Training Module
Auditing Privacy Risk & Controls (PIMS)
Audit data subject risk logic, lawful basis and purpose limitation, and rights handling effectiveness under ISO/IEC 27701

Move from privacy checklists to defensible judgements about data subject risk and control effectiveness
Privacy audits often pass on paper while individuals still face harm through unclear purposes, weak lawful basis decisions, or rights processes that fail under pressure. This module equips auditors to follow the privacy audit trail end-to-end and judge whether controls work in practice.
Training module overview
ISO/IEC 27701 introduces privacy-specific requirements and controls that change what “good evidence” looks like in audits: lawful basis decisions must be defensible, purposes must remain stable across systems and third parties, and rights handling must work reliably within required timeframes. In practice, audits often drift into document checking (policies, notices, registers) without testing whether the underlying processing reality matches what the organisation claims.
This audit add-on focuses on privacy risk and controls through the lens of the data subject. Participants learn how to evaluate the credibility of privacy risk logic, test lawful basis and purpose limitation across the processing lifecycle, and assess rights handling as an operational capability. The module is designed for internal auditors and third-party auditors (including certification bodies and independent assurance providers) and stays strictly within audit judgement and evidence—without re-teaching generic audit craft or generic risk methods.
Applicable environments
This module focuses on auditing clauses and controls that are specific to ISO/IEC 27701. It is intended for auditors working with organisations operating a privacy information management system (PIMS) according to this standard.
Target audience
Aspiring auditors who want to audit privacy information management systems against ISO/IEC 27701 following best practices
Practising ISO/IEC 27701 auditors who want to strengthen their audit knowledge, judgement, and effectiveness
Decision support
Is this module for you?
It is a good fit if you…
seek to audit privacy risk and controls from a data subject perspective.
are aiming to judge the credibility of lawful basis and purpose limitation logic.
focus on evidence for privacy controls working across the processing lifecycle.
are prepared to test rights handling under realistic volume and time pressure.
expect to strengthen audit conclusions on privacy control effectiveness.
If most of the points above apply, this module is likely a good fit.
It may not be the best fit if you…
prefer to design privacy frameworks or interpret legal requirements.
are looking for guidance on DPIAs, policies, or consent design.
focus primarily on advising on GDPR or privacy programme implementation.
do not intend to audit privacy risk and controls under ISO/IEC 27701.
Agenda
Audit framing for ISO/IEC 27701 privacy controls
Data subject risk logic (credibility tests, not risk method teaching)
Lawful basis: audit tests for defensibility and consistency
Purpose limitation: from statements to operational enforcement
Rights handling as an operational control
Control effectiveness patterns in privacy operations
Case-based audit simulation
Learning outcomes
Key outcomes
Trace privacy audit evidence from processing reality to data subject risk statements and control intent
Test whether lawful basis decisions are consistent, owned, and supported by operational evidence
Evaluate purpose limitation using change, sharing, and reuse scenarios rather than policy text alone
Additional capabilities
Assess rights handling as a working capability (timeliness, completeness, exceptions, and escalation)
Identify common systemic weaknesses in ISO/IEC 27701 implementations and differentiate them from isolated errors
Formulate audit conclusions that are defensible for both internal and third-party assurance contexts
Additional benefits
Learning materials
Slide deck
Participant workbook
Templates & tools
Practical, reusable artefacts to apply the module directly to your organisation.
PIMS audit trail map (processing → lawful basis/purpose → controls → evidence)
Evidence request checklist for lawful basis, purpose limitation, and rights handling
Red-flag catalogue for common ISO/IEC 27701 privacy control failures
Case-based sampling prompt set (including variants for controller vs processor contexts)
AI prompt set for evidence summarisation and inconsistency spotting (supporting, not replacing, judgement)
Confirmation
Certificate of completion
Module ID
HAM-DP-A-01
Domain
Audience
Auditor
Language
English
Delivery
Live virtual
Duration
3 h
List price
CHF 300
Excl. VAT. VAT may apply depending on customer location and status.
Delivery & learning format
Virtual live teaching
This module is delivered live, with a strong focus on discussion, practical application, and direct interaction with the instructor.
Sessions work through realistic examples, clarify concepts in context, and apply methods directly to participants’ organisational realities.
Custom delivery options
For organisations with specific constraints or learning objectives, the module can be adapted in format or scope, including in-house delivery and contextualised case material.
For an optimal learning experience
Preparation guidance
This module is designed as part of a modular training approach. Topics are deliberately distributed across modules and are not repeated in full, in order to avoid unnecessary redundancy. Each module is self-contained and can be taken on its own. Where prior knowledge or experience is helpful, this is indicated below so you can decide whether any preparation is useful for you.
Assumed background
This module assumes:
Ability to work with audit evidence, sampling decisions, and professional judgement in live audits
Working familiarity with ISO/IEC 27701 concepts and typical PIMS artefacts (e.g., processing records, privacy notices, rights workflows)
Basic understanding of privacy roles and multi-party processing (controller/processor) at the level needed to follow responsibilities and evidence
Preparatory modules
Foundational modules (depending on background)
Useful if you are new to the underlying concepts or want a shared baseline before attending this module.
Audit Foundations
Understand core audit mindset, evidence logic, materiality-based focus, and audit test plan design
7 h
PII Processing Context, Roles & Scope
Understand PII processing context, controller/processor roles, and practical PIMS scope boundaries under ISO/IEC 27701
7 h
Privacy Risk & Impact Assessment (DPIA)
Understand privacy risk assessment, impact reasoning, and DPIA documentation within an ISO/IEC 27701-aligned PIMS
7 h
Operational Privacy Controls
Understand role-based operational privacy controls and data subject rights handling within an ISO/IEC 27701-aligned PIMS
7 h
Supporting modules (optional)
Helpful if you want to deepen related skills, but not required to participate effectively.
Data Protection Fundamentals
A helicopter view of privacy roles, obligations, and mechanisms in organisations
7 h
Audit Execution: Communication & Interviewing
Learn the skills for effective interview planning, questioning, and conversation control for reliable audit evidence
7 h
Audit Reporting & Follow-up
Understand how to write evidence-based findings, structure audit reports, and follow up agreed actions to verified closure
7 h
Continuous learning
Follow-up modules
After completion of this module, the following modules are ideal to further deepen your competence. If you are looking for a structured learning path, modules can also be taken as part of a professional track.
Information Security Fundamentals I
Understand the core concepts behind preventive controls, including access management, cryptography, secure configuration, and protective design
Duration
7 h
List price
CHF 750
Information Security Fundamentals II
Understand the core concepts behind detective and corrective controls, including logging and monitoring, incident response, backup, and recovery
Duration
7 h
List price
CHF 750

Ready to improve your management systems?
We support continuous improvement by embedding ISO requirements into everyday practice and daily operations.