Information security, cybersecurity and privacy protection - Requirements for bodies providing audit and certification of privacy information management systems (ISO/IEC 27706:2025)

This document specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701, in addition to the requirements contained within ISO/IEC 17021-1.
The requirements contained in this document are demonstrated in terms of competence and reliability by bodies providing PIMS certification. The guidance contained in this document provides additional interpretation of these requirements for bodies providing PIMS certification.
NOTE This document can be used as a criteria document for accreditation, peer assessment or other audit processes.

Requirements for bodies auditing and certifying information security management systems (ISO/IEC 27706:2025)

This document specifies, in addition to the requirements in ISO/IEC 17021-1, requirements and provides guidance for bodies that carry out audits and certifications of privacy information management systems (PIMS) according to ISO/IEC 27701.
The requirements contained in this document are demonstrated, in terms of competence and reliability, by bodies that carry out PIMS certifications. The guidance contained in this document provides additional interpretation of these requirements for bodies that carry out PIMS certifications.
NOTE This document can be used as a criteria document for accreditation, peer assessment or other audit processes.

Information security, cybersecurity and privacy protection - Requirements for bodies providing audit and certification of privacy information management systems (ISO/IEC 27706:2025)

This document specifies requirements and provides recommendations for bodies providing audit and certification of privacy information management systems (PIMS) in accordance with ISO/IEC 27701, in addition to the requirements contained in ISO/IEC 17021-1.
Bodies that certify PIMS demonstrate that they meet the competence and reliability requirements set out in this document. The recommendations contained in this document provide additional interpretation of these requirements for bodies certifying PIMS.
NOTE This document can be used as a reference document for accreditation, peer assessment or other audit processes.

Information security, cybersecurity and privacy protection - Requirements for bodies performing audit and certification of privacy information management systems (ISO/IEC 27706:2025)

General Information

Status: Published
Public Enquiry End Date: 14-Sep-2023
Publication Date: 12-Nov-2025
Technical Committee:
Current Stage: 6060 - National Implementation/Publication (Adopted Project)
Start Date: 29-Oct-2025
Due Date: 03-Jan-2026
Completion Date: 13-Nov-2025

Relations

Standard: SIST EN ISO/IEC 27706:2025
English language, 33 pages

Standards Content (Sample)


SLOVENIAN STANDARD
01 December 2025
Supersedes:
SIST-TS CEN ISO/IEC/TS 27006-2:2023
Information security, cybersecurity and privacy protection - Requirements for bodies performing audit and certification of privacy information management systems (ISO/IEC 27706:2025)
Information security, cybersecurity and privacy protection - Requirements for bodies providing audit and certification of privacy information management systems (ISO/IEC 27706:2025)
Requirements for bodies auditing and certifying information security management systems (ISO/IEC 27706:2025)
Information security, cybersecurity and privacy protection - Requirements for bodies providing audit and certification of privacy information management systems (ISO/IEC 27706:2025)
This Slovenian standard is identical to: EN ISO/IEC 27706:2025
ICS:
03.120.20 Product and company certification. Conformity assessment
35.030 IT Security
2003-01. Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.

EUROPEAN STANDARD EN ISO/IEC 27706

NORME EUROPÉENNE
EUROPÄISCHE NORM
October 2025
ICS 03.120.20; 35.030
Supersedes CEN ISO/IEC/TS 27006-2:2022
English version
Information security, cybersecurity and privacy protection - Requirements for bodies providing audit and certification of privacy information management systems (ISO/IEC 27706:2025)
Information security, cybersecurity and privacy protection - Requirements for bodies providing audit and certification of privacy information management systems (ISO/IEC 27706:2025)
Requirements for bodies auditing and certifying information security management systems (ISO/IEC 27706:2025)
This European Standard was approved by CEN on 22 March 2025.

CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for
giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical
references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to
any CEN and CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by
translation under the responsibility of a CEN and CENELEC member into its own language and notified to the CEN-CENELEC
Management Centre has the same status as the official versions.

CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and United Kingdom.

CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2025 CEN/CENELEC All rights of exploitation in any form and by any means reserved worldwide for CEN national Members and for CENELEC Members.
Ref. No. EN ISO/IEC 27706:2025 E
Contents
European foreword ... 3

European foreword
This document (EN ISO/IEC 27706:2025) has been prepared by Technical Committee ISO/IEC JTC 1
"Information technology" in collaboration with Technical Committee CEN-CENELEC/JTC 13
"Cybersecurity and Data Protection", the secretariat of which is held by DIN.
This European Standard shall be given the status of a national standard, either by publication of an
identical text or by endorsement, at the latest by April 2026, and conflicting national standards shall be
withdrawn at the latest by April 2026.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN-CENELEC shall not be held responsible for identifying any or all such patent rights.
This document supersedes CEN ISO/IEC/TS 27006-2:2022.
Any feedback and questions on this document should be directed to the users’ national standards
body/national committee. A complete listing of these bodies can be found on the CEN and CENELEC
websites.
According to the CEN-CENELEC Internal Regulations, the national standards organizations of the
following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria,
Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland,
Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of
North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and the
United Kingdom.
Endorsement notice
The text of ISO/IEC 27706:2025 has been approved by CEN-CENELEC as EN ISO/IEC 27706:2025
without any modification.
International Standard
ISO/IEC 27706
First edition
2025-10
Information security, cybersecurity and privacy protection — Requirements for bodies providing audit and certification of privacy information management systems
Information security, cybersecurity and privacy protection — Requirements for bodies providing audit and certification of privacy information management systems
Reference number ISO/IEC 27706:2025(en)
© ISO/IEC 2025

ISO/IEC 27706:2025(en)
© ISO/IEC 2025
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
© ISO/IEC 2025 – All rights reserved
Contents
Foreword ... v
Introduction ... vi
1 Scope ... 1
2 Normative references ... 1
3 Terms and definitions ... 1
4 Principles ... 3
5 General requirements ... 3
5.1 Legal and contractual matters ... 3
5.2 Management of impartiality ... 3
5.2.1 General considerations ... 3
5.2.2 Conflicts of interest ... 3
5.3 Liability and financing ... 3
6 Structural requirements ... 3
7 Resource requirements ... 3
7.1 Competence of personnel ... 3
7.1.1 General considerations ... 3
7.1.2 Determination of competence criteria ... 4
7.1.3 Evaluation processes ... 4
7.1.4 Other considerations ... 5
7.2 Personnel involved in the certification activities ... 5
7.3 Use of individual auditors and external technical experts ... 5
7.4 Personnel records ... 5
7.5 Outsourcing ... 5
8 Information Requirements ... 5
8.1 Public information ... 5
8.2 Certification documents ... 5
8.2.1 General ... 5
8.2.2 PIMS certification documents ... 5
8.3 Reference to certification and use of marks ... 5
8.4 Confidentiality ... 6
8.4.1 General ... 6
8.4.2 Access to organizational records ... 6
8.5 Information exchange between a certification body and its clients ... 6
9 Process requirements ... 6
9.1 Pre-certification activities ... 6
9.1.1 Application ... 6
9.1.2 Application review ... 6
9.1.3 Audit programme ... 6
9.1.4 Determining audit time ... 7
9.2 Planning audits ... 7
9.2.1 Determining audit objectives, scope and criteria ... 7
9.2.2 Audit team selection and assignments ... 7
9.2.3 Audit plan ... 7
9.3 Initial certification ... 8
9.3.1 General ... 8
9.3.2 Initial certification audit ... 8
9.4 Conducting audits ... 9
9.4.1 General ... 9
9.4.2 Specific elements of the PIMS audit ... 9
9.4.3 Audit report ... 9
9.5 Certification decision ... 10
9.6 Maintaining certification ... 10
9.6.1 General ... 10
9.6.2 Surveillance activities ... 10
9.7 Appeals ... 10
9.8 Complaints ... 10
9.9 Client records ... 11
10 Management system requirements for certification bodies ... 11
10.1 Options ... 11
10.2 Option A: General management system requirements ... 11
10.3 Option B: Management system requirements in accordance with ISO 9001 ... 11
Annex A (normative) Audit time ... 12
Annex B (informative) Methods for audit time calculations ... 17
Annex C (normative) Required knowledge and skills ... 22
Bibliography ... 24

