Scoping a Privacy Information Management System (PIMS) With ISO 27701:2025
Privacy Assessments | ISO Certifications
Published: Nov 12, 2025
ISO 27701 is a globally recognized standard for establishing a privacy information management system (PIMS), outlining the requirements and supporting controls that should be fulfilled and implemented. Compliance with ISO 27701 indicates that an organization has implemented a system to manage risks related to data privacy and the processing of personally identifiable information (PII).
With the 2025 revision of the standard, organizations can take a new approach to scoping a PIMS for certification. In this article, Schellman Privacy Technical Fellow Emily Heintz outlines considerations to keep in mind when determining how to scope a PIMS independently from the ISMS.
The Uncoupling of the ISMS and PIMS
Until recently, the PIMS was an extension of the information security management system (ISMS) established under ISO 27001, and the scope of the PIMS was required to mirror, or be a subset of, the larger ISMS scope. Since its publication on October 14, 2025, ISO 27701:2025 separates the two management systems and allows organizations to scope the PIMS independently of the ISMS.
This division is an exciting advancement for privacy compliance. Individual privacy is often conflated with confidentiality and for decades has been overshadowed by the benefits of emerging technology, including social media, behavioral targeting, and artificial intelligence (AI).
We're all well aware of how invasive technology has become. Our every move is tracked and analyzed, and this data is used to create advertisements that influence our purchasing decisions, attention span, and actions. Despite this, it's still important to uphold and respect individuals' basic right to make their own choices without outside intervention. ISO 27701:2025 gives privacy compliance the spotlight it deserves.
Key Considerations for Scoping a PIMS Independently From the ISMS
As with Gwyneth Paltrow and Chris Martin in 2014, businesses need to start consciously uncoupling their ISMS and PIMS to prepare for the transition to ISO 27701:2025. Below are three key considerations for this new approach to scoping a PIMS:
1. Apply Flexibility to Focus on Processing Activities Relevant to Privacy Concerns
Prior to the release of ISO 27701:2025, the PIMS was limited to the scope of the ISMS. Security is the practice of protecting systems, networks, and data from unauthorized access, modification, or disruption. The ISMS, scoped to reflect this, is designed to help organizations manage and protect their information assets, with a focus on the critical systems and activities that deliver services to customers.
Privacy, however, examines how authorized actors collect, use, and share data, and the PIMS was designed to assist organizations in managing PII practices and demonstrating accountability for PII handling. While there is overlap between the two, it’s not necessarily a one-to-one match. Processes that may raise privacy concerns may not raise security concerns and vice versa.
You might know the old saying, “You can have security without privacy, but you can’t have privacy without security.” While security is an important part of privacy, it’s not the entirety of privacy. Authorized users may pose privacy concerns through their use of data, potentially resulting in noncompliance with applicable legislation or regulation, customer agreements, and/or internal or external policy, or causing customer distrust.
Internal processes that slice, dice, and mix data for better insights can feel just as creepy as sharing data with third parties. ISO 27701:2025 enables organizations to define the scope of their PIMS to focus on the activities that are central to their privacy program, which brings more value to the certification because it is no longer restricted to the ISMS. The scope still has to be defined and documented with its boundaries justified, as with any ISO management system, and it should be broad enough that the certificate means something to the customers who rely on it. Within those limits, the doors are wide open, and the scoping world is your oyster.
2. Build Trust Across All Contact Points
Organizations connect with individuals through many channels, from the initial sales outreach to an ongoing relationship as a customer. PII is necessary to stay connected, and more PII is needed to keep interest and effectively market products and services. But consumers are quick to pull the plug and shut the door when that trust is lost.
According to Cisco's 2024 Consumer Privacy Survey Report, 89% of consumers care about data privacy, 51% report that they have switched companies or providers over data policies or data sharing practices, and 75% state they wouldn't even purchase from an organization they don't trust with their data. Consumer trust and privacy practice are closely linked, and that trust is what earns brand loyalty and repeat business.
Organizations that want to demonstrate their support of privacy should consider how data flows into, out of, and within their systems and environment. Marketing, for example, may involve ingesting information from, or providing information to, third parties. For each such flow of data, you should consider:
What information is absolutely necessary to conduct a marketing campaign? How can the third party use that information? Are individuals given a choice about whether to participate? How long does the information provide value, and when is it deleted?
The answers to these questions may make or break someone's trust. A PIMS helps organizations think through the privacy risks associated with sales, marketing, and customer relationship management, mitigate those risks through Privacy by Design principles, and continually improve their privacy posture. That builds a stable foundation of trust from the beginning of what is hopefully a long-lasting consumer relationship.
3. Mature Your Privacy Program Holistically
As privacy laws mature and enforcement agencies strengthen, the focus is shifting toward ensuring organizations demonstrate good faith and due diligence in their practices rather than just going through the motions. Legislatures, regulators, and standards bodies are each trying to keep pace with one another's developments.
In the United States, state privacy regulators have formed a consortium to collaborate on enforcing privacy law across jurisdictions and to coordinate investigative efforts. Retailers especially have found themselves in the crosshairs of enforcement actions lately, but companies that provide B2B services should also remain vigilant. The decisions resulting from regulatory investigations should be evaluated and applied to an organization's own privacy program to avoid fines and retain consumer trust.
Expanding the scope of the PIMS to include activities not traditionally incorporated in the ISMS, such as marketing or human resource management, may help an organization operationalize compliance with emerging privacy law and avoid hefty fines. A management system under ISO is also required to consider external issues; risk assessment and treatment; awareness; operational planning; monitoring, measurement, analysis, and evaluation; and continual improvement.
New privacy laws and judgments are exactly such external issues, and each presents a risk to the organization. Each development needs to be communicated effectively to raise awareness, requires planning to address it within existing processes, needs monitoring to confirm compliance, and offers opportunities for improvement as best practice forms and guidance from regulatory authorities is released. Integrating compliance efforts into a formalized management system enables effective governance and helps prevent controls from being neglected once deployed.
Creating a Cohesive Management System
Although ISO 27701:2025 introduces the separation of the ISMS and PIMS, the two aren't completely segregated, and organizations can still realize synergies between the standards. The management system clauses now follow the same harmonized structure across ISO 27001, ISO 27701, and ISO 42001 (for an artificial intelligence management system, or AIMS), providing cohesion for consolidated governance across all three management systems.
Documentation and processes can be integrated to satisfy all three standards at once, resulting in less effort when providing evidence to internal and/or external auditors or when conducting management system activities such as management reviews.
Organizations interested in establishing a PIMS or transitioning their current certification to ISO 27701:2025 can contact us today for more information on how Schellman can assist with the transition.
About Emily Heintz
Emily Heintz is a technical fellow with Schellman based in New Orleans, Louisiana. She currently manages privacy assessments and certifications across the full suite of offerings, including CBPR / PRP, ISO 27701, EU Cloud Code of Conduct, and Microsoft SSPA. Prior to joining Schellman in 2020, Emily worked as a Project Manager on the U.S. Privacy team at a Fortune 50 retailer focusing on designing controls to comply with the CCPA and conducting privacy reviews of emerging technology solutions. She also has experience implementing a privacy impact assessment and artificial intelligence impact assessment process at a Future 50 recognized company. She is an active member of the International Association of Privacy Professionals (IAPP), is a Fellow of Information Privacy (FIP), holding both the CIPP/US and CIPM certifications, and has obtained her CISSP.