
Useful information about this course and its structure
Generic information about the concept of privacy and how it should be regarded in the context of our society
Definitions for key privacy concepts used throughout the course, including PII processing, PII principals, PII processors and PII controllers
A short presentation of 11 key principles that should be considered in the design of any privacy programme
General information about ISO/IEC 27701, including its history, its structure and its relationship with ISO/IEC 27001 and ISO/IEC 27002
A presentation of the relationship between ISO/IEC 27701 and the GDPR including similarities and differences
Details about the certification of organizations for their PIMS according to ISO/IEC 27701 and the certification of individuals as evidence of competence in the field of privacy information management
Generic information about the management system requirements in ISO/IEC 27701:2025
About the identification of internal and external issues that make up the context of the organization and can have an impact on the PIMS
About the needs and expectations of stakeholders and their identification
Generic requirements about the establishment, implementation, maintenance and continual improvement of the PIMS
About the content of the privacy policy and its implementation
About the assignment and communication of roles and responsibilities relevant for privacy protection
Information about the privacy risk assessment, including methodology and its application
More details about the process of risk assessment, including risk identification, analysis and evaluation
About the options available for treating privacy risks and their implementation through controls
Two key documents of the privacy information management system, the SoA (Statement of Applicability) and the Risk treatment plan
Requirements for the privacy objectives and how to plan for their achievement
The organization must identify and provide the resources needed for the PIMS
Details about the process to ensure competence for those who work for the organization and may impact its privacy performance
The organization must ensure adequate privacy awareness for employees and other parties that may affect its privacy performance
Internal and external communications relevant for privacy information management must be effective
What the PIMS documentation shall include and how this documentation can vary from one organization to another
General aspects about establishing and controlling the processes of the PIMS
The organization must conduct privacy risk assessments at planned intervals and when significant changes occur, and must implement the privacy risk treatment plan
The privacy performance and the PIMS must be monitored and measured with adequate KPIs
The organization shall conduct internal audits of the PIMS at planned intervals
Top management must review the PIMS regularly to ensure its continuing suitability, adequacy and effectiveness
How the organization's privacy performance and the PIMS can be improved continually
About the process to manage nonconformities and address their root causes with corrective actions
A recapitulation of the management system requirements in ISO/IEC 27701:2025
Generic information about the controls for PII controllers in ISO/IEC 27701
The organization must have a clear identification of the purpose for PII processing
All processing of personal data must have a legal basis that is clearly identified
About the process for obtaining consent from PII principals
How consent must be recorded and what the requirements are for ensuring that consent obtained from PII principals is valid
The organization must determine whether a Privacy Impact Assessment is required and, if so, conduct the assessment
There should be written agreements signed with all PII processors engaged by the organization
The organization must clarify responsibilities whenever there are multiple PII controllers participating in the processing of personal data
About keeping records of PII processing that demonstrate compliance
The organization must have a clear understanding of its obligations towards PII principals
The information that should be provided to PII principals must be clearly identified
The organization should provide information to PII principals in an accessible and easy-to-understand form
PII principals should be able to withdraw or modify consent for PII processing
The organization should make available to individuals a mechanism to object to personal data processing
PII principals should be provided with access to their PII, including options to correct or erase personal data
The organization must identify its obligations in relation to informing third parties relevant for data processing
Whenever possible, the organization should be able to provide PII principals with a copy of their PII
There should be a process in place to handle requests from PII principals including complaints
Whenever decisions are made based solely on automated PII processing, the organization should follow the provisions of the relevant legislation
The collection of PII must be limited to what is strictly necessary to achieve the intended processing purpose
The organization must limit the processing of PII to the minimum that is strictly necessary considering the processing purpose
PII must remain accurate over time to prevent processing errors
The organization must define and pursue PII minimization objectives, such as PII de-identification
Whenever PII is no longer needed, it should be de-identified or deleted according to documented procedures
The organization must ensure that temporary files are removed when no longer necessary
There should be rules in place for the retention of PII. The organization must document retention schedules
The organization must dispose of PII securely when it is no longer needed
The organization must have clear rules for PII transmission to prevent data interception
There should be a clear documented legal basis for transferring PII between jurisdictions