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical activity.
ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations,
governmental and non-governmental, in liaison with ISO and IEC, also take part in the work.
The procedures used to develop this document and those intended for its further maintenance are described
in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types
of document should be noted. This document was drafted in accordance with the editorial rules of the
ISO/IEC Directives, Part 2 (see www.iso.org/directives or www.iec.ch/members_experts/refdocs).
ISO and IEC draw attention to the possibility that the implementation of this document may involve the
use of (a) patent(s). ISO and IEC take no position concerning the evidence, validity or applicability of any
claimed patent rights in respect thereof. As of the date of publication of this document, ISO and IEC had not
received notice of (a) patent(s) which may be required to implement this document. However, implementers
are cautioned that this may not represent the latest information, which may be obtained from the patent
database available at www.iso.org/patents and https://patents.iec.ch. ISO and IEC shall not be held
responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions
related to conformity assessment, as well as information about ISO's adherence to the World Trade
Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www.iso.org/iso/foreword.html.
In the IEC, see www.iec.ch/understanding-standards.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, Information security, cybersecurity and privacy protection, in collaboration with the
European Committee for Standardization (CEN) Technical Committee CEN/CLC/JTC 13, Cybersecurity and
data protection, in accordance with the Agreement on technical cooperation between ISO and CEN (Vienna
Agreement).
This first edition of ISO/IEC 27706 cancels and replaces ISO/IEC TS 27006-2:2021, which has been technically
revised.
The main changes are as follows:
— the title has been modified;
— the clause numbering has been aligned to ISO/IEC 17021 rather than ISO/IEC 27006-1, in accordance
with ISO/IEC 27701;
— Annexes A, B and C have been added.
Any feedback or questions on this document should be directed to the user’s national standards
body. A complete listing of these bodies can be found at www.iso.org/members.html and
www.iec.ch/national-committees.

Introduction
This document sets out requirements for bodies providing audit and certification of privacy information
management systems in accordance with ISO/IEC 27701.
This document is also intended to assist accreditation bodies and peer assessors in being able to assess the
minimum requirements for personnel competence in certification bodies and the processes of certification
in these certification bodies in an efficient and harmonized way.

International Standard ISO/IEC 27706:2025(en)
Information security, cybersecurity and privacy protection —
Requirements for bodies providing audit and certification of
privacy information management systems
1 Scope
This document specifies requirements and provides guidance for bodies providing audit and certification
of a privacy information management system (PIMS) according to ISO/IEC 27701, in addition to the
requirements contained within ISO/IEC 17021-1.
The requirements contained in this document are demonstrated in terms of competence and reliability
by bodies providing PIMS certification. The guidance contained in this document provides additional
interpretation of these requirements for bodies providing PIMS certification.
NOTE This document can be used as a criteria document for accreditation, peer assessment or other audit
processes.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes
requirements of this document. For dated references, only the edition cited applies. For undated references,
the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 17000, Conformity assessment — Vocabulary and general principles
ISO/IEC 17021-1:2015, Conformity assessment — Requirements for bodies providing audit and certification of
management systems — Part 1: Requirements
ISO/IEC 27701:2025, Information security, cybersecurity and privacy protection — Privacy information
management systems — Requirements and guidance
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 17000, ISO/IEC 17021-1,
ISO/IEC 27701, and the following apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1
certification document
document indicating that a client's privacy information management system conforms to ISO/IEC 27701 and
any supplementary documentation required under the management system
Note 1 to entry: This definition does not limit the number of documents collectively known as certification documents.
[SOURCE: ISO/IEC 27006-1:2024, 3.1, modified — the references to “information security management
system” have been changed to “privacy information management system” and ISO/IEC 27001 to
ISO/IEC 27701.]
3.2
personally identifiable information
PII
information that (a) can be used to establish a link between the information and the natural person to whom
such information relates, or (b) is or might be directly or indirectly linked to a natural person
Note 1 to entry: The “natural person” in the definition is the PII principal (3.4). To determine whether a PII principal is
identifiable, account should be taken of all the means which can reasonably be used by the privacy stakeholder holding
the data, or by any other party, to establish the link between the set of PII and the natural person.
[SOURCE: ISO/IEC 29100:2024, 3.7]
3.3
PII controller
privacy stakeholder (or privacy stakeholders) that determines the purposes and means for processing
personally identifiable information (PII) (3.2) other than natural persons who use data for personal purposes
Note 1 to entry: A PII controller sometimes instructs others [e.g. PII processors (3.5)] to process PII (3.8) on its behalf
while the responsibility for the processing remains with the PII controller.
[SOURCE: ISO/IEC 29100:2024, 3.8]
3.4
PII principal
data subject
natural person to whom the personally identifiable information (PII) (3.2) relates
[SOURCE: ISO/IEC 29100:2024, 3.9]
3.5
PII processor
privacy stakeholder that processes personally identifiable information (PII) (3.2) on behalf of and in
accordance with the instructions of a PII controller (3.3)
[SOURCE: ISO/IEC 29100:2024, 3.10]
3.6
privacy information management system
PIMS
management system which addresses the protection of privacy as potentially affected by the processing of
personally identifiable information (3.8)
[SOURCE: ISO/IEC 27701:2025, 3.23]
3.7
privacy impact assessment
privacy risk assessment
overall process of identifying, analysing, evaluating, consulting, communicating and planning the treatment
of potential privacy impacts with regard to the processing of personally identifiable information (3.2), framed
within an organization’s broader risk management framework
[SOURCE: ISO/IEC 29100:2024, 3.18]
3.8
processing of PII
operation or set of operations performed upon personally identifiable information (PII) (3.7)
Note 1 to entry: Examples of processing operations of PII include, but are not limited to, the collection, storage,
alteration, retrieval, consultation, disclosure, anonymization, pseudonymization, dissemination or otherwise making
available, deletion or destruction of PII.
[SOURCE: ISO/IEC 29100:2024, 3.21]

