Define your ISO 27701 Audit Scope

Overview

Define your ISO 27701 audit scope to set the boundaries of the audit and identify the object in focus.

The object includes the people, data, systems, or product under review. Defining the ISO 27701 audit scope allows the auditors to focus on one aspect of the organization rather than the whole, so it is important to state the scope of review clearly for your given audit.

ISO 27701 Audit Scope

Determining your ISO 27701 audit scope requires your organization to specify the product, the data, the systems, vendors, location, department, internal and external parties, etc. in scope.

Since ISO 27701 is an extension of ISO 27001, the two scopes have to match and align. An ISO 27701 audit scope is usually defined around a specific business unit, service, or product. Refer to the companion article on ISO 27001 scope for more detail.

Processor vs Controller Scope

ISO 27701 provides controller- and processor-specific controls that help organizations overcome the challenges of privacy and security by establishing a point of connection between two different functions. The difference between the controller and processor classifications is straightforward: the former collects the information and provides the reason and means for it, and the latter is a service provider to the controller because it processes the data on the controller’s behalf.

It is important to determine the organization’s scope because of the different requirements for processors and controllers.

Generally, all organizations are controllers regarding their own employee data or marketing data; however, in the context of the ISO 27701 certification, employee or marketing data falls out of scope because it’s usually outside of the ISMS scope and confined to a specific business unit, service, or product.

The challenge is that a specific business unit, service, or product can be both a controller and a processor; for example, an organization may collect vendor- and client-related information and also perform data processing on behalf of clients or vendors. In those cases, the organization must comply with the requirements of both classifications.

A quick question to determine whether your organization is one or the other is:

Who is collecting the PII? If you collect PII directly from an individual, you are the controller.

If some other organization collects it on your behalf, you are the processor.

Read below for guidance on how to determine each scope item. A table listing each item is provided below to use as a template for this exercise.

Product(s) in scope

For a Software as a Service (SaaS) provider, the ISO 27701 audit scope is typically the software application(s) offered to clients. Some organizations have multiple products, and it is important to define for your ISO 27001 and ISO 27701 what product is in focus and what product isn’t.

When conducting an ISO 27701 audit, it is important to determine the product(s) that fall within the scope of the audit. ISO 27701 is a privacy information management system standard that focuses on protecting personal data and ensuring compliance with privacy regulations. The products in scope for the audit will depend on the organization’s activities and the personal data it processes. This could include software applications, online platforms, physical products, or any other systems that involve the collection, storage, or processing of personal data.

It is essential to identify and assess these products to ensure they meet the requirements outlined in ISO 27701 and effectively protect individuals’ privacy rights. By including the relevant products in the audit scope, organizations can identify any gaps or areas for improvement in their privacy management practices and take appropriate measures to address them.

Data in scope

In order to identify the data in the ISO 27701 audit scope, the ideal step is to focus on the type of data and people that flow through the product or service identified. For a SaaS provider, it’s typically all the data held in it (i.e., customer data, etc.) and the people that support it, such as vendors and employees.

Systems in scope

To identify all your systems in scope, take an inventory of the various systems and internal controls that are critical to delivering your service or product in scope. This includes email and Slack. The key is to focus on the systems and tools that are essential to delivering your service or product. Production systems have a direct impact on your product or service, unlike non-production systems.

For HR systems, focus on systems that manage employee onboarding and training processes. Everything else, such as time off requests and benefits, is out of scope since it is not critical to delivering a service or product.

For a SaaS provider, it is typically all the infrastructure that hosts the product and the tooling that supports it, such as AWS, GitHub, Jira, etc.

Vendors in scope

When conducting an ISO 27701 audit scope, it is crucial to consider the vendors that are in scope. Vendors play a significant role in the protection of personal information and the overall privacy management system. These vendors may include cloud service providers, data processors, or any third-party entities that have access to the organization’s personal data.

By including vendors in the audit scope, organizations can ensure that their privacy management practices extend beyond their own internal systems. This comprehensive approach allows for a thorough evaluation of how vendors handle personal information and whether they comply with ISO 27701 requirements. Therefore, it is essential to carefully identify and assess the vendors in scope to maintain a robust privacy management system.

In order to identify the vendors in the ISO 27701 audit scope, focus on the critical vendors, such as cloud hosting and production-related organizations, used to support the product or service in scope.

Internal and External Parties in scope

You need to list the needs and interests of all internal stakeholders (e.g., employees, Board of Directors) and external parties (e.g., customers, regulators, government) that are relevant to your ISMS and PIMS.

Relevant laws and regulations in scope

You need to list the laws and regulations relevant to information security and privacy for your business and describe how you intend to fulfill those requirements.

Physical Office / location in scope

There is no mandatory requirement to include an organization's headquarters in the ISO 27701 audit scope. Physical locations can usually be carved out of the scope. However, an office site can be added depending on its relevance to the ISMS (e.g., whether it hosts a server or serves as a satellite office).

Scoping guidance template

Scope item                     Scoping guidance
Product(s)                     Provide a detailed description of your organization's products or services, focusing on the product or service under review.
Data                           Provide the type of data and people that flow through the product or service under review.
Systems                        Provide a list of systems / tools that flow through or support the product or service under review.
Vendors                        Provide the list of critical vendors and sub-processors being used to support the product or service under review.
Internal and external parties  Provide a list of internal and external parties with needs relevant to the ISMS-PIMS.
Laws and regulations           Provide a list of relevant laws and regulations regulating the product or service under review.
Locations                      Provide a list of locations serving as operation centers to support the product or service under review.

Making your ISO 27701 scope a privacy story, not just a boundary line

A well‑defined ISO 27701 audit scope should read like a clear privacy story about your business, not just a list of systems and teams. Instead of starting with “everything in IT,” begin with the specific products, services, and processes where you actually handle personal data for customers, partners, or users. For many SaaS organizations, that means centering the scope on one or more customer‑facing applications and the supporting infrastructure, not the entire company.

From there, identify which categories of personal data flow through those products (for example, account details, usage logs, support tickets) and which internal functions materially influence how that data is processed (like engineering, operations, or customer success). This approach keeps the scope tight enough to be practical but rich enough that your PIMS reflects how privacy really works in your environment.

Once you know the “what” and “where,” refine the scope using roles, vendors, and laws as lenses. Clarify whether, for each in‑scope product, you act as a controller, processor, or both; this directly shapes which ISO 27701 clauses and annex controls apply. Then trace the ecosystem around that product: critical cloud hosting, monitoring, support, or analytics vendors that touch in‑scope personal data should be explicitly included so third‑party risk does not become a blind spot.

Finally, anchor the scope to the privacy regulations that matter for that context (GDPR, CCPA/CPRA, or others) so your PIMS can be used to demonstrate compliance against real legal obligations, not just the standard in isolation. Done well, your ISO 27701 scope becomes a concise map: here is the data we care about most, here is who touches it, and here is the privacy promise we are ready to prove.