The organization must identify the countries and international organizations where PII can be transferred as part of normal operations
There should be a record of PII transfers kept for traceability and accountability reasons
The organization must maintain records of PII disclosures to third parties
A recapitulation of the privacy controls for PII controllers in ISO/IEC 27701:2025
General aspects about the privacy controls that PII processors should implement as part of the PIMS
There should be a contract with every customer for which the organization processes PII and the responsibilities of each party must be documented in the contract
The organization must be aware of the processing purpose and support its customer in fulfilling their obligations
The PII processor must not use PII processed for a customer for marketing and advertising unless proper consent has been obtained from PII principals
The PII processor should notify its customer whenever a processing instruction does not comply with legal requirements
The PII processor must support its customer in meeting their obligations
The PII processor should keep adequate records in relation to PII processing
The PII processor should support its customer in meeting their obligations toward PII principals
The PII processor must ensure that temporary files do not become a source of PII disclosure
The PII processor must return, transfer or dispose of PII when no longer needed, in accordance with the customer's requirements
The PII processor must submit PII transmitted over a network to adequate controls as agreed with its customer
There should be a solid legal basis for transferring PII between jurisdictions
The PII processor must document the list of countries and international organizations to which PII can be transferred and make this list available to customers
The PII processor must notify its customer about any requests to disclose PII
The PII processor must reject any PII disclosure request that is not legally binding and, where legally permissible, inform its customer before disclosing any PII to third parties
The PII processor must disclose to its customer all subcontractors used to process PII
The PII processor must have an established process for engaging a subcontractor to process PII and inform its customer before the subcontractor starts processing PII
The customer must be informed about any change of subcontractor and must have the right to object to the change
A recapitulation of the privacy controls for PII processors in ISO/IEC 27701:2025
Protecting data privacy is not just an IT issue; it is a critical business imperative. According to IBM's recent Cost of a Data Breach reports, the average cost of a data breach has surpassed $4.4 million, and legal obligations around the world are becoming increasingly stringent.
As the digital landscape evolves, governments worldwide are enforcing strict privacy regulations, such as the European Union's GDPR and California's CCPA, among others.
ISO/IEC 27701:2025 is the internationally recognized standard that helps organizations meet these complex requirements, regardless of their jurisdiction.
About This Course
This course details the requirements and guidelines of ISO/IEC 27701:2025.
Designed as a stand-alone standard rather than as a privacy extension to ISO/IEC 27001, ISO/IEC 27701:2025 defines the management system requirements and controls that any organization processing Personally Identifiable Information (PII) must consider. Whether your company acts as a PII controller, a PII processor or both, this standard applies to you, regardless of your company's size, sector or location.
Course Structure
This course is divided into 5 sections to take you from fundamentals to advanced implementation:
Section 1: Introduction to Privacy. Core concepts, definitions, privacy principles and general aspects of the standard in the context of the ISO/IEC 27000 series.
Section 2: Management System Requirements. A deep dive into the core requirements for a PIMS, including the Context of the Organization, Leadership, Planning, Support, Operation, Performance Evaluation, and Continual Improvement.
Section 3: Controls for PII Controllers. A detailed breakdown of the 31 privacy controls that apply to organizations acting as PII controllers. Topics include the organization's obligations toward PII principals, privacy by design and privacy by default, conditions for collecting and processing personal data, and requirements for sharing and transferring PII.
Section 4: Controls for PII Processors. Specific controls that should be considered by organizations that process personal data on behalf of, and in accordance with the instructions of, their customers.
Section 5: Information Security Controls. A selection of 29 information security controls covering subjects such as information classification and labelling, cryptography, incident management, access rights, backups, logging, and the development of software and systems. These security controls are discussed with a focus on protecting personal data.
What Can You Do With This Knowledge?
By the end of this course, you will possess a deep understanding of what a Privacy Information Management System (PIMS) is and how it functions. You can use this expertise to:
Launch or advance your career as a Privacy Consultant or Data Protection Officer (DPO).
Participate in internal and external PIMS audits.
Enhance an existing ISO/IEC 27001 Information Security Management System (ISMS) to meet privacy requirements.
Spearhead the implementation of a PIMS within your own organization.
Gain a clear understanding of the ISO approach to processing personally identifiable information.
Why Enroll Today?
You will receive concise, actionable information that you can immediately apply in practice. Udemy also offers lifetime access, so you can revisit these lectures whenever you need a refresher. Upon completion, you will receive a Certificate of Completion to showcase your updated competence to employers and clients.
Enroll now to secure your organization's data and advance your compliance career with the new ISO/IEC 27701:2025 standard!