3.9
statement of applicability
documentation of all necessary controls and justification for the inclusion or exclusion of such controls
[SOURCE: ISO/IEC 27701:2025, 3.25]
4 Principles
The principles from ISO/IEC 17021-1:2015, Clause 4 shall apply.
5 General requirements
5.1 Legal and contractual matters
The requirements of ISO/IEC 17021-1:2015, 5.1 shall apply.
5.2 Management of impartiality
5.2.1 General considerations
The requirements of ISO/IEC 17021-1:2015, 5.2 shall apply.
5.2.2 Conflicts of interest
In addition to the requirements of ISO/IEC 17021-1:2015, 5.2.5, certification bodies shall not provide
consulting for management systems related to privacy, data protection (e.g. in the form of an external data
protection officer or data protection check) or privacy risk management.
Certification bodies may carry out the following activities without them being considered as consultancy or
having a potential conflict of interest:
a) providing only generic and publicly available information when arranging and participating as a
lecturer in training courses related to privacy information management systems, management systems
or auditing;
b) adding value during certification and surveillance audits, e.g. by identifying opportunities for
improvement, as they become evident during the audit.
5.3 Liability and financing
The requirements of ISO/IEC 17021-1:2015, 5.3 shall apply.
6 Structural requirements
The requirements of ISO/IEC 17021-1:2015, Clause 6 shall apply.
7 Resource requirements
7.1 Competence of personnel
7.1.1 General considerations
The requirements of ISO/IEC 17021-1:2015, 7.1.1 shall apply.

7.1.2 Determination of competence criteria
7.1.2.1 General
The requirements of ISO/IEC 17021-1:2015, 7.1.2 shall apply.
7.1.2.2 Generic competence requirements
The certification body shall define the competence requirements for each certification function as referenced
in ISO/IEC 17021-1:2015, Table A.1.
The certification body shall also take into account the requirements specified in Annex C, for the PIMS
technical areas.
The certification body shall consider the competence requirements for an audit team in information security
in accordance with the requirements in ISO/IEC 27701.
NOTE ISO/IEC 27006-1:2024, 7.1.3 provides competence requirements for information security.
7.1.3 Evaluation processes
7.1.3.1 General
The requirements of ISO/IEC 17021-1:2015, 7.1.3 shall apply.
7.1.3.2 Evaluating auditors
The certification body shall demonstrate that the auditors have the necessary knowledge and experience
through at least one of the following:
a) recognized PIMS-specific qualifications;
b) participation in PIMS training courses and attainment of relevant personal qualifications;
c) up-to-date professional development records;
d) PIMS audits witnessed by another competent and authorized PIMS auditor.
NOTE The knowledge and skills in privacy can include completion of PIMS audits under the supervision of other
qualified PIMS auditors, as well as specific knowledge and skills in privacy information management systems.
7.1.3.3 Selecting auditors
In addition to 7.1.3.1, the process for selecting auditors shall ensure that each auditor:
a) has practical workplace experience in privacy to act as auditor for PIMS;
b) has received training regarding PIMS audit and audit management, and demonstrated skills of auditing
a PIMS in accordance with ISO/IEC 27701;
c) maintains relevant and current knowledge and skills in privacy information management and auditing
through continual professional development.
7.1.3.4 Selecting technical experts
The process for selecting technical experts shall ensure that each technical expert:
a) has practical workplace experience in privacy to act as a technical expert;
b) maintains relevant and current knowledge and skills in privacy information management through
continual professional development.

