Understanding ISO 27701 Clause 5.5.5: Documented Information Requirements

Document control is a crucial part of any privacy protection system, or indeed any broader information security policy.

Throughout its various standards, ISO recognises document management as an ongoing process that is used to demonstrate adherence both to ISO standards and to the organisation’s own privacy protection objectives.

ISO asks organisations to not merely view documented information as an administrative function, but instead use it as a recurring means to improve privacy protection adherence through the structured storage of guidelines that provide clear direction on PII-related activities.

What’s Covered in ISO 27701 Clause 5.5.5

ISO 27701 5.5.5 deals with documented information through three sub-clauses. Each covers a different set of privacy- and PII-specific guidance points that link back to ISO 27001:

  • ISO 27701 Clause 5.5.5.1 – General (References ISO 27001 Control 7.5.1)
  • ISO 27701 Clause 5.5.5.2 – Creating and updating (References ISO 27001 Control 7.5.2)
  • ISO 27701 Clause 5.5.5.3 – Control of documented information (References ISO 27001 Control 7.5.3)

ISO 27701 5.5.5 doesn’t contain any supplementary guidance on PIMS-specific requirements, nor is it particularly relevant to any specific GDPR articles.







ISO 27701 Clause 5.5.5.1 – General

References ISO 27001 Control 7.5.1

The organisation’s PIMS should include documented information that:

  • Is required for ISO 27701 and ISO 27001 adherence;
  • Improves the efficiency of the PIMS and accompanying privacy protection systems.

ISO 27701 Clause 5.5.5.2 – Creating and Updating

References ISO 27001 Control 7.5.2

Throughout the process of drafting and amending documentation, organisations should:

  1. Include a clear identifying field, with an accompanying description;
  2. Ensure that documents are formatted correctly and are available from the appropriate sources – both physical and electronic;
  3. Adhere to a structured amendment process that reviews documents based on their ability to convey the relevant information.






ISO 27701 Clause 5.5.5.3 – Control of Documented Information

References ISO 27001 Control 7.5.3

Organisations should exercise adequate levels of control and security over their internal document structure to ensure that documents are:

  • Accessible, as and when required, by the relevant authorities and/or personnel;
  • Secure and protected against unauthorised use, breach of confidentiality or any other loss of data integrity.

ISO 27701 Control 5.5.5 asks organisations to consider four main activities when exercising control over privacy protection-related documents:

  1. Distribution (including access and use).
  2. Storage (including document preservation).
  3. Version controls.
  4. Retention.

Alongside the management of internal documents, ISO asks organisations to consider how best to manage their interactions with and control of external documents that are required for the planning and implementation of a PIMS or other privacy/PII-related activities.

Supporting Controls From ISO 27001 and GDPR

| ISO 27701 Clause Identifier | ISO 27701 Clause Name | ISO 27001 Requirement | Associated GDPR Articles |
|---|---|---|---|
| 5.5.5.1 | General | 7.5.1 – General Documentation for ISO 27001 | None |
| 5.5.5.2 | Creating and Updating | 7.5.2 – Creating and Updating Documented Information for ISO 27001 | None |
| 5.5.5.3 | Control of Documented Information | 7.5.3 – Control of Documented Information for ISO 27001 | None |

How ISMS.online Helps

In order to achieve ISO 27701 you must build a Privacy Information Management System (PIMS).

With our preconfigured PIMS you can quickly and easily organise and manage customer, supplier and staff information to fully comply with ISO 27701.

See it in action by booking a demo.



Max Edwards

Max works as part of the ISMS.online marketing team and ensures that our website is updated with useful content and information about all things ISO 27001, 27002 and compliance.
