# ISO 27701 PIMS Internal Audit

> Plan and document a PIMS-specific internal audit. Covers audit planning, execution checklist, findings, nonconformities, and corrective actions focused on privacy controls and PII processing compliance.



Tags: ISO 27701, Privacy, Audit, Internal Audit, PIMS, Compliance, ISO 19011


## Example Prompts

- Plan our PIMS internal audit
- Create an audit checklist for ISO 27701 compliance
- Document audit findings and corrective actions

URL: https://rakenne.app/skills/iso27701-pims-internal-audit/index.md

Try this skill: https://rakenne.app/a/?skill=iso27701-pims-internal-audit



## Overview

Plan and document a PIMS-specific internal audit covering the full audit lifecycle: planning (scope, objectives, criteria, schedule, and team), execution (clause-by-clause checklist for fieldwork), reporting (findings with nonconformity classification), and corrective actions. The PIMS internal audit extends the ISO 27001 internal audit (Clause 9.2) with a focus on ISO 27701 Clauses 5 through 8, Annex A controller controls, Annex B processor controls, PII processing compliance, and privacy rights fulfilment. This skill produces three deliverables: the audit plan, a detailed audit checklist, and the audit report with findings and corrective action plans.

### What It Covers

- **Audit Planning** — Objectives, scope (which PIMS clauses and controls), criteria, audit team with independence confirmation, schedule, methodology, and sampling strategy
- **Audit Checklist** — Clause-by-clause questions for ISO 27701 Clauses 5-8, Annex A controls, and Annex B controls, each with expected evidence and compliance status fields
- **Findings and Classification** — Major NC (systemic failure), Minor NC (isolated gap), OFI (opportunity for improvement), and Observation (positive finding or informational note)
- **Root Cause Analysis** — Why each nonconformity occurred, distinguishing between correction (immediate fix) and corrective action (systemic root cause fix)
- **Corrective Action Plans** — Action description, responsible owner, target deadline, and verification method for each nonconformity

## Example Conversation

> **You:** We need to conduct our first PIMS internal audit before our ISO 27701 certification audit. MedSecure Health Technologies — 200 employees, dual role as controller and processor, SaaS health data platform for hospital clients, with a patient engagement portal. We have all the PIMS documentation ready: PII inventory, controller and processor controls registers, PIMS SoA, privacy policy, and DPIAs.
>
> **Agent:** I'll help you plan and execute MedSecure's first PIMS internal audit. Since this is a pre-certification audit, the objectives should focus on confirming PIMS readiness and identifying gaps before the external auditors arrive.
>
> Let me load your PIMS SoA to determine the audit scope. From the SoA, I can see 48 controls are marked "In" (30 Annex A, 18 Annex B) and 1 control is "Out" (A.7.2.7 joint controller). The audit will cover:
>
> - ISO 27701 Clauses 5-8 (PIMS-specific requirements)
> - All 30 applicable Annex A controller controls
> - All 18 applicable Annex B processor controls
>
> For the audit team — who will be conducting the audit? Remember that auditors must not audit their own work.
>
> **You:** Our IT Security Manager (Sarah Chen) will lead the audit, supported by an external privacy consultant (Dr. Klaus Weber). Sarah was not involved in implementing the privacy controls — that was handled by our Privacy Manager. Dr. Weber has ISO 27701 Lead Auditor certification.
>
> **Agent:** Good — independence is confirmed. I'll now create the audit plan and checklist.
>
> I've written the audit plan to `output/PIMS-Audit-Plan.md` with a 3-day schedule:
> - Day 1: Document review (PIMS SoA, PII inventory, policies, DPIAs)
> - Day 2: Interviews and sampling (Privacy Manager, IT team, clinical support, HR)
> - Day 3: Technical verification and report drafting
>
> The checklist has been written to `output/PIMS-Audit-Checklist.md` with 87 audit questions organized by clause and control.
>
> Now, let me help you document the findings. Have you completed the fieldwork, or would you like me to create a template report with placeholder findings?
>
> **You:** We've done the fieldwork. Here are the findings: (1) The sub-processor register on our website was last updated 4 months ago but we added a new sub-processor 2 months ago — the website was not updated within 5 business days as our procedure requires. (2) We found that 3 out of 14 hospital client DPAs are still on version 2.1, which doesn't include the LGPD addendum — but those 3 clients are in Germany, not Brazil. (3) The DPIA for the patient engagement portal has not been reviewed since it was created 11 months ago, and our methodology says annual review. (4) The employee access reviews for the clinical support team happened on schedule and were well-documented — positive finding.
>
> **Agent:** I'll classify and document each finding:
>
> **NC-PIMS-001** (Minor NC): Sub-processor register not updated within the required 5 business days. The register on the website still shows 3 sub-processors when a 4th (DataSync Analytics) was engaged 2 months ago.
> - Root cause: No automated trigger links the sub-processor onboarding workflow to the public register update process.
> - Corrective action: Implement an automated notification in the sub-processor onboarding workflow that triggers a website update task.
>
> **NC-PIMS-002** (Minor NC): 3 of 14 hospital client DPAs on outdated version 2.1 without LGPD addendum.
> - Root cause: DPA version upgrade tracked manually in a spreadsheet; no systematic contract lifecycle management.
> - Note: While these 3 clients are German and do not require LGPD terms, the standard DPA should be consistent across all clients for operational simplicity and to ensure the latest security terms apply.
>
> **NC-PIMS-003** (OFI): Patient engagement portal DPIA approaching 12-month review deadline but not yet overdue.
> - This is an opportunity for improvement — the DPIA methodology specifies annual review, and the review should be scheduled proactively rather than reactively.
>
> **OBS-PIMS-001** (Observation): Clinical support team access reviews completed on schedule with comprehensive documentation. Good practice noted.
>
> I've written the audit report to `output/PIMS-Audit-Report.md`. Let me validate both documents.
>
> `check_pims_audit_plan_completeness` on `output/PIMS-Audit-Plan.md`:
>
> ```
> === PIMS AUDIT PLAN COMPLETENESS CHECK ===
> Section coverage: 8/8 (100%)
>
> --- PIMS SCOPE REFERENCES ---
>   Clause 5: Yes
>   Clause 6: Yes
>   Clause 7: Yes
>   Clause 8: Yes
>   Annex A: Yes
>   Annex B: Yes
>
> Errors: 0, Warnings: 0
> ```
>
> `check_pims_audit_report_completeness` on `output/PIMS-Audit-Report.md`:
>
> ```
> === PIMS AUDIT REPORT COMPLETENESS CHECK ===
> Section coverage: 8/8 (100%)
> NC records found: 3
>
> --- NC ANALYSIS ---
>   NC-PIMS-001: Minor NC | Root cause: Yes | Corrective action: Yes | Owner: Yes | Deadline: Yes
>   NC-PIMS-002: Minor NC | Root cause: Yes | Corrective action: Yes | Owner: Yes | Deadline: Yes
>   NC-PIMS-003: OFI | Root cause: Yes | Corrective action: Yes | Owner: Yes | Deadline: Yes
>
> --- FINDINGS ---
>   [INFO] Found 3 nonconformity record(s): NC-PIMS-001, NC-PIMS-002, NC-PIMS-003
>   [INFO] Finding summary — Major NC: 0, Minor NC: 2, OFI: 1, Observation: 0
>
> Errors: 0, Warnings: 0
> ```
>
> Both documents pass validation. The audit plan covers all required sections including PIMS-specific scope, and the report has complete NC analysis with root causes, corrective actions, owners, and deadlines for all findings. No major nonconformities were found — MedSecure is in good shape for the certification audit.

## Sample Output Excerpt

Below is a representative excerpt from the PIMS Audit Report showing the executive summary, findings, and corrective action plans.

---

# PIMS Internal Audit Report — MedSecure Health Technologies

**Audit ID:** PIMS-AUDIT-2026-001
**Audit Date:** 2026-03-17 to 2026-03-19
**Lead Auditor:** Sarah Chen (IT Security Manager)
**Co-Auditor:** Dr. Klaus Weber (External Privacy Consultant, ISO 27701 Lead Auditor)

## Executive Summary

This internal audit assessed MedSecure Health Technologies' Privacy Information Management System (PIMS) against ISO/IEC 27701:2019 requirements in preparation for certification. The audit covered ISO 27701 Clauses 5-8, all 30 applicable Annex A controller controls, and all 18 applicable Annex B processor controls.

**Overall conclusion:** The PIMS is substantially conformant. Two minor nonconformities and one opportunity for improvement were identified. No major nonconformities were found. The organization is recommended to proceed with the certification audit after addressing the corrective actions below.

| Finding Type | Count |
|-------------|:-----:|
| Major NC | 0 |
| Minor NC | 2 |
| OFI | 1 |
| Observation | 1 |

## Findings

### NC-PIMS-001 — Sub-processor register not updated (Minor NC)

**Clause/Control:** B.8.5.6 (Disclosure of sub-contractors used to process PII)
**Finding:** The public sub-processor register at medsecure.com/sub-processors lists 3 sub-processors. However, DataSync Analytics was engaged as a 4th sub-processor on 2026-01-15. The internal procedure IIP-001 requires the public register to be updated within 5 business days of a sub-processor change. The register was not updated as of audit date (60+ days overdue).
**Objective evidence:** Screenshot of public register (dated 2026-03-17) showing 3 entries. Sub-processor onboarding record for DataSync Analytics dated 2026-01-15.
**Root cause:** The sub-processor onboarding workflow does not include an automated trigger to update the public register. The update relies on a manual reminder that was missed.
**Correction:** Update the public sub-processor register immediately to include DataSync Analytics.
**Corrective action:** Add an automated task in the sub-processor onboarding workflow (Jira) that creates a website update ticket when a new sub-processor is approved. Assign to IT Operations.
**Owner:** Privacy Manager (Maria Santos)
**Deadline:** 2026-04-15
**Verification:** Auditor to confirm automated workflow exists and test with a mock sub-processor addition.

### NC-PIMS-002 — Outdated DPA versions (Minor NC)

**Clause/Control:** B.8.2.1 (Customer agreement)
**Finding:** 3 of 14 hospital client DPAs remain on version 2.1 (dated 2024-06). The current standard is version 3.2 (dated 2025-09), which includes updated security measures and an LGPD addendum. While the 3 affected clients (all German) do not require LGPD terms, they are missing the updated security clauses introduced in v3.0.
**Objective evidence:** DPA tracking spreadsheet showing versions per client. Comparison of v2.1 and v3.2 change log.
**Root cause:** No systematic contract lifecycle management. DPA version tracking relies on a manual spreadsheet with no renewal triggers.
**Correction:** Contact the 3 clients to execute updated DPA v3.2.
**Corrective action:** Implement contract lifecycle management with automated renewal reminders. Set policy that all DPAs must be on current version within 90 days of a new version release.
**Owner:** Legal Counsel (Dr. Thomas Braun)
**Deadline:** 2026-05-30
**Verification:** Auditor to confirm all 14 DPAs are on v3.2 and automated reminders are active.

### NC-PIMS-003 — DPIA review approaching deadline (OFI)

**Clause/Control:** A.7.2.5 (Privacy impact assessment)
**Finding:** The DPIA for the patient engagement portal (DPIA-002) was conducted on 2025-05-10 and has not been reviewed. The DPIA Methodology specifies annual review. While not yet overdue, the review should be scheduled proactively.
**Recommended action:** Schedule the DPIA-002 annual review for 2026-04-30. Add calendar reminders for all DPIAs at 10-month and 11-month marks.
**Owner:** Privacy Manager (Maria Santos)
**Deadline:** 2026-04-30

### OBS-PIMS-001 — Access reviews well-documented (Observation)

**Clause/Control:** B.8.4.1 (Privacy by design and default)
**Finding:** Quarterly access reviews for the clinical support team (12 persons) were completed on schedule for Q1, Q2, Q3, and Q4 2025. Each review includes a signed attestation, access matrix comparison, and remediation log for revoked access. Good practice noted.

## Follow-Up Schedule

| NC ID | Verification Date | Verification Method |
|-------|:-:|:-:|
| NC-PIMS-001 | 2026-04-30 | Review automated workflow and public register |
| NC-PIMS-002 | 2026-06-15 | Confirm all DPAs on v3.2, review CLM tool |
| NC-PIMS-003 | 2026-05-15 | Confirm DPIA review completed |


## Extension Tools

### `check_pims_audit_plan_completeness`

Validates that the PIMS audit plan contains all required structural sections and PIMS-specific scope references.

| Check | What It Validates |
|-------|-------------------|
| Audit objectives | Plan states what the audit aims to achieve |
| Audit scope | Plan specifies which PIMS clauses and controls are covered |
| Audit criteria | Plan references ISO 27701 clauses and organizational policies as criteria |
| Audit team | Plan identifies auditors by name or role |
| Auditor independence | Plan confirms auditors are not auditing their own work |
| Schedule / timeline | Plan includes audit dates and time allocation per area |
| Methodology | Plan describes the audit approach (document review, interviews, sampling, observation) |
| PIMS-specific scope | Plan references ISO 27701 Clauses 5-8 and/or Annex A/B controls |

Also checks for specific clause references (Clauses 5, 6, 7, 8) and annex references (Annex A, Annex B) to ensure the plan is PIMS-focused. Suggests a risk-based approach for prioritizing high-risk PII processing areas. Returns section coverage percentage (X/8) with severity-classified findings.

### `check_pims_audit_report_completeness`

Validates the PIMS audit report for structural completeness, proper nonconformity classification, root cause analysis, and corrective action coverage.

| Check | What It Validates |
|-------|-------------------|
| Executive summary | Report includes an overall audit conclusion and finding counts |
| Audit scope and methodology | Report describes what was audited and how |
| Findings / observations | Report documents audit findings per audited area |
| NC classification | Each finding is classified as Major NC, Minor NC, OFI, or Observation |
| Root cause analysis | Each nonconformity includes an explanation of why it occurred |
| Corrective action plans | Each NC has a described corrective action (systemic fix, not just immediate correction) |
| Action owners and deadlines | Each corrective action has a responsible person and target date |
| Follow-up schedule | Report includes a schedule for verifying corrective action effectiveness |

Additionally analyzes individual NC records (expecting NC-PIMS-NNN naming convention) and checks each for severity classification, root cause, corrective action, owner, and deadline. Major and Minor NCs require all elements; OFIs and Observations have lighter requirements. Returns section coverage percentage, NC count, and per-NC analysis.
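As an added illustration of the per-NC analysis described above (example code, not the tool's own implementation), the following Python parses `NC-PIMS-NNN` records in the report format shown in the excerpt and applies the rule that Major and Minor NCs need every element while OFIs and Observations need fewer. The sample report and the exact lighter requirement for OFIs and Observations are assumptions.

```python
import re
# Constructed sample in the report format shown above (not the tool's own output).
SAMPLE_REPORT = """\
### NC-PIMS-001 — Sub-processor register not updated (Minor NC)
**Root cause:** Onboarding workflow has no trigger for the public register.
**Corrective action:** Add an automated website-update task to onboarding.
**Owner:** Privacy Manager
**Deadline:** 2026-04-15
### NC-PIMS-002 — Outdated DPA versions (Minor NC)
**Correction:** Re-paper the three affected clients on DPA v3.2.
**Owner:** Legal Counsel
### NC-PIMS-003 — DPIA review approaching deadline (OFI)
**Recommended action:** Schedule the DPIA-002 annual review.
**Owner:** Privacy Manager
**Deadline:** 2026-04-30
"""

HEADING = re.compile(r"^### (NC-PIMS-\d{3}) .*\((Major NC|Minor NC|OFI|Observation)\)\s*$", re.M)
# Elements checked per record; a bare "Correction" (immediate fix) deliberately does not count.
FIELDS = {
    "root_cause": r"^\*\*Root cause:\*\*",
    "corrective_action": r"^\*\*Corrective action:\*\*",
    "owner": r"^\*\*Owner:\*\*",
    "deadline": r"^\*\*Deadline:\*\*",
}
# Major/Minor NCs need every element; the lighter sets for OFI/Observation are assumed.
REQUIRED = {
    "Major NC": set(FIELDS), "Minor NC": set(FIELDS),
    "OFI": {"owner", "deadline"}, "Observation": set(),
}

def analyse(report):
    """Map each NC-PIMS-NNN record to its severity and the elements it lacks."""
    heads = list(HEADING.finditer(report))
    result = {}
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(report)
        body = report[m.end():end]
        present = {f for f, pat in FIELDS.items() if re.search(pat, body, re.M)}
        result[m.group(1)] = {"severity": m.group(2), "missing": REQUIRED[m.group(2)] - present}
    return result

def summarize(analysis):
    """Finding counts per severity, as in the tool's [INFO] summary line."""
    return {s: sum(r["severity"] == s for r in analysis.values()) for s in REQUIRED}

def errors(analysis):
    """One error per missing mandatory element, in a stable order."""
    return [f"{nc}: missing {f}" for nc, r in sorted(analysis.items()) for f in sorted(r["missing"])]
```

Running `errors(analyse(SAMPLE_REPORT))` flags only NC-PIMS-002, whose "Correction" line is an immediate fix rather than a corrective action, while the OFI passes with just an owner and deadline.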

## Getting Started

The PIMS internal audit draws on all other PIMS documentation. Prepare the following:

1. **PIMS Statement of Applicability** — Run the ISO 27701 PIMS SoA skill first. The SoA defines which controls are in scope for the audit and is the primary audit reference.

2. **All PIMS artifacts** — Gather the complete set of PIMS documentation: PII inventory, controller controls register, processor controls register, privacy policy, DPIAs, risk assessments, and data processing agreements. These serve as audit evidence.

3. **Audit team** — Identify who will conduct the audit. Auditors must be independent — they cannot audit processes they were responsible for implementing. For pre-certification audits, consider engaging an external privacy consultant with ISO 27701 audit experience.

4. **Audit schedule** — Block time for the audit. A typical first PIMS internal audit for a 200-employee organization takes 2-3 days: document review, interviews with key personnel, and technical verification.

5. **Previous audit findings** — If this is not your first audit, have previous audit reports and corrective action records available. The agent will check whether previous findings have been addressed.

6. **Interviewee availability** — Plan access to key personnel: Privacy Manager/DPO, IT Security, HR, clinical/operations teams, and management. The checklist will include interview questions for each area.

Start by telling the agent about your organization, the audit purpose (pre-certification, surveillance, or periodic), and who will be on the audit team. The agent will generate the plan, checklist, and — once fieldwork is complete — the audit report with classified findings and corrective actions.



