Privacy Information Management Systems Scheme (PIMS Scheme)

Privacy Information Management Systems Scheme (PIMS Scheme)


The scheme is based on the ISO/IEC 27000 family of standards which help organisations keep information assets secure. To reflect the importance of privacy, this ISMS Scheme scope extension is referred to as the ‘PIMS Scheme’.

ISO/IEC 27001 is the best-known standard in the family, providing requirements for an information security management system, thus helping organisations ensure that their information is securely managed.

In addition, with the publication of ISO/IEC TS 27006-2:2021, the ISMS Scheme includes an optional scope extension to undertake certification of privacy information management systems under the PIMS Scheme. This is consistent with decision by CASCO to specify the requirement for conformity assessment bodies at a sublevel of ISO/IEC 27006, albeit with a stand-alone certification decisions and certification documents for ISO/IEC 27001 and ISO/IEC 27701. All privacy related information – or personally identifiable information (PII) – is of potential relevance to information security. It is not possible to have a conforming PIMS in the absence of a conforming ISMS.

Moreover, PII is almost always potentially damaging to the individual(s) affected due to risks of identity theft, and other fraudulent activities that target individual persons. In this sense, PII risks are fundamentally incurred at the level of individuals, and therefore more insidious than other forms of information security risks.

For this reason, many jurisdictions have developed regulations that impose penalties on the unauthorised release of PII. With publication of these regulations, organizations have new legal compliance obligations and resulting financial risks that top management needs to understand and adequately mitigate, as relevant to the context of their operations.

Applicant CABs will need to comply with ISO/IEC 27006:2015/Amd.1:2020 - Information technology - Security techniques - Requirements for bodies providing audit and certification of information security management systems.

As a management systems scheme, applicants also need to comply with ISO/IEC 17021-1:2015 – Conformity Assessment – Requirements for bodies providing audit and certification of management systems - Part 1: Requirements.


  • Helps organisations operate Privacy Information Management Systems to manage risks of the unauthorised use release of personally identifiable information.
  • Assists understanding and adequate mitigation of legal compliance obligations and resulting financial risks from privacy related regulations such as the EU General Data Protection Regulation (EU GDPR).
  • Designed to operate in conjunction with Information Security Management Systems Scheme.

Scheme owner

International Organization for Standardization (ISO).

More information

An application pack, application form and other relevant material is not available on this site. These documents are available through our SharePoint portal. If you are a body that we currently accredit, you can access this information through the Share CAB Portal. If you are a new applicant, please complete an application enquiry form. Once this form is submitted, the Secretariat will provide you with a temporary username and password for the portal. For other stakeholders please submit your inquiry through the online feedback form.