7.1.4 Other considerations
The requirements of ISO/IEC 17021-1:2015, 7.1.4 shall apply.
7.2 Personnel involved in the certification activities
The requirements of ISO/IEC 17021-1:2015, 7.2 shall apply.
7.3 Use of individual auditors and external technical experts
The requirements of ISO/IEC 17021-1:2015, 7.3 shall apply.
7.4 Personnel records
The requirements of ISO/IEC 17021-1:2015, 7.4 shall apply.
7.5 Outsourcing
The requirements of ISO/IEC 17021-1:2015, 7.5 shall apply.
8 Information Requirements
8.1 Public information
The requirements of ISO/IEC 17021-1:2015, 8.1 shall apply.
8.2 Certification documents
8.2.1 General
The requirements of ISO/IEC 17021-1:2015, 8.2 shall apply.
8.2.2 PIMS certification documents
Certification documents shall include:
a) the phrase “privacy information management system”;
b) the role of the organization for each activity, product or service in scope (i.e. if the organization acts as
PII controller or PII processor or both);
c) the PII principals whose data are being processed for each activity, product or service in scope (e.g.
employees, customers);
d) the version of the statement of applicability (SoA) for the organization’s PIMS.
NOTE A change to the statement of applicability which does not change the coverage of the controls in the scope
of certification does not require an update of the certification documents.
Where no activity of the organization within the scope of the certification is undertaken at a defined physical
location at all, the certification document(s) shall state that all activities of the organization are conducted
remotely.
8.3 Reference to certification and use of marks
The requirements of ISO/IEC 17021-1:2015, 8.3 shall apply.

8.4 Confidentiality
8.4.1 General
The requirements of ISO/IEC 17021-1:2015, 8.4 shall apply.
8.4.2 Access to organizational records
Before the certification audit, the certification body shall ask the client to report if any PIMS related
information (such as PIMS records or information about design and effectiveness of controls) cannot
be made available for review by the audit team because it contains confidential or sensitive information.
The certification body shall determine whether the PIMS can be adequately audited in the absence of such
information. If the certification body concludes that it is not possible to adequately audit the PIMS without
reviewing the identified confidential or sensitive information, it shall advise the client that the certification
audit cannot take place until appropriate access arrangements are granted.
8.5 Information exchange between a certification body and its clients
The requirements of ISO/IEC 17021-1:2015, 8.5 shall apply.
9 Process requirements
9.1 Pre-certification activities
9.1.1 Application
9.1.1.1 General
The requirements of ISO/IEC 17021-1:2015, 9.1.1 shall apply.
9.1.1.2 Application readiness
The certification body shall not accept applications from the client where the client does not document and
implement a PIMS which conforms to the requirements of ISO/IEC 27701.
9.1.2 Application review
The requirements of ISO/IEC 17021-1:2015, 9.1.2 shall apply.
9.1.3 Audit programme
9.1.3.1 General
The requirements of ISO/IEC 17021-1:2015, 9.1.3 shall apply.
As part of the audit programme, remote auditing methods should be considered. Certification bodies can
refer to ISO/IEC TS 17012 for more information.
9.1.3.2 PIMS Controls
The audit programme for PIMS audits shall take the controls determined by the client in accordance with
ISO/IEC 27701:2025, 6.1.3 b) and c) into account.

9.1.4 Determining audit time
9.1.4.1 General
The requirements of ISO/IEC 17021-1:2015, 9.1.4 shall apply.
9.1.4.2 Audit time
The certification body shall determine the audit time to be spent on the ISO/IEC 27701 certification audits,
including initial certification, surveillance and re-certification.
The certification body shall use Annex A to determine the audit time.
9.2 Planning audits
9.2.1 Determining audit objectives, scope and criteria
9.2.1.1 General
The requirements of ISO/IEC 17021-1:2015, 9.2.1 shall apply.
9.2.1.2 Determining PIMS audit scope
The certification body shall ensure that the scope of certification to ISO/IEC 27701 is included within the
boundaries of the activities of the client as defined in the scope of the PIMS.
The certification body shall identify the role of the client with regard to PII controllers or PII processors, or both.
The certification body shall verify that the PII processing is within the scope of the client PIMS (see
ISO/IEC 27701:2025, 4.3).
Certification bodies shall ensure that the client’s privacy risk assessment and risk treatment reflect its
activities and extend to the boundaries of its activities as defined in the scope of the PIMS. Certification
bodies shall confirm that this is reflected in the client’s scope of their PIMS and statement of applicability.
9.2.1.3 Audit objectives
The audit objectives shall include ensuring that the client, based on the privacy risk assessment, has
identified the necessary controls.
9.2.2 Audit team selection and assignments
The requirements of ISO/IEC 17021-1:2015, 9.2.2 shall apply.
9.2.3 Audit plan
9.2.3.1 General
The requirements of ISO/IEC 17021-1:2015, 9.2.3 shall apply.
9.2.3.2 General considerations
The audit plan shall take the determined PIMS controls into account.

