ISO/IEC 27701:2019
Privacy Information Management System (PIMS)
COMPLETE AUDIT CHECKLIST

Organisation: ____________________
Audit Date: ____________________
Lead Auditor: ____________________
Audit Scope: ____________________
PIMS Role: PII Controller / PII Processor / Both (circle one)
Certification Body: ____________________

Rating Key: C = Conformant | PC = Partially Conformant | NC = Non-Conformant
CLAUSE 4 — Context of the Organisation

Ref. | Requirement / Control | Evidence / Guidance | C | PC | NC | Notes / Findings

4.1 — Understanding the Organisation and Its Context
4.1.1 | The organisation has identified external and internal issues relevant to its purpose that affect its ability to achieve the intended outcomes of the PIMS. | Review context analysis documents; privacy impact register; SWOT/PESTLE or equivalent analysis relevant to privacy. | ☐ | ☐ | ☐ |
4.1.2 | The organisation has considered relevant privacy laws, regulations, and contractual obligations in its context analysis. | Verify legal register or compliance matrix referencing GDPR, CCPA, PDPA, or applicable jurisdiction laws. | ☐ | ☐ | ☐ |

4.2 — Understanding the Needs and Expectations of Interested Parties
4.2.1 | The organisation has identified interested parties relevant to the PIMS (e.g., PII principals, regulators, customers, supervisory authorities). | Review stakeholder register; confirm PII principals are explicitly identified. | ☐ | ☐ | ☐ |
4.2.2 | Requirements of interested parties relevant to privacy have been documented and kept current. | Check stakeholder needs register; interview privacy officer; confirm review cadence. | ☐ | ☐ | ☐ |
4.2.3 | The organisation has determined which requirements will be addressed through the PIMS. | Review scope document and mapping of interested-party requirements to controls. | ☐ | ☐ | ☐ |

4.3 — Determining the Scope of the PIMS
4.3.1 | The scope of the PIMS is documented, including the products/services, organisational units, physical locations, and technologies within scope. | Inspect scope statement; verify it distinguishes PII controller vs PII processor roles where applicable. | ☐ | ☐ | ☐ |
4.3.2 | The scope considers the context, interested-party requirements, and interfaces with external parties. | Confirm scope references suppliers, sub-processors, and cloud providers; verify supply-chain boundary. | ☐ | ☐ | ☐ |
4.3.3 | The scope is available as documented information. | Locate scope document; check version control and approval signature. | ☐ | ☐ | ☐ |

4.4 — Privacy Information Management System
4.4.1 | The organisation has established, implemented, maintained, and continually improved the PIMS in accordance with ISO 27701. | Review PIMS framework document; check integration with ISO 27001 ISMS where applicable. | ☐ | ☐ | ☐ |
CLAUSE 5 — Leadership

Ref. | Requirement / Control | Evidence / Guidance | C | PC | NC | Notes / Findings

5.1 — Leadership and Commitment
5.1.1 | Top management demonstrates leadership and commitment to the PIMS by ensuring the privacy policy and objectives are established and compatible with the strategic direction. | Interview senior management; review board/committee minutes referencing privacy governance. | ☐ | ☐ | ☐ |
5.1.2 | Top management ensures PIMS requirements are integrated into business processes. | Review process documentation; verify privacy is a standing agenda item in operational reviews. | ☐ | ☐ | ☐ |
5.1.3 | Top management ensures resources needed for the PIMS are available. | Review resource allocation records; budget for privacy programme; DPO appointment letter. | ☐ | ☐ | ☐ |
5.1.4 | Top management communicates the importance of effective privacy management and conformance with PIMS requirements. | Review internal communications, all-staff emails, intranet content on privacy. | ☐ | ☐ | ☐ |
5.1.5 | Top management ensures the PIMS achieves its intended outcomes and directs persons to contribute to its effectiveness. | Review performance metrics reported to management; accountability assignments. | ☐ | ☐ | ☐ |

