ISO 27701 & GDPR Readiness Assessment Audit

Our ISO/IEC 27701 and GDPR Readiness Assessment Audit provides a structured and independent evaluation of your organization’s privacy governance, personal data protection practices, and Privacy Information Management System (PIMS). The assessment measures alignment with ISO/IEC 27701 and the General Data Protection Regulation (GDPR), helping organizations understand their current level of compliance, identify control gaps, and strengthen accountability for personal data processing.

The audit focuses on how privacy requirements are implemented across governance, operational processes, third-party relationships, and supporting technical and organizational controls. Through document review, stakeholder interviews, and evidence-based validation, the engagement provides a clear view of privacy risk exposure, regulatory alignment, and data protection maturity.

Stage 1: Audit Scoping

This stage defines the scope, context, and boundaries of the privacy audit. It identifies the relevant business processes, systems, stakeholders, and data processing activities that must be reviewed as part of the ISO 27701 and GDPR assessment.

  • Applicability Assessment: Determination of how ISO/IEC 27701 and GDPR requirements apply to the organization’s activities, services, and processing operations.
  • Organizational Scope Definition: Identification of departments, services, systems, locations, and processes included within the audit scope.
  • Roles and Responsibilities Review: Mapping of responsibilities for privacy governance, data protection, compliance oversight, and operational ownership.
  • Personal Data Processing Identification: Identification of key activities involving the collection, use, storage, sharing, transfer, and deletion of personal data.
  • Documentation Scope Definition: Identification of relevant policies, procedures, records, notices, registers, and governance documents required for assessment.
  • Audit Criteria Establishment: Definition of assessment criteria, audit methodology, communication workflow, and evidence requirements.

Deliverable: An approved Audit Scoping Document defining the audit scope, stakeholders, assessment criteria, and planned audit activities.

Stage 2: Readiness Assessment

This stage evaluates the design, implementation, and effectiveness of privacy controls against ISO/IEC 27701 and GDPR requirements. The assessment is based on documentation review, interviews, and validation of operational practices to identify compliance gaps and measure the maturity of the organization’s privacy management system.

  • Privacy Governance Review: Assessment of governance structure, accountability, reporting lines, and oversight for personal data protection.
  • Personal Data Lifecycle Review: Analysis of how personal data is collected, processed, stored, shared, retained, and securely deleted.
  • Lawful Basis and Purpose Evaluation: Review of the legal basis for processing and the application of purpose limitation principles.
  • Data Flow and Storage Analysis: Verification of data locations, transfer mechanisms, storage environments, and applied protection measures.
  • Data Subject Rights Handling: Evaluation of processes supporting access, rectification, erasure, restriction, objection, and portability requests.
  • Third-Party Processing Assessment: Review of external processors, data-sharing arrangements, contracts, and governance controls.
  • Policy and Documentation Review: Examination of privacy notices, internal policies, procedures, registers, and operational records.
  • Control Effectiveness Evaluation: Assessment of technical and organizational measures designed to protect personal data and support privacy compliance.

The assessment typically covers the following domains:

  • Privacy governance and accountability
  • Records of processing activities and data inventory
  • Lawful basis and processing transparency
  • Data subject rights management
  • Retention and data lifecycle management
  • Third-party and processor oversight
  • Privacy risk management and internal controls
  • Technical and organizational data protection measures
  • Personal data breach handling and response
  • Alignment of privacy documentation with ISO 27701 and GDPR

Deliverable: The Readiness Assessment Report, including:

  • Assessment of alignment with ISO/IEC 27701 and GDPR
  • Identification of compliance gaps and control weaknesses
  • Evaluation of privacy governance and process maturity
  • Prioritized findings and improvement opportunities
  • Executive summary of key risks, observations, and recommended next steps

Stage 3: Remediation Roadmap

This stage translates the assessment results into a structured and actionable remediation plan. The roadmap defines the measures required to improve privacy governance, strengthen controls, and support ongoing alignment with ISO 27701 and GDPR.

  • Prioritized Remediation Actions: Development of a structured list of corrective actions based on risk, compliance impact, and implementation priority.
  • Ownership and Responsibility Allocation: Identification of responsible roles, control owners, and supporting functions for each action.
  • Documentation and Control Improvements: Definition of required updates to policies, procedures, notices, contracts, registers, and governance records.
  • Operational and Technical Enhancements: Identification of improvements in organizational and technical data protection measures.
  • Implementation Sequencing: Practical guidance on prioritization, planning, and execution order.
  • Requirement Mapping: Clear linkage between remediation actions and the relevant ISO 27701 and GDPR requirements.

Deliverable: A detailed Corrective Action Plan providing a clear, structured path toward improved privacy management, stronger data protection controls, and enhanced regulatory alignment.

Basis of Work

The audit is performed using recognized privacy, information security, and regulatory references to ensure a consistent and defensible assessment methodology.

  • ISO/IEC 27701: Privacy Information Management System (PIMS) guidance and requirements.
  • Regulation (EU) 2016/679: General Data Protection Regulation (GDPR).
  • ISO/IEC 27001:2022: Information Security Management Systems — Requirements.
  • ISO/IEC 27002:2022: Information security controls (the reference control set used to assess the technical and organizational measures supporting the PIMS).
  • Applicable Internal Policies and Procedures: Organizational governance documents, privacy procedures, and supporting control frameworks.

This approach helps align regulatory requirements with established information security and privacy practices, supporting organizations in strengthening privacy governance and maintaining effective data protection controls across the business.

Frequently Asked Questions

  • What is ISO 27701:2025?

    ISO/IEC 27701:2025 is a privacy information management standard that helps organizations manage personal data and support compliance with privacy regulations, while aligning with or integrating into an ISO/IEC 27001-based management system.

  • How does ISO 27701:2025 support GDPR compliance?

    It provides a structured, auditable framework for managing personal data, helping organizations demonstrate accountability and meet key GDPR requirements such as data protection by design, records of processing, and data subject rights.

  • Is ISO 27701:2025 certification mandatory for GDPR compliance?

    No. GDPR does not require certification against any ISO standard. ISO 27701:2025 certification is voluntary, but it supports GDPR compliance by providing recognized practices for privacy management and independent evidence of accountability.

  • What are the main benefits of ISO 27701:2025?

    It enhances privacy controls, strengthens compliance with regulations, and builds trust with stakeholders.

  • Who should implement ISO 27701:2025?

    Organizations that process personal data and want to improve their privacy management and compliance with global standards like GDPR.

  • Does ISO 27701:2025 cover all GDPR requirements?

    No. It addresses most key areas, such as data processing, data subject rights, and security controls, but legal obligations under GDPR must still be verified directly against the regulation rather than assumed from certification.

  • What’s the difference between ISO 27701:2025 and GDPR?

    ISO 27701:2025 is a standard that sets requirements and guidance for privacy management and can be certified against, while GDPR is a legally binding regulation governing the processing of personal data of individuals in the EU, regardless of where the processing organization is established.

  • How long does it take to implement ISO 27701:2025?

    It depends on the organization’s size and current privacy practices, but typically it takes several months.

Get Started Today!
Contact us today to schedule a consultation or a security assessment!