ISO 27701 Clause 5.6 Explained: Key Operational Requirements

ISO 27701 Clause 5.6 deals with the practice of controlling the processes, controls and procedures that are necessary to operate with a robust privacy protection plan and privacy information management system.

Operational planning covers a broad range of topics – from structured change management activities to privacy protection risk assessments and risk treatment plans that improve the security of PII within the boundaries of the organisation’s network.

What’s Covered in ISO 27701 Clause 5.6

ISO 27701 Clause 5.6 features three sub-clauses that rely on accompanying guidance within ISO 27001:

  • ISO 27701 5.6.1 – Operational planning and control (References ISO 27001 Control 8.1)
  • ISO 27701 5.6.2 – Information security risk assessment (References ISO 27001 Control 8.2)
  • ISO 27701 5.6.3 – Information security risk treatment (References ISO 27001 Control 8.3)

ISO 27701 5.6 contains no other guidance points that specifically deal with the implementation of a PIMS – instead focusing its attention more broadly on organisational privacy protection – nor does it feature any adjoining GDPR articles.

ISO 27701 Clause 5.6.1 – Operational Planning and Control

References ISO 27001 Control 8.1

ISO 27701 Clause 5.6.1 outlines ISO’s broader approach to privacy protection planning. Organisations should ‘plan, implement and control’ any internal procedures or processes that are relevant to privacy protection and to the storage and processing of PII (see ISO 27001 6.1 & 6.2).

ISO also asks organisations to retain documented information that evidences adherence and change across organisational privacy protection controls, including any outsourced activities.

Planning also extends to change management. ISO requires organisations to manage any internal changes so as to minimise the risk to PII, and to evaluate any unintended consequences arising from purposeful or inadvertent changes.

Relevant ISO 27001 Controls

  • 6.1 – Actions to address risks and opportunities
  • 6.1.2 – Information security risk assessment
  • 6.2 – Information security objectives and planning to achieve them

ISO 27701 Clause 5.6.2 – Information Security Risk Assessment

References ISO 27001 Control 8.2

Organisations need to carry out periodic privacy protection risk assessments at key stages of the operation – such as a major change, or immediately after a security incident.

As with all PII-related activities, organisations should thoroughly document every risk assessment, both to improve their overall information security operation and to be able to provide sufficient evidence to legal and regulatory authorities should the need arise.

Relevant ISO 27001 Controls

  • 6.1.2 – Information security risk assessment

ISO 27701 Clause 5.6.3 – Information Security Risk Treatment

References ISO 27001 Control 8.3

In addition to periodic risk assessments, organisations should also enact a privacy protection ‘risk treatment plan’, containing recommendations that reduce the likelihood and/or impact of any risks inherent in the storage and processing of PII.

Supporting Controls From ISO 27001 and GDPR

ISO 27701 Clause Identifier | ISO 27701 Clause Name                 | ISO 27001 Requirement                                    | Associated GDPR Articles
5.6.1                       | Operational Planning and Control      | 8.1 – Operational Planning and Control for ISO 27001     | None
5.6.2                       | Information Security Risk Assessment  | 8.2 – Information Security Risk Assessment for ISO 27001 | None
5.6.3                       | Information Security Risk Treatment   | 8.3 – Information Security Risk Treatment for ISO 27001  | None

How ISMS.online Helps

With your PIMS instantly accessible to interested parties, it’s never been easier to monitor, report and audit against both ISO 27001 and ISO 27701 at the click of a button.

Find out how much time and money you’ll save on your journey to a combined ISO 27001 and 27701 certification using ISMS.online.

See it live with ISMS.online by booking a demo.

Max Edwards

Max works as part of the ISMS.online marketing team and ensures that our website is updated with useful content and information about all things ISO 27001, 27002 and compliance.