5.2 — Privacy Policy
5.2.1 | Top management has established a privacy policy appropriate to the organisation's purpose. | Obtain privacy policy; verify it is approved by senior management. | ☐ | ☐ | ☐ |
5.2.2 | The privacy policy includes a commitment to satisfy applicable privacy requirements and to continual improvement. | Review policy text for explicit commitments; check date of last review. | ☐ | ☐ | ☐ |
5.2.3 | The privacy policy is available as documented information and is communicated internally and, as appropriate, externally (to PII principals). | Verify policy on intranet and public website; confirm employees acknowledge it. | ☐ | ☐ | ☐ |

5.3 — Organisational Roles, Responsibilities and Authorities
5.3.1 | Top management has assigned and communicated roles and responsibilities for privacy within the PIMS. | Review RACI matrix or organisational chart showing DPO, privacy team, and process owners. | ☐ | ☐ | ☐ |
5.3.2 | A Data Protection Officer (DPO) or equivalent role has been appointed where required, with appropriate authority and independence. | Inspect DPO appointment; confirm reporting line to top management; verify DPO is involved in all personal data matters. | ☐ | ☐ | ☐ |
5.3.3 | The DPO's contact details are published and communicated to PII principals and the supervisory authority. | Check public privacy notice and regulatory filings for DPO contact info. | ☐ | ☐ | ☐ |
CLAUSE 6 — Planning

Ref. | Requirement / Control | Evidence / Guidance | C | PC | NC | Notes / Findings

6.1 — Actions to Address Risks and Opportunities
6.1.1 | The organisation has conducted a privacy risk assessment identifying risks to the rights and freedoms of PII principals. | Review Privacy Impact Assessments (PIA/DPIA); risk register; methodology documentation. | ☐ | ☐ | ☐ |
6.1.2 | Privacy risks are evaluated for likelihood and impact; risk treatment options have been selected and documented. | Inspect risk register; confirm risk owners and treatment plans are assigned. | ☐ | ☐ | ☐ |
6.1.3 | A Statement of Applicability (SoA) has been produced that includes all Annex A and B controls with justification for inclusion or exclusion. | Obtain SoA; verify all Annex A (ISMS) and Annex B (PIMS-specific) controls are addressed. | ☐ | ☐ | ☐ |
6.1.4 | A risk treatment plan has been formulated and approved by risk owners and top management. | Verify risk treatment plan with timelines, owners, and acceptance criteria. | ☐ | ☐ | ☐ |

6.2 — Privacy Objectives and Planning to Achieve Them
6.2.1 | Privacy objectives have been established at relevant functions and levels; they are measurable and consistent with the privacy policy. | Review privacy objectives register; verify KPIs with measurable targets. | ☐ | ☐ | ☐ |
6.2.2 | Plans exist specifying what will be done, resources, responsibilities, timelines, and how results will be evaluated. | Inspect privacy programme plan; confirm each objective has an action plan. | ☐ | ☐ | ☐ |
CLAUSE 7 — Support

Ref. | Requirement / Control | Evidence / Guidance | C | PC | NC | Notes / Findings

7.1 — Resources
7.1.1 | The organisation determines and provides resources needed for the establishment, implementation, maintenance, and improvement of the PIMS. | Review privacy budget; headcount; tooling procurement records. | ☐ | ☐ | ☐ |

7.2 — Competence
7.2.1 | The organisation determines necessary competence of persons doing privacy-related work and ensures they are competent. | Review job descriptions, training records, certifications (e.g., CIPM, CIPP, CISM). | ☐ | ☐ | ☐ |
7.2.2 | Competence gaps are identified and appropriate actions taken (training, mentoring, recruitment). | Inspect training needs analysis; learning management system records. | ☐ | ☐ | ☐ |

7.3 — Awareness
7.3.1 | Persons working under the organisation's control are aware of the privacy policy, their contribution to PIMS effectiveness, and implications of non-conformance. | Review privacy awareness programme; completion statistics; phishing simulation or quiz results. | ☐ | ☐ | ☐ |
7.3.2 | Privacy awareness training is conducted at onboarding and on a recurring basis. | Verify training frequency; sample employee acknowledgement records. | ☐ | ☐ | ☐ |

7.4 — Communication
7.4.1 | The organisation has determined internal and external communications relevant to privacy (what, when, with whom, how). | Review communications plan; verify PII principal communication channels. | ☐ | ☐ | ☐ |

