Key Takeaways
  • ISO 27001 focuses on information security; ISO 27701 focuses on privacy and personally identifiable information (PII).
  • Since 2025, ISO 27701 can be implemented independently without ISO 27001 as a prerequisite.
  • Organizations handling PII often benefit from implementing both standards together in an integrated management system.
  • ISO 27001 uses a risk-based approach to security; ISO 27701 adds privacy-specific risks and controls.
  • Many Annex A controls overlap, making combined implementation more efficient than separate projects.

Quick Overview

ISO 27001 and ISO 27701 address different but related aspects of information management. Understanding their relationship helps you determine the right certification path for your organization.

The Key Difference

ISO 27001: Focuses on protecting information assets (confidentiality, integrity, availability), i.e. the security of information regardless of its type.

ISO 27701: Focuses specifically on protecting personal data (privacy), extending ISO 27001 with privacy-specific requirements for PII controllers and processors.

Side-by-Side Comparison

| Aspect | ISO 27001 | ISO 27701 |
|---|---|---|
| Full Name | Information Security Management System | Privacy Information Management System |
| Primary Focus | Information security (all data types) | Privacy (personal data only) |
| Standalone? | Yes, can be certified independently | Historically no (required ISO 27001 as foundation); since 2025 it can be certified independently |
| Annex Controls | 93 controls across 4 themes | 31 controller + 18 processor controls |
| Regulatory Alignment | Supports various security regulations | Direct mapping to GDPR |
| Certificate Statement | "ISO 27001 certified" | "ISO 27001 + ISO 27701 certified as controller/processor" |
| Typical Audit Addition | Base audit days | +0.5-2.5 days depending on scope |
| Key Stakeholders | IT, Security, Management | Privacy/Legal, DPO, IT, Security |

How They Relate

ISO 27701 is explicitly designed as an extension to ISO 27001. Think of it as a module that adds privacy capabilities to an existing information security foundation.

The Building Block Model

  • Foundation: ISO 27001 provides the management system framework (Plan-Do-Check-Act, risk management, internal audit, management review)
  • Security Controls: ISO 27002 provides implementation guidance for ISO 27001 Annex A controls
  • Privacy Extension: ISO 27701 adds privacy-specific requirements to both the management system and the controls

This means:

  • Every ISO 27001 requirement still applies
  • ISO 27701 adds additional requirements on top
  • The PIMS (Privacy Information Management System) is integrated with the ISMS
  • One integrated system, one integrated audit

Under the earlier edition of ISO 27701 you could not skip ISO 27001 and go straight to ISO 27701: the privacy standard assumed the information security foundation was already in place. Since 2025 the standard can also be certified independently (see the FAQ below), but the extension model described here is still how the two standards fit together when they are implemented jointly.

Prerequisites for ISO 27701

When ISO 27701 is pursued as an extension of ISO 27001, there are two routes:

Option 1: Existing ISO 27001 Certification

  • Already ISO 27001 certified
  • Add ISO 27701 as an extension during surveillance or recertification
  • Certificate expiry dates are aligned

Option 2: Integrated Initial Certification

  • Implement ISMS and PIMS together from the start
  • Single integrated audit covers both standards
  • More efficient for new implementations

What the Extension Model Does Not Allow

  • Get ISO 27701 certified without ISO 27001
  • Implement ISO 27701 as a standalone system
  • Use ISO 27701 as a substitute for ISO 27001

When ISO 27001 Alone Is Enough

ISO 27001 by itself may be sufficient when:

Your Primary Concern is Information Security

If you're protecting trade secrets, intellectual property, financial data, or other non-personal business information, ISO 27001's security controls are designed for this purpose.

Limited Personal Data Processing

If you process minimal personal data (e.g., just employee records for internal HR), the privacy-specific controls of ISO 27701 may be overkill.

No Regulatory Privacy Drivers

If you don't fall under GDPR, CCPA, or other privacy regulations, and your customers aren't asking about privacy specifically, ISO 27001 covers security adequately.

B2B Without Personal Data

Some B2B services handle only business data (e.g., infrastructure monitoring, code repositories) with no personal data in scope.

When You Need ISO 27701

Add ISO 27701 to your certification when:

You Process Personal Data at Scale

If personal data processing is core to your business (SaaS platforms, HR services, healthcare tech, marketing platforms), privacy-specific controls become essential.

GDPR or Privacy Regulation Applies

ISO 27701 maps directly to GDPR requirements and supports demonstrating accountability. It's increasingly requested by EU customers and data protection authorities.

You Act as a Data Processor

If you process personal data on behalf of customers (cloud services, SaaS), ISO 27701 provides specific processor controls that give audited backing to the privacy commitments you make in contracts.

Customers Ask About Privacy

If security questionnaires increasingly focus on privacy practices, data subject rights, and privacy by design, ISO 27701 provides audited evidence of your capabilities.

Differentiation in Privacy-Sensitive Markets

In healthcare, fintech, HR tech, and other privacy-sensitive sectors, ISO 27701 differentiates you from competitors with only ISO 27001.

Decision Framework

Use this framework to decide your certification path:

Question 1: Do you process personal data?

  • No: ISO 27001 is likely sufficient
  • Yes: Continue to Question 2

Question 2: Is personal data core to your service?

  • Peripheral (just employee data): ISO 27001 may suffice
  • Central to business: Consider ISO 27701

Question 3: Do privacy regulations apply?

  • GDPR, CCPA, or similar: ISO 27701 strongly recommended
  • No specific regulation: Base decision on customer requirements

Question 4: What do customers ask for?

  • Security only: ISO 27001
  • Security + Privacy: ISO 27001 + ISO 27701
  • Privacy-specific evidence: ISO 27701 essential

Our Recommendation

For organizations processing personal data at any significant scale, we recommend implementing ISO 27001 and ISO 27701 together from the start. The incremental effort is modest (10-20% more), but the value is substantial: you address both security and privacy with one integrated system and one audit process.

Frequently Asked Questions

Do I need ISO 27001 before getting ISO 27701?

No. Since 2025, ISO 27701 is a standalone standard and can be certified independently. However, many organizations choose to implement both for comprehensive security and privacy coverage, and the shared management system components make combined implementation highly efficient.

Which should I get first: ISO 27001 or ISO 27701?

If your primary need is information security, start with ISO 27001. If privacy is the driver, you can now start with ISO 27701 directly. For organizations processing personal data at scale, implementing both together from the start is typically the most efficient and cost-effective approach.

