ISO 27701 extends ISO 27001 with privacy controls to build a Privacy Information Management System (PIMS).

Do we need a new privacy tool?

No. We embed workflows in your Microsoft 365 stack and store evidence in SharePoint with retention and versioning.

ISO 27701 (PIMS) & Privacy Consulting — Australia

ISO 27701 (Privacy)

Extend your ISO 27001 with a Privacy Information Management System (PIMS) covering DPIAs, ROPA, rights handling, privacy controls and third-party clauses — with audit-ready evidence in Microsoft 365 & SharePoint. No new platform.

DPIAsROPARights handling Privacy controlsThird-party clausesTraining

Why align ISO 27701 with ISO 27001

ISO 27701 builds on ISO 27001 — it’s like adding a “privacy layer” to your existing information security program. When managed together under one framework, your business gains stronger protection, less duplication, and a clearer story for customers and regulators.

One framework, two outcomes - Manage both security and privacy risks together under a single system — fewer meetings, fewer spreadsheets, and consistent processes across teams.

Save time and audit costs - Auditors review your combined policies, risk register, and evidence once — not twice — reducing effort and certification costs.

Build trust faster - Demonstrate to clients and partners that you protect data end-to-end — from how it’s stored to how it’s shared or deleted.

Future-ready compliance - ISO 27701 supports Australian Privacy Principles (APPs), GDPR, HIPAA, and emerging AI-related laws — helping you stay ahead of regulatory change.

Unified dashboards and reporting - View security and privacy performance in the same Power BI or SharePoint dashboard, so executives see the full picture in one place.

In short — ISO 27001 protects information, ISO 27701 protects personal data. Together they deliver one integrated assurance framework your stakeholders can trust.

Controller vs Processor in ISO 27701

ISO 27701 extends your ISMS with a Privacy Information Management System (PIMS). It separates requirements for organisations that act as a Controller (deciding the purposes/means of processing) and a Processor (processing personal data on behalf of a controller).

Controller (Annex A)

You determine the why and how of personal data processing, handle data-subject rights, publish notices, and manage third parties.

Lawful basis & transparency
Data-subject rights (access/erasure/objection)
Privacy by design & DPIA thresholds
Third-party/onward transfer controls

View Controller controls (Annex A — 31)

Processor (Annex B)

You process data on a controller’s instructions, with contract-backed safeguards, sub-processor oversight, and breach notification duties.

Process only on documented instructions
Confidentiality & access restrictions
Sub-processor approvals & flow-down
Assist with rights requests & DPIAs

View Processor controls (Annex B — 18)

Many organisations are both controller and processor depending on the dataset or service line. We scope each processing activity in your ROPA and apply the right annex set per activity.

Annex A — Controller controls (31)

We map each control to Microsoft 365 artefacts so evidence is generated by the process, not after it.

Transparency & Notices

Evidence hub: /Evidence/27701/Controller/Notices/
Artefacts: published privacy notice, collection statements, consent logs.

Data-Subject Rights

Evidence hub: /Evidence/27701/Controller/DSR/
Artefacts: request intake, ID verification, fulfilment logs, timelines.

Privacy by Design / DPIA

Evidence hub: /Evidence/27701/Controller/DPIA/
Artefacts: screening, DPIA reports, mitigations, approvals in SharePoint.

Annex B — Processor controls (18)

Contract-backed safeguards, sub-processor management, and notification timelines wired into Microsoft 365.

Controller Instructions

Evidence hub: /Evidence/27701/Processor/Agreements/
Artefacts: DPAs, SoWs, approved processing instructions, change logs.

Sub-processors

Evidence hub: /Evidence/27701/Processor/Sub-processors/
Artefacts: approvals, flow-down clauses, notice history, risk reviews.

Incident Support

Evidence hub: /Evidence/27701/Processor/IR/
Artefacts: notification templates, timelines, post-incident reports.

What’s included

DPIA framework

Templates, thresholds, routing & approvals for privacy impact.

ROPA & lifecycle

Processing records, retention, deletion and minimisation.

Privacy controls

Purpose limitation, lawful basis, rights handling and incidents.

Third-party management

Due diligence, DPA clauses and ongoing monitoring.

Training & awareness

Role-based content, onboarding & annual refreshers.

Audit-ready evidence

SharePoint evidence mapped to ISO 27701 requirements.