7.5 — Documented Information
7.5.1 | The PIMS documentation includes the scope, privacy policy, risk assessment and treatment results, SoA, and required records. | Check document inventory against ISO 27701 requirements; verify records are complete. | ☐ | ☐ | ☐ |
7.5.2 | Documented information is controlled for creation, update, distribution, access, retrieval, use, storage, and disposal. | Review document control procedure; check version history, access controls, and retention schedules. | ☐ | ☐ | ☐ |
CLAUSE 8 — Operation

Ref. | Requirement / Control | Evidence / Guidance | C | PC | NC | Notes / Findings

8.1 — Operational Planning and Control
8.1.1 | Processes needed to meet requirements are planned, implemented, and controlled; changes are managed and unintended changes reviewed. | Review operational procedures; change management records relevant to PII processing. | ☐ | ☐ | ☐ |
8.1.2 | Outsourced processes relevant to the PIMS are determined and controlled. | Verify processor agreements, vendor assessments, and sub-processor approval process. | ☐ | ☐ | ☐ |

8.2 — Privacy Risk Assessment
8.2.1 | Privacy risk assessments are performed at planned intervals and when significant changes occur. | Review DPIA log; confirm DPIAs are performed before high-risk processing activities. | ☐ | ☐ | ☐ |
8.2.2 | Privacy risk assessment results are retained as documented information. | Inspect DPIA records; confirm they are version-controlled and accessible. | ☐ | ☐ | ☐ |

8.3 — Privacy Risk Treatment
8.3.1 | A privacy risk treatment plan is implemented; results of risk treatment are retained. | Review treatment plan completion status; verify residual risk acceptance records. | ☐ | ☐ | ☐ |

8.4 — Records of Processing Activities (RoPA)
8.4.1 | A Record of Processing Activities is maintained (required for controllers and processors where applicable under law). | Inspect RoPA; verify it covers: categories of PII, purposes, legal basis, recipients, retention periods, safeguards. | ☐ | ☐ | ☐ |
8.4.2 | The RoPA is kept current and reflects actual processing operations. | Compare RoPA with recent system inventory or data discovery scan; check last review date. | ☐ | ☐ | ☐ |
CLAUSE 9 — Performance Evaluation

Ref. | Requirement / Control | Evidence / Guidance | C | PC | NC | Notes / Findings

9.1 — Monitoring, Measurement, Analysis and Evaluation
9.1.1 | The organisation determines what needs to be monitored and measured, the methods to be used, when monitoring is performed, when results are analysed and evaluated, and who performs these activities. | Review privacy metrics dashboard; data breach statistics; PII principal request response times. | ☐ | ☐ | ☐ |
9.1.2 | Results of monitoring and measurement are retained as documented information. | Inspect reporting records; management review packs; audit trails. | ☐ | ☐ | ☐ |

9.2 — Internal Audit
9.2.1 | Internal audits are conducted at planned intervals to provide information on whether the PIMS conforms to requirements and is effectively implemented. | Review internal audit programme; last audit report; findings and corrective actions. | ☐ | ☐ | ☐ |
9.2.2 | An audit programme is established, considering the importance of processes and results of previous audits. | Verify audit schedule covers all PIMS clauses and Annex B controls over a defined cycle. | ☐ | ☐ | ☐ |
9.2.3 | Audit results are reported to relevant management; documented information is retained. | Review audit reports; management communication records; corrective action tracking. | ☐ | ☐ | ☐ |

9.3 — Management Review
9.3.1 | Top management reviews the PIMS at planned intervals to ensure its continuing suitability, adequacy, and effectiveness. | Obtain management review minutes; confirm privacy is a standing agenda item. | ☐ | ☐ | ☐ |
9.3.2 | Management review inputs include the status of actions from previous reviews, changes in context, performance metrics, audit results, PII principal complaints, and opportunities for improvement. | Review meeting agenda and minutes for completeness of inputs. | ☐ | ☐ | ☐ |
9.3.3 | Outputs include decisions on continual improvement, resource needs, and PIMS changes. | Verify action items from management review are tracked to completion. | ☐ | ☐ | ☐ |
CLAUSE 10 — Improvement

