Overview of PIMS
What is a PIMS?
In recent years, privacy regulation has been strengthened worldwide, the GDPR (EU General Data Protection Regulation) being the best-known example. To comply with these legal requirements, organizations must establish a comprehensive management framework for handling personal information.
A PIMS is a comprehensive management system designed to manage the risks associated with the processing of Personally Identifiable Information (PII) (Note), such as its collection, use, storage, and processing, and to implement privacy protection in response to these international trends.
Note: Personally identifiable information (PII)
Information that (a) can be used to establish a link between the information and the natural person to whom such information relates, or (b) is or might be directly or indirectly linked to a natural person.
(Definitions in ISO/IEC 29100 Privacy Framework)
Overview of ISO/IEC 27701:2025
ISO/IEC 27701:2025 is an international standard that specifies requirements and provides guidance for establishing, implementing, maintaining, and continually improving a Privacy Information Management System (PIMS). It requires organizations to manage privacy risks while taking information security into account.
The standard applies to PII controllers (Note 1) and PII processors (Note 2), i.e. organizations that handle PII, information that can be used to identify an individual. Applying the standard enables the processing of PII within an organization to be managed systematically.
Note 1: PII Controller
Privacy stakeholder (or privacy stakeholders) that determines the purposes and means for processing personally identifiable information (PII), other than natural persons who use data for personal purposes.
Note 2: PII Processor
Privacy stakeholder that processes personally identifiable information (PII) on behalf of, and in accordance with the instructions of, a PII controller.
(Definitions in ISO/IEC 29100 Privacy Framework)
Characteristics of ISO/IEC 27701
ISO/IEC 27701:2025 is an ISO management system standard and therefore follows the same harmonized structure as ISMS (ISO/IEC 27001), QMS (ISO 9001), and the other management system standards.
The PIMS defined in ISO/IEC 27701 describes two roles for organizations that process PII, PII controller and PII processor, and specifies requirements for the processing of PII corresponding to each role.
Other characteristics include:
When developing and operating a Privacy Information Management System, particular considerations should be given to the above points.
Although an ISMS (Information Security Management System), which was a prerequisite under ISO/IEC 27701:2019, is no longer mandatory, information security measures are still required. ISO/IEC 27701:2025 defines the term "information security program" as a "set of interrelated or interacting elements of an organization to establish policies and objectives, as well as processes to achieve those objectives", and its Note 1 states: "An information security program may, for example, be an information security management system based on ISO/IEC 27001." Accordingly, organizations that have been operating a management system based on ISO/IEC 27701:2019 can continue to operate their PIMS together with their ISMS.