9.3 Initial certification
9.3.1 General
The requirements of ISO/IEC 17021-1:2015, 9.3 shall apply.
9.3.2 Initial certification audit
9.3.2.1 Stage 1
In this stage of the audit, the certification body shall obtain documentation on the design of the PIMS
covering the documentation required in ISO/IEC 27701.
As a minimum, the following information shall be provided by the client during stage 1 of the certification audit:
a) general information concerning the PIMS and the activities it covers;
b) a copy of the required PIMS documentation specified in ISO/IEC 27701 and, where required, other
associated documentation.
The certification body shall obtain sufficient understanding of the design of the PIMS in the context of the
client's organization, privacy risk assessment and treatment (including the controls determined), privacy
policy and objectives and, in particular, of the client's preparedness for the audit. This shall be used for
planning the stage 2 audit.
The results of stage 1 shall be documented in a written report. The certification body shall review the stage
1 audit report before deciding on proceeding with stage 2. The certification body shall confirm the stage 2
audit team members have the necessary competence. This may be done by the auditor leading the team that
conducted the stage 1 audit if deemed competent and appropriate.
NOTE Having a person from the certification body who is not involved in the audit reviewing the report, and who
decides to proceed and confirms the competence of the audit team members for stage 2, offers a degree of mitigation
for the risks involved. However, other risk mitigation measures can already be in place to achieve the same goal.
The certification body shall make the client aware of the further types of information and records that may
be required for detailed examination during stage 2.
9.3.2.2 Stage 2
Based on the findings documented in the stage 1 audit report, the certification body shall develop an audit
plan for the conduct of stage 2. In addition to evaluating the effective implementation of the PIMS, the
objective of stage 2 is to confirm that the client adheres to its own policies, objectives and procedures.
To do this, the audit shall focus on the client's:
a) top management leadership and commitment to the privacy objectives;
b) assessment of privacy related risks; the audit shall also ensure that the assessments produce consistent,
valid and comparable results, if repeated;
c) determination of controls based on the privacy risk assessment and risk treatment processes;
d) privacy performance and the effectiveness of the PIMS, evaluating these against the privacy objectives;
e) correspondence between the determined controls, the statement of applicability, the results of the
privacy risk assessment, the risk treatment process and the privacy policy and objectives;
f) implementation of controls taking into account the external and internal context and related risks, and
the organization's monitoring, measurement and analysis of privacy processes and controls, to determine
whether controls declared as being implemented are actually implemented and effective as a whole;

g) programmes, processes, procedures, records, internal audits and reviews of the PIMS effectiveness to
ensure that these are traceable to top management decisions and the privacy policy and objectives.
9.4 Conducting audits
9.4.1 General
The requirements of ISO/IEC 17021-1:2015, 9.4 shall apply.
9.4.2 Specific elements of the PIMS audit
The certification body audit team shall:
a) require the client to demonstrate that the assessment of privacy related risks is relevant and adequate
for the PIMS operation within the PIMS scope;
b) establish whether the client’s procedures for the identification, examination and evaluation of privacy
related risks and the results of their implementation are consistent with the client’s policy, objectives
and targets.
The certification body audit team shall also establish whether the procedures employed in the privacy risk
assessment are sound and properly implemented.
9.4.3 Audit report
9.4.3.1 In addition to ISO/IEC 17021-1:2015, 9.4.8, the audit report shall provide the following information
or a reference to it:
a) an account of the audit of the client's privacy risk analysis;
b) any privacy control sets used by the organization for comparison purposes as required by
ISO/IEC 27701:2025, 6.1.3;
c) description of the role of the client (i.e. PII controller, PII processor or both).
9.4.3.2 The audit report shall be sufficiently detailed to facilitate and support the certification decision. It
shall contain:
a) the significant audit trails followed and audit methodologies utilized;
b) a reference to the version of the statement of applicability and, where applicable, any useful comparison
with the results of previous certification audits of the client.
Completed questionnaires, checklists, observations, logs, or aud
...
