Privacy in the World of ISO 42001
Artificial intelligence handles a wide array of data types, under different use cases, in industry sectors with different considerations, and across diverse regulatory and legal jurisdictions. This post focuses on privacy data and on some of the ISO standards that enable responsible privacy management, in ways you may not understand until you have already broken the rules with your AI system and put your organization at risk.
PRO TIP: ISO 42001, Appendix D.2 Integration of AI Management System with Other Management Systems identifies that an ISO 27701 Privacy Information Management System can be implemented with ISO 42001 as an integrated management system. However, you do not have to formally implement ISO 27701 to leverage the Annex A privacy controls that can help you protect privacy data.
ISO 29100:2024 Privacy Framework
First published in 2011, amended slightly in 2018, and updated with minor revisions in 2024, this standard addresses areas like privacy actors, policies, use of privacy controls, and publishes the eleven (11) Privacy Principles (Clause 6). Many of the principles exist in national laws.
PRO TIP: The Privacy Principles in ISO 29100 can help you formulate and de-conflict your Responsible AI principles. It is the smart thing to do. Various ISO 42001 Annex A controls require you to understand, implement, and monitor your Responsible AI objectives, which may overlap with the privacy management domain, to include: A.6.1.2 Objectives for Responsible Development of AI System; A.6.1.3 Processes for Responsible AI System Design and Development; A.9.2 Processes for Responsible Use of AI Systems; A.9.3 Objectives for Responsible Use of AI System.
ISO 27701:2025 Privacy Information Management Systems – Requirements and Guidance
The Privacy Information Management System (PIMS) was just updated a couple of weeks ago, and the new controls defined in Annex A can help your organization mitigate the risks to privacy data in AI systems. This includes controls for PII Controllers, controls for PII Processors, and a new representation of the privacy control extensions to the ISO 27002:2022 Annex A control set.
PRO TIP: Make sure you understand the degree to which your AIMS scope aligns with your PIMS scope. Privacy systems, like an HR platform, may be in your ISO 27701 scope, but may not be included within your AIMS scope. Also, your organization should consider how you will evidence privacy management in the AIMS Annex A controls, to include A.2.3 Alignment with Other Organizational Policies; A.5.4 Assessing AI System Impact on Individuals or Groups of Individuals (See also ISO 42005).
ISO 27018:2025 Guidelines for Protection of Personally Identifiable Information (PII) in Public Clouds Acting as PII Processors
Most AI systems are implemented in cloud environments. This standard was recently updated and aligns with the ISO 27002 Annex A controls. Like ISO 27017, which addresses cloud security, ISO 27018 is focused on privacy in cloud service environments. This standard is focused on defining the PII Controller and PII Processor roles. Of note, pay attention to Annex A – Public Cloud PII Processor Extended Control Set for PII Protection.
PRO TIP: Control implementations in a cloud services environment can be very different. Controls can be bifurcated through the shared responsibility model. Examples of controls that are supplemented include A.5.26 Response to Information Security Incidents Privacy; A.8.13 Information Backup; A.8.15 Logging; A.8.24 Use of Cryptography.
ISO 27557:2022 Application of ISO 31000:2018 for Organizational Privacy Risk Management
ISO 31000:2018 is the foundational risk management process model used by other ISO risk standards, to include ISO 23894:2023 Artificial Intelligence - Guidance on Risk Management. This standard addresses risk assessment (identify, analyze, evaluate), risk treatment, monitoring and review, along with recording and reporting.
PRO TIP: Pay particular attention to each of the four annex sections. Annex A helps you with PII processing identification; Annex B provides example privacy events and causes; Annex C will be particularly applicable to your AI System Impact Assessment (ISO 42005); while Annex D provides a representative severity scale for privacy impacts on individuals.
ISO 27563:2023 Security and Privacy in Artificial Intelligence Use Cases – Best Practices
This publication supplements ISO 24030:2024 Artificial Intelligence (AI) – Use Cases, which has a collection of generalized use cases listed in Clause 6 Use Cases, and Clause 7 Use Case Summaries, which span 18 industry sectors.
