ISO/IEC 27701:2019 is a 66 page document designed as a privacy extension to the better known ISO/IEC 27001:2013 and ISO/IEC 27002:2013 standards. It is written around two data privacy roles, the PII controller and the PII processor, with the data subject (the PII principal in ISO terminology) as the party whose PII the Privacy Information Management System (PIMS) protects. For each of the two roles it establishes PIMS requirements and guidance on how to meet the privacy and security requirements for protecting PII. The body is broken into clauses 5-8 (clause 5: requirements that extend ISO 27001; clause 6: guidance that extends ISO 27002; clauses 7 and 8: additional guidance for PII controllers and PII processors respectively), followed by Annexes A-F, which are heavily focused on mapping privacy controls to the aforementioned ISO 27k standards and to other privacy frameworks. If we look at clause 5, for example, it states that wherever ISO 27001:2013 refers to "information security", the requirement should be extended to cover the protection of privacy as affected by the processing of PII. It further states that organizations should determine their own role as a PII controller and/or PII processor in the context of applicable legislation, judgements, contractual agreements and internal policies, and that they should include among their interested parties those with an interest in or responsibility for the processing of PII, including the PII principals themselves. In this example, and in most others, you will see generic mapping to data privacy control objectives rather than prescriptive controls that have not already been defined in ISO 27001. Most organizations will jump straight to the Annexes to refer to the specific privacy control mappings, which can be used as a reference PIMS control set on their own or inserted into an existing ISO 27001/27002 controls matrix as an extension (certification to ISO 27701, however, is only available as an extension of an ISO 27001 certification).
ANNEXES Annex A outlines control objectives and controls for PII controllers. An example is objective A.7.2 (conditions for collection and processing), under which control A.7.2.1, Identify and document purpose, reads "the organization shall identify and document the specific purposes for which the PII will be processed", and control A.7.2.2, Identify lawful basis, requires the organization to determine, document and comply with the lawful basis for that processing. Annex D complements this set of controls with direct mappings to GDPR articles. Together they can be used to demonstrate to auditors and customers that you are following the GDPR framework in practice, with one caveat: Annex D is an informative mapping, so a certified PIMS is evidence of a GDPR programme rather than a GDPR certification in itself. Annex B identifies control objectives and controls for PII processors, while Annexes C and E are control mappings to ISO/IEC 29100 and ISO/IEC 27018/29151 respectively (Annex F explains how to apply 27701 to 27001 and 27002).
The open style of the controls is probably the biggest feature of the standard, in that it translates to many privacy frameworks, including NIST and OWASP Privacy. It is not as dense as some control standards are, and it is likely to remain a stable release for years to come.