Overview
Define the Privacy Information Management System (PIMS) scope — organization role as PII controller, processor, or both, PII processing context and principal categories, applicable privacy regulations (GDPR, LGPD, CCPA, PIPEDA, PDPA, APPI), PIMS boundaries across business processes and systems, and privacy objectives. This is the foundation skill for all ISO 27701 documentation: every downstream skill (PII inventory, controller controls, privacy risk assessment) references the scope statement produced here.
What It Covers
- Organization Role Determination — Analyze processing activities to declare whether the organization acts as a PII controller, PII processor, or both, with documented justification
- PII Principal Categories — Identify all categories of individuals whose personal data is processed (employees, customers, patients, website visitors, job applicants, etc.)
- Applicable Privacy Regulations — Map the regulatory landscape based on organization locations, customer locations, and processing activities (GDPR, LGPD, CCPA/CPRA, PIPEDA, PDPA, APPI, POPIA)
- PIMS Boundaries — Delineate which business processes, information systems, departments, locations, and third-party relationships handle PII
- Privacy Objectives — Establish compliance, trust, operational, and certification goals for the PIMS
- Exclusions — Document any business processes, locations, or systems excluded from the PIMS scope with justification
Example Conversation
You: We’re MedSecure Health Technologies — a 200-person SaaS company that provides a health data platform. We operate out of the US and Brazil, and we serve healthcare providers in the US, EU, and Brazil. We process patient health records on behalf of providers, but we also have our own employees and run marketing analytics on website visitors. Can you help us define our PIMS scope?
Agent: Great context. Let me work through the role determination first.
Based on what you’ve described, MedSecure acts in both capacities:
- PII Controller — for your employee HR data, job applicant data, and website visitor analytics (you determine the purposes and means)
- PII Processor — for patient health records processed on behalf of healthcare providers (they determine the purposes, you process on their instructions)
This dual role is common for health tech platforms. Let me now map your regulatory landscape. With operations in the US and Brazil, and customers in the EU:
| Regulation | Applies Because |
|---|---|
| HIPAA | Processing protected health information for US healthcare providers |
| GDPR | Processing personal data of EU residents (patients of EU providers, any EU-based employees) |
| LGPD | Brazilian operations and Brazilian patient data |
| CCPA/CPRA | If California residents are among your users or employees |

For PII principal categories, I’ve identified: patients (via providers), employees, job applicants, website visitors, and healthcare provider staff (who use your platform).
Now let me define the PIMS boundaries — which systems and processes are in scope. Can you tell me about your main systems that handle personal data? For example: your SaaS platform, HR system, marketing tools, CRM?
You: Our main systems are the MedSecure Platform (cloud-hosted on GCP), Workday for HR, HubSpot for marketing, and Salesforce for CRM. We also use AWS S3 for backup storage.
Agent: I’ve drafted the full PIMS scope statement. Let me validate it now.
check_pims_scope_completeness on output/PIMS-Scope-Statement.md:

```
Coverage: 6/6 sections (100%)
[OK] Organization role declaration (Clause 5.2.1)
[OK] PII principal categories (Clause 5.2.1)
[OK] Applicable privacy regulations (Clause 5.2.1)
[OK] PIMS boundaries (Clause 5.2.1)
[OK] Privacy objectives (Clause 5.2.1)
[OK] Exclusions with justification (Clause 5.2.1)
[INFO] Identified 3 specific regulation(s): GDPR, LGPD, CCPA.
RESULT: PASS — All required PIMS scope sections are present.
```

Your PIMS scope statement is complete. It covers the dual controller/processor role, five PII principal categories, four applicable regulations, boundaries across five systems, and privacy objectives targeting ISO 27701 certification.
Sample Output Excerpt
Below is a representative excerpt from the PIMS Scope Statement produced for a health technology organization.
PIMS Scope Statement — MedSecure Health Technologies
1. Organization Role Declaration
MedSecure Health Technologies acts as both a PII Controller and a PII Processor.
Controller role justification: MedSecure determines the purposes and means of processing for employee HR data, job applicant data, and website visitor analytics. These activities are initiated and governed by MedSecure’s own business decisions.
Processor role justification: MedSecure processes patient health records on behalf of healthcare provider organizations. The providers (as controllers) determine what data is collected and for what purposes. MedSecure processes this data strictly according to contractual instructions and data processing agreements.
2. PII Principal Categories
| Category | Role | Volume (approx.) | Sensitivity |
|---|---|---|---|
| Patients | Processor | 500,000+ records | High — health data (special category) |
| Employees | Controller | 200 | Medium — HR, payroll, benefits |
| Job Applicants | Controller | ~1,000/year | Medium — CVs, background checks |
| Website Visitors | Controller | ~50,000/month | Low — cookies, analytics |
| Healthcare Provider Staff | Processor | ~2,000 | Low — platform login credentials |
3. Applicable Privacy Regulations
| Regulation | Jurisdiction | Trigger | Key Requirements |
|---|---|---|---|
| HIPAA | United States | Processing PHI on behalf of covered entities | BAA, minimum necessary, breach notification |
| GDPR | European Union | Processing data of EU residents | Lawful basis, data subject rights, DPO, DPIA |
| LGPD | Brazil | Brazilian operations and data subjects | Legal basis, data subject rights, DPO (Encarregado) |
| CCPA/CPRA | California, US | California employee and visitor data | Right to know, delete, opt-out of sale |
4. PIMS Boundaries
In-scope business processes: Patient data ingestion and processing, employee lifecycle management, recruitment, marketing and analytics, customer relationship management, platform development and operations.
In-scope information systems: MedSecure Platform (GCP), Workday HR, HubSpot Marketing, Salesforce CRM, AWS S3 backup storage.
In-scope locations: San Francisco, CA (HQ), Sao Paulo, Brazil (engineering office), GCP us-central1 and europe-west1 regions, AWS us-east-1 (backup).
5. Exclusions
Excluded: Corporate accounting and financial reporting systems — these do not process PII beyond what is already covered by the HR and CRM systems in scope. Justification: financial transactions reference only company-level data; any personal data (employee expenses, vendor contacts) is managed within Workday and Salesforce respectively.
Extension Tools
check_pims_scope_completeness
Validates the PIMS scope statement covers all required sections per ISO 27701 Clause 5.2. Returns a coverage percentage and detailed findings.
| Check | Severity | What It Validates |
|---|---|---|
| Organization role declaration | ERROR if missing | Controller, processor, or both is declared with justification |
| PII principal categories | ERROR if missing | At least one specific category is listed (employees, customers, patients, etc.) |
| Applicable privacy regulations | ERROR if missing | At least one named regulation (GDPR, LGPD, CCPA, etc.) is referenced |
| PIMS boundaries | ERROR if missing | Systems, processes, departments, or locations are identified as in-scope |
| Privacy objectives | ERROR if missing | Compliance, trust, operational, or certification goals are stated |
| Exclusions with justification | WARNING if missing | Out-of-scope items are documented with rationale |
The tool also performs quality checks: it verifies that regulations are named specifically (not just referenced generically), and flags when only one role is declared in case the organization also acts in another capacity for certain activities.
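As an added example (not the skill's own code), here is a minimal Python checker that implements the completeness and quality checks from the table above and runs them over a constructed scope statement. The section names, severities and regulation list are taken from this page; `check_pims_scope` and `split_sections` are hypothetical names, and the heading formats it recognises (`## X` or `3. X`) are an assumption.

```python
import re
# Check list mirroring the table above: (section name, heading pattern, severity if missing).
REQUIRED_SECTIONS = [
    ("Organization role declaration", r"organization role", "ERROR"),
    ("PII principal categories", r"principal categor", "ERROR"),
    ("Applicable privacy regulations", r"privacy regulation", "ERROR"),
    ("PIMS boundaries", r"pims boundar", "ERROR"),
    ("Privacy objectives", r"privacy objective", "ERROR"),
    ("Exclusions with justification", r"exclusion", "WARNING"),
]
# Names counted as a "specific" regulation (assumption, taken from the skill's own list above).
KNOWN_REGULATIONS = ["GDPR", "LGPD", "CCPA", "CPRA", "PIPEDA", "PDPA", "APPI", "POPIA"]
HEADING = re.compile(r"^(?:#+\s*|\d+\.\s+)(.+?)\s*$", re.MULTILINE)

def split_sections(text):
    """Map each heading ('## X' or '3. X', lower-cased) to the body up to the next heading."""
    marks = list(HEADING.finditer(text))
    ends = [m.start() for m in marks[1:]] + [len(text)]
    return {m.group(1).lower(): text[m.end():end] for m, end in zip(marks, ends)}

def check_pims_scope(text):
    """Return coverage %, PASS/FAIL and a list of (level, message) findings."""
    sections, findings = split_sections(text), []
    for name, pattern, severity in REQUIRED_SECTIONS:
        body = next((b for h, b in sections.items() if re.search(pattern, h)), "")
        if not body.strip():
            findings.append((severity, f"{name} missing"))
            continue
        findings.append(("OK", name))
        if name.startswith("Organization role"):
            roles = [r for r in ("controller", "processor") if r in body.lower()]
            if len(roles) == 1:  # quality check: a single role may hide a second capacity
                findings.append(("INFO", f"Only {roles[0]} role declared; confirm no other capacity"))
        elif name.startswith("Applicable"):  # quality check: regulations must be named, not generic
            named = sorted(r for r in KNOWN_REGULATIONS if re.search(rf"\b{r}\b", body))
            findings.append(("INFO", f"Identified {len(named)} specific regulation(s): {', '.join(named)}")
                            if named else ("WARNING", "Regulations referenced generically; none named"))
        elif name.startswith("Exclusions") and "justification" not in body.lower():
            findings.append(("WARNING", "Exclusions listed without justification"))
    return {"coverage": round(100 * sum(lv == "OK" for lv, _ in findings) / len(REQUIRED_SECTIONS)),
            "result": "FAIL" if any(lv == "ERROR" for lv, _ in findings) else "PASS", "findings": findings}

# Constructed sample scope statement: five sections present, Exclusions omitted.
SAMPLE = "\n".join([
    "1. Organization Role Declaration", "Acme is both PII Controller (HR) and PII Processor (client data).",
    "2. PII Principal Categories", "Employees, job applicants, clients' end users.",
    "3. Applicable Privacy Regulations", "GDPR (EU clients) and LGPD (Brazilian office).",
    "4. PIMS Boundaries", "Core platform, HR system, CRM; offices in Lisbon and Sao Paulo.",
    "5. Privacy Objectives", "Achieve ISO 27701 certification within 12 months.",
])
```

On the sample, `check_pims_scope(SAMPLE)` reports 83% coverage and PASS with a WARNING for the missing Exclusions section; a statement that names only one role or no specific regulation additionally receives the INFO and WARNING quality findings.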
Getting Started
To make the most of this skill, prepare the following before you begin:
- Organization profile — Know your company size, industry, locations (offices, data centers), and technology stack. If you have already completed the ISO 27001 Organization Profile skill, the agent will load that context automatically.
- Processing activity overview — Have a general understanding of what personal data your organization processes and why. You do not need a formal inventory yet (that comes in the PII Inventory skill), but knowing your main activities helps.
- Regulatory awareness — Know which countries your customers, employees, and users are located in. The agent will map regulations, but knowing your geographic footprint speeds up the process.
- System landscape — List the main systems that handle personal data: your core product, HR system, CRM, marketing tools, cloud infrastructure, and any third-party processors.
- Stakeholder input — If possible, consult with your DPO, legal team, or privacy officer before starting. The scope statement benefits from input on regulatory obligations and existing privacy commitments.
The skill produces output/PIMS-Scope-Statement.md, which becomes the foundation document referenced by all other ISO 27701 skills.