PRO TIP: Use cases change how privacy data is collected, how it will be processed, prospective threats, and how to protect the use case. Of note, Annex A extends the ISO 24030 collection and analysis of use cases.
ISO 27091 (DIS) Cybersecurity and Privacy – Artificial Intelligence – Privacy Protection
My access to this publication is based on ISO Steering Committee 27 (SC 27) Information Security, Cybersecurity, and Privacy Protection membership. ISO 27091 exists as a Draft International Standard (DIS). Pending voting within ISO, it may be made available soon for public comment. At a high level, this publication addresses privacy threats in AI models, privacy risks within AI systems, and how to address privacy engineering in the AI system life cycle (See ISO 5338).
PRO TIP: When available, you should use this standard with ISO 27557 as you develop your Privacy Risk Assessment or update any existing Privacy Risk Assessment to account for use within an AI System. (See ISO 27701, Clause 8.2 Privacy Risk Assessment. Also see, ISO 42001, Clause 8.2 AI Risk Assessment and 8.4 AI System Impact Assessment)
ISO Steering Committee 27
ISO Steering Committee 27 (SC27) oversees the world of information security, cybersecurity, and privacy protection. SC27 manages all of the applicable standards, which can be found here. There are 5 working groups (WGs):
WG 1: Information Security Management Systems
WG 2: Cryptography and Security Mechanisms
WG 3: Security Evaluation, Test, and Specifications
WG 4: Security Controls and Services
WG 5: Identity Management and Privacy Technologies
Working Group 5 is responsible for the privacy management standards within the ISO 27700-series, along with the ISO 29000-series publications that address privacy, such as ISO 29100:2024 Security Techniques - Privacy Framework.
NOTE: PROCESS 360 is a voting member of the U.S. Technical Advisory Group (TAG), which drafts, approves, and updates the full suite of SC27 standards. The Company is a member of all 5 working groups, to include WG5.
ISO 27701 & ISO 27706 Published
After an extended review and update process, ISO 27701 and ISO 27706 have been published together. This sets up a three-year transition period for organizations that currently hold an ISO 27701 certificate. ISO 27706 significantly revises the audit and certification of a Privacy Information Management System, to include the qualifications for certification auditors. Here are some of the major highlights:
It also brings the standard into alignment with the Annex A security controls in ISO 27001:2022, along with a collection of privacy controls for PII controllers and processors.
In October 2025, ISO officially published the update to ISO/IEC 27701 Privacy Information Management Systems (PIMS) - Requirements and Guidance. ISO 27701:2025 has been renamed Information Security, Cybersecurity and Privacy Protection — Privacy Information Management Systems — Requirements and Guidance. The new edition of the PIMS establishes ISO 27701 as a stand-alone management system and no longer requires organizations to first hold an ISO 27001 ISMS certificate. Accordingly, the privacy component of an organization does not have to align the scope of the PIMS with the ISMS, and therefore different systems can exist in the scope of the two management systems. There are updates to the privacy controls for both PII controllers and PII processors. The new ISO 27706 PIMS also incorporates recent changes to ISO 29100:2024 Privacy Framework.
While the International Accreditation Forum (iaf.nu) has not provided specific guidance yet, all organizations that currently hold an ISO 27701 certificate will be required to transition not later than October 2028. Organizations should coordinate their transition with their respective certification bodies (CBs), who first need to complete internal training for their auditors, and gain approval of the accreditation body (AB) that oversees the CB.
ISO 27706:2025 replaces the prior ISO 27006-2 and is newly re-titled Information Security, Cybersecurity and Privacy Protection — Requirements for Bodies Providing Audit and Certification of Privacy Information Management Systems. Some of the more notable changes are found in the Annexes:
Annex A - Audit Time
Annex B - Methods for Audit Time Calculations
Annex C - Required Knowledge and Skills
NOTE: The new required knowledge and skills in Annex C may disqualify current certification auditors who do not meet the requirements for competence identified in the new ISO 27706.