Ref. | Requirement / Control | Evidence / Guidance | C | PC | NC | Notes / Findings

10.1 — Nonconformity and Corrective Action
10.1.1 | When a nonconformity occurs, corrective actions are taken: react to it, evaluate causes, implement actions, review effectiveness. | Review nonconformity register; corrective action plans; evidence of root cause analysis. | ☐ | ☐ | ☐ |
10.1.2 | The organisation retains documented information as evidence of nonconformities and corrective actions. | Inspect CARs (Corrective Action Records); verify they are linked to findings. | ☐ | ☐ | ☐ |

10.2 — Continual Improvement
10.2.1 | The organisation continually improves the suitability, adequacy, and effectiveness of the PIMS. | Review improvement register; privacy roadmap; trend analysis of metrics over time. | ☐ | ☐ | ☐ |
ANNEX A — ISO 27001 ISMS Controls (Privacy-Relevant)

The following ISMS controls from ISO 27001 Annex A are extended by ISO 27701 Annex A for privacy. Verify both baseline ISMS conformance AND the privacy-specific extensions below.

Ref. | Requirement / Control | Evidence / Guidance | C | PC | NC | Notes / Findings

A.5 — Information Security Policies (Privacy Extension)
A.5.1 | Information security policies include specific privacy requirements; policies are communicated to all relevant parties including processors. | Review policy suite; confirm privacy addendum or dedicated privacy policy exists. | ☐ | ☐ | ☐ |

A.6 — Organisation of Information Security (Privacy Extension)
A.6.1.1 | Privacy roles and responsibilities are defined and allocated; DPO authority is established within the governance structure. | Verify governance charter; DPO role defined with independence, resources, and access to top management. | ☐ | ☐ | ☐ |
A.6.1.2 | Segregation of duties for PII processing is implemented to reduce risk of unauthorised or unintentional modification or misuse. | Review access control matrix; verify no single individual can initiate and approve PII access. | ☐ | ☐ | ☐ |

A.7 — Human Resource Security (Privacy Extension)
A.7.1.1 | Background verification checks are performed on candidates for roles with access to PII, consistent with legal requirements. | Review HR procedures; sample background check records for PII-handling roles. | ☐ | ☐ | ☐ |
A.7.2.2 | Privacy and data protection training is provided to employees and contractors at hire and updated regularly. | Inspect LMS records; training content covers PII handling, breach reporting, and PII principal rights. | ☐ | ☐ | ☐ |
A.7.3.1 | Privacy responsibilities and obligations survive termination; confidentiality obligations for PII are enforced. | Review employment contracts; offboarding checklist; data return/destruction upon exit. | ☐ | ☐ | ☐ |

A.8 — Asset Management (Privacy Extension)
A.8.1.1 | Assets containing PII are identified and an inventory (data map) is maintained. | Inspect data asset inventory; verify PII classification labels; compare with RoPA. | ☐ | ☐ | ☐ |
A.8.2.1 | PII is classified according to sensitivity; classification drives handling, access, and retention requirements. | Review classification scheme; sample PII datasets to verify labelling. | ☐ | ☐ | ☐ |
A.8.3.1 | Procedures exist for the secure disposal of PII-bearing media and devices. | Review media disposal procedure; certificates of destruction; data wiping records. | ☐ | ☐ | ☐ |

A.9 — Access Control (Privacy Extension)
A.9.1.1 | Access control policy specifies privacy-specific restrictions on PII access based on business need and least privilege. | Review access control policy; verify PII access is need-to-know only. | ☐ | ☐ | ☐ |
A.9.2.1 | User access to PII is formally provisioned and de-provisioned; access rights for PII roles are reviewed regularly. | Inspect IAM system; review access provisioning tickets and periodic access reviews. | ☐ | ☐ | ☐ |
A.9.4.1 | Information access is restricted to authorised users; PII systems enforce access at application and data level. | Test application-level access controls; verify row-level security for PII databases. | ☐ | ☐ | ☐ |

