evidence and one of the first documents auditors request.