Framework · ISO/IEC 27701

Extend your ISMS into a privacy management system.

ISO/IEC 27701 adds privacy to ISO/IEC 27001. If you run your security management system in 01GRC, the same engine — risk, controls, Statement of Applicability, audit, management review and evidence — already does most of the heavy lifting for a PIMS. On top of it, 01GRC keeps the operational privacy record: your records of processing, data map, retention and processor relationships.

PIMS on your ISMS · records of processing · built by GRC practitioners
Why 01GRC for ISO 27701

A PIMS is an ISMS plus privacy.

Every claim here maps to a shipped feature. 01GRC is strong on the management-system side of a PIMS and on the operational privacy record — it is not a consent, data-subject-rights, or DPIA platform.

Extend, don't rebuild

01GRC already operates the ISO 27001 management system. ISO 27701 reuses that machinery, so you extend your ISMS into a PIMS rather than starting over.

The privacy record lives here

Records of processing, personal and special-category data inventory, retention, international transfers and processors are maintained as live data, not stale spreadsheets.

Evidence and accountability built in

Activity logging, immutable management-review sign-offs, controlled documents and attached evidence demonstrate that your PIMS is operating.

Honest about the boundary

We tell you plainly which PIMS requirements the platform supports and which — consent, data-subject rights, DPIA — sit outside it.

The PIMS management system

ISO 27701 extending ISO 27001.

ISO 27701's management-system requirements are the ISO 27001 clauses adapted for privacy. 01GRC performs these as real workflows.

PIMS requirement / What 01GRC delivers

Risk management, including privacy risk: A repeatable risk process — threats, vulnerabilities, inherent and residual scoring, treatment — in which data-protection risks are documented and treated alongside security risks.

Statement of Applicability: The ISO 27001 SoA draft export, extendable to the privacy controls you bring into scope.

Controls & effectiveness testing: A control framework with tests, KPIs and effectiveness history, so privacy controls are not just declared but verified.

Internal audit & management review: Audit programs, findings and corrective actions, plus periodic management review with immutable, attested sign-off.

Documented information: Privacy policies and notices managed with versioning, approval, review cycles and acknowledgement campaigns.

Awareness & training: Assign, deliver and evidence privacy training through the built-in Learning module.

The operational privacy record

The privacy data a PIMS runs on.

Behind the management system sits the living record ISO 27701 expects — maintained as data, not documents.

PIMS area / What 01GRC delivers

Records of processing — controller & processor views: Generate records of processing as PDF or XLSX, built from your data-flow inventory (exported today as the platform's Article 30 register). The same processing map serves whether you act as a PII controller or oversee processing as a PII processor.

Personal & special-category data inventory: Catalogue the data itself as data elements grouped into categories, each flagged for personal data and special-category data — the foundation ISO 27701 expects behind a record of processing, a transfer review, or a data-protection risk assessment.

Retention, review & storage limitation: Set retention periods and a retention basis at the data-element and category level, with per-flow overrides and review-cycle scheduling — supporting the retention and review expectations within ISO 27701's privacy-by-design and minimisation controls. (The platform documents and schedules retention; it does not itself execute automated deletion across your systems.)

PII sharing, transfer & disclosure: Data flows record the third party that receives data and whether a flow is an international transfer, and surface those transfers in the processing register — so the processing that needs a transfer mechanism is visible.

Processor & sub-processor management: A processor register with derived criticality, due-diligence questionnaires with evidence, and sub-processor mapping with data-access level and materiality — supporting both controller-side oversight of processors and a processor's own record of the sub-processors it engages.

Safeguarding PII — security of processing: The ISO 27001 control backbone protects the personal data in scope: control framework with effectiveness testing, asset classification and CIA values, role-based access control, encryption of stored evidence, malware-scanned uploads, and immutable activity logging.

Accountability & evidence: Activity logging on every entity, controlled policy and notice documents, immutable management-review sign-offs, scheduled privacy and governance reviews against business processes, and evidence attached throughout.

Honest scope

What 01GRC is — and is not.

We are explicit about the boundary, because your auditor and your privacy team will be.

01GRC does — PIMS support:
- Operate the PIMS management system — risk, SoA, controls, audit, management review, training, corrective action
- Maintain records of processing, data inventory, retention and transfer visibility
- Manage processors and sub-processors, security of processing, and accountability evidence
- Document and treat privacy risks

01GRC does not:
- Run data-subject / PII-principal rights workflows — access, correction, erasure, portability, objection (A.7.3 / B.8.3)
- Provide consent management or capture lawful basis / purpose per processing operation (A.7.2)
- Provide a structured DPIA / privacy impact assessment workflow (A.7.2.5)
- Determine the legal assessments ISO 27701 and applicable law require

01GRC supports the management system and the operational privacy record of a PIMS. It does not replace your privacy office, a consent platform, or a data-subject-rights solution.

Platform

Strengths that make ISO 27701 easier.

Business-first model

Department → Process → Asset → Data Flow → Vendor, with dependency mapping and derived process/vendor criticality, so the personal data in scope is traceable end to end.

Immutable evidence

Activity logs, snapshotted sign-offs, encrypted and virus-scanned attachments, soft deletes by default.

Role-based access & multi-tenancy

Granular permissions, organisation-scoped data, MFA, session controls, IP blocklisting.

Deploy anywhere

Self-contained with no external dependencies — deploy on-premises, in your private cloud, or fully air-gapped.

Who it helps

One PIMS, every privacy stakeholder.

Privacy / DPO function

A maintained processing record, data and processor inventory, and the accountability evidence to show the PIMS is operating.

Security & Compliance

Privacy controls managed and tested within the same ISMS, with internal audit and management review.

Risk owners

Data-protection risks documented and treated alongside security risk.

01GRC helps organisations operate the management system and the operational privacy record of an ISO/IEC 27701 Privacy Information Management System — extending the ISO/IEC 27001 ISMS with records of processing, personal-data inventory, retention, transfer visibility, processor and sub-processor oversight, security of processing, training and accountability evidence. It does not provide consent management, data-subject-rights automation, lawful-basis records, or DPIA workflows. Certification to ISO/IEC 27701 is awarded to your organisation by an accredited body, and the legal assessments the standard requires remain your organisation's responsibility.

More frameworks

One platform, every standard you answer to.

ISO 27701 is one of several frameworks built in — and you can add your own. More framework guides are on the way.

See your privacy management system the way it should look.

Book a personalised walkthrough — we'll demo the PIMS management system, your records of processing, processor oversight and security of processing on data shaped like yours.