A.10 — Cryptography (Privacy Extension)
A.10.1.1 | PII is encrypted at rest and in transit using approved cryptographic algorithms; key management procedures protect PII encryption keys. | Review encryption standards; verify TLS/HTTPS for transit; AES-256 or equivalent for rest; key rotation records. | ☐ | ☐ | ☐ |

A.11 — Physical and Environmental Security (Privacy Extension)
A.11.1.1 | Physical access to areas where PII is processed is controlled; visitors are logged and escorted. | Inspect access logs; physical security policy; CCTV coverage of data centres. | ☐ | ☐ | ☐ |
A.11.2.6 | Equipment used to process PII when taken off premises is protected and authorised. | Review mobile device management (MDM) policy; device encryption enforcement. | ☐ | ☐ | ☐ |

A.12 — Operations Security (Privacy Extension)
A.12.4.1 | Logs recording user activities, exceptions, and PII access events are produced, protected, and reviewed. | Inspect audit logging configuration; SIEM alerts; log retention policy (minimum recommended: 1 year). | ☐ | ☐ | ☐ |
A.12.6.1 | Vulnerabilities in systems processing PII are identified and remediated in a timely manner. | Review vulnerability management programme; patching SLAs; penetration test results for PII systems. | ☐ | ☐ | ☐ |

A.13 — Communications Security (Privacy Extension)
A.13.1.1 | Network controls protect PII in transit; PII systems are segmented from untrusted networks. | Review network architecture; firewall rules; DMZ for systems handling PII. | ☐ | ☐ | ☐ |
A.13.2.1 | Policies and procedures govern transfer of PII; acceptable-use requirements for email and file transfer of PII. | Review data transfer policy; DLP solution effectiveness; approved transfer mechanisms. | ☐ | ☐ | ☐ |

A.14 — System Acquisition, Development and Maintenance (Privacy Extension)
A.14.1.1 | Privacy requirements are included in system specifications; Privacy by Design is embedded in the SDLC. | Review SDLC procedures; confirm DPIA is triggered for new projects involving PII. | ☐ | ☐ | ☐ |
A.14.2.1 | Secure development practices are followed; PII handling is tested before release. | Inspect security testing results; code review checklists; staging environment controls. | ☐ | ☐ | ☐ |

A.15 — Supplier Relationships (Privacy Extension)
A.15.1.1 | Agreements with third-party suppliers accessing PII include privacy and security requirements; Data Processing Agreements (DPAs) are in place. | Review supplier contracts; DPA inventory; confirm DPAs cover: processing instructions, security measures, sub-processor obligations, breach notification. | ☐ | ☐ | ☐ |
A.15.2.1 | Third-party performance including privacy compliance is monitored; audits of processors are conducted or assurance obtained. | Review supplier audit reports, SOC 2/ISO 27001 certificates, and questionnaire responses. | ☐ | ☐ | ☐ |

A.16 — Information Security Incident Management (Privacy Extension)
A.16.1.1 | A personal data breach response procedure exists; it includes detection, containment, assessment, notification to the supervisory authority (within 72 hours under GDPR), and notification to PII principals where required. | Review breach response plan; simulate or review past breach records; verify 72-hour notification tracking. | ☐ | ☐ | ☐ |
A.16.1.2 | Privacy breaches are assessed for risk to PII principals; a breach register is maintained. | Inspect breach register; review risk assessments for past incidents. | ☐ | ☐ | ☐ |

A.18 — Compliance (Privacy Extension)
A.18.1.4 | Privacy and protection of PII is ensured in accordance with applicable legislation, regulations, and contractual requirements. | Review legal compliance matrix; external counsel assessments; data transfer mechanisms (SCCs, BCRs, adequacy decisions). | ☐ | ☐ | ☐ |
A.18.2.1 | PIMS compliance is reviewed independently; technical controls are reviewed by privacy/security specialists. | Inspect independent review reports; confirm reviewer independence. | ☐ | ☐ | ☐ |
ANNEX B — Extended Controls: PII Controller

Ref. | Requirement / Control | Evidence / Guidance | C | PC | NC | Notes / Findings

B.1 — Conditions for Collection and Processing
B.1.1 | Purpose Limitation: PII is collected only for specified, explicit, and legitimate purposes; not further processed in an incompatible manner. | Review privacy notices; system configurations; verify purpose documented in RoPA and enforced technically. | ☐ | ☐ | ☐ |
B.1.2 | Lawful Basis: A valid lawful basis is established and documented for each PII processing activity (consent, contract, legal obligation, vital interests, public task, legitimate interests). | Inspect lawful basis register; legitimate interests assessments (LIA); consent management records. | ☐ | ☐ | ☐ |
B.1.3 | Data Minimisation: Only PII that is adequate, relevant, and limited to what is necessary is collected and processed. | Review data collection forms and APIs; compare fields collected against stated purpose; check for surplus data. | ☐ | ☐ | ☐ |
B.1.4 | Consent Management: Where consent is the lawful basis, it is freely given, specific, informed, and unambiguous; withdrawable at any time without detriment. | Test consent mechanisms; review consent records with timestamps; verify withdrawal process. | ☐ | ☐ | ☐ |
B.1.5 | Children's PII: Where applicable, parental or guardian consent is obtained for processing children's PII; age verification mechanisms are implemented. | Review age verification controls; parental consent workflow; minimum age policy. | ☐ | ☐ | ☐ |

B.2 — Obligations to PII Principals
B.2.1 | Transparency / Privacy Notice: PII principals are provided with clear, accessible information about the organisation's identity, processing purposes, legal basis, recipients, transfers, retention, and rights. | Obtain and review public privacy notice; verify it is up to date, layer-appropriate, and accessible. | ☐ | ☐ | ☐ |
B.2.2 | Right of Access: Procedures exist to respond to subject access requests (SARs) within legally required timescales. | Review SAR handling procedure; check response time log; verify identity verification process. | ☐ | ☐ | ☐ |
B.2.3 | Right to Rectification: Processes enable PII principals to correct inaccurate personal data. | Inspect rectification request log; verify downstream system update propagation. | ☐ | ☐ | ☐ |
B.2.4 | Right to Erasure ('Right to be Forgotten'): Procedures enable PII principals to request deletion of personal data where applicable; exceptions are documented. | Review erasure procedure; test erasure request workflow; verify data is deleted across all systems including backups. | ☐ | ☐ | ☐ |
B.2.5 | Right to Restriction: Processing can be restricted upon PII principal request pending resolution of disputes about accuracy or lawfulness. | Verify technical capability to flag and restrict PII records. | ☐ | ☐ | ☐ |
B.2.6 | Right to Data Portability: Where applicable, PII is provided in a structured, commonly used, machine-readable format upon request. | Test portability export; verify format (JSON/CSV); confirm scope (consent/contract-based processing only). | ☐ | ☐ | ☐ |
B.2.7 | Right to Object: PII principals can object to processing for direct marketing or based on legitimate interests; objections are honoured promptly. | Review objection handling procedure; marketing suppression lists; opt-out mechanisms. | ☐ | ☐ | ☐ |
B.2.8 | Automated Decision-Making: Where solely automated processing produces significant decisions, PII principals are informed and safeguards are implemented. | Review automated decision register; verify human review capability; privacy notice disclosure. | ☐ | ☐ | ☐ |

B.3 — Privacy by Design and Default
B.3.1 | Privacy by Design principles are embedded in system and process design from inception. | Review design documentation; DPIA integration with project lifecycle; data-minimisation-by-default settings. | ☐ | ☐ | ☐ |
B.3.2 | Default privacy-protective settings are implemented; only the minimum PII necessary for each purpose is processed by default. | Audit default application settings; verify opt-in rather than opt-out for non-essential processing. | ☐ | ☐ | ☐ |

B.4 — Data Retention and Disposal
B.4.1 | Retention periods are defined for all categories of PII and documented in a retention schedule. | Review retention schedule; compare against legal requirements; verify it is linked to the RoPA. | ☐ | ☐ | ☐ |
B.4.2 | PII is deleted or anonymised at the end of its retention period; deletion is verifiable. | Inspect automated deletion jobs; test anonymisation outputs; verify pseudonymisation meets re-identification risk threshold. | ☐ | ☐ | ☐ |

B.5 — International Data Transfers
B.5.1 | Transfers of PII to third countries are identified; appropriate safeguards are in place (adequacy decision, SCCs, BCRs, derogations). | Review transfer impact assessments; SCC execution records; adequacy country list check. | ☐ | ☐ | ☐ |
B.5.2 | Transfer mechanisms are kept current; invalidated mechanisms (e.g., Privacy Shield) have been replaced. | Verify no reliance on invalidated mechanisms; confirm SCCs use the 2021 EU Commission versions or equivalent. | ☐ | ☐ | ☐ |
ANNEX B — Extended Controls: PII Processor

Ref. | Requirement / Control | Evidence / Guidance | C | PC | NC | Notes / Findings

B.6 — Conditions for Collection and Processing (Processor)
B.6.1 | The processor processes PII only on documented instructions from the controller; any instructions to process beyond the original purpose are escalated and documented. | Review processor agreements; verify instructions are in writing; check escalation records. | ☐ | ☐ | ☐ |
B.6.2 | The processor does not disclose PII to third parties without controller authorisation; sub-processors are approved in writing. | Inspect sub-processor list; controller authorisation records; sub-processor DPAs. | ☐ | ☐ | ☐ |
B.6.3 | The processor assists the controller in fulfilling obligations to PII principals (SAR, erasure, portability, etc.) within agreed timescales. | Review service-level agreements (SLAs) for PII principal request assistance; verify fulfilment records. | ☐ | ☐ | ☐ |
B.6.4 | The processor deletes or returns PII to the controller upon termination of the service agreement. | Inspect offboarding procedures; deletion certificates; data return records. | ☐ | ☐ | ☐ |

B.7 — Transparency / Obligations to PII Principals (Processor)
B.7.1 | The processor makes available to the controller all information necessary to demonstrate compliance; allows for and contributes to audits. | Review audit rights clause in DPA; audit cooperation records; questionnaire responses. | ☐ | ☐ | ☐ |
B.7.2 | The processor informs the controller of personal data breaches without undue delay; agreed timescales are met. | Inspect breach notification SLA; breach register; test or review past notifications. | ☐ | ☐ | ☐ |

B.8 — Privacy by Design and Default (Processor)
B.8.1 | The processor implements technical and organisational measures to ensure processing meets requirements and protects PII principal rights. | Review TOMs (Technical and Organisational Measures) schedule; penetration test results; security certifications. | ☐ | ☐ | ☐ |
B.8.2 | The processor uses pseudonymisation and encryption where appropriate; implements data minimisation in its processing activities. | Inspect architecture diagrams; encryption configuration; anonymisation procedures. | ☐ | ☐ | ☐ |

B.9 — Records of Processing Activities (Processor)
B.9.1 | The processor maintains records of all categories of processing carried out on behalf of controllers. | Review processor RoPA; verify it captures: controller identity, categories of PII, processing activities, transfers, security measures. | ☐ | ☐ | ☐ |

B.10 — Security of PII Processing (Processor)
B.10.1 | The processor implements appropriate security measures proportionate to the risk, including access controls, encryption, logging, and incident response. | Review security controls documentation; certifications (ISO 27001, SOC 2); penetration test executive summaries. | ☐ | ☐ | ☐ |
Audit Summary & Sign-Off

Section | # Conformant (C) | # Partially (PC) | # Non-Conformant (NC) | Key Findings / Notes
Clause 4 — Context | | | |
Clause 5 — Leadership | | | |
Clause 6 — Planning | | | |
Clause 7 — Support | | | |
Clause 8 — Operation | | | |
Clause 9 — Performance | | | |
Clause 10 — Improvement | | | |
Annex A — ISMS Controls | | | |
Annex B — PII Controller | | | |
Annex B — PII Processor | | | |
TOTAL | | | |

Overall Audit Conclusion:
☐ RECOMMEND CERTIFICATION
☐ CONDITIONAL (corrective actions required)
☐ DO NOT CERTIFY (major nonconformities)

Signatures
Lead Auditor: Signature & Date ____________________
DPO / Privacy Officer: Signature & Date ____________________
Top Management Representative: Signature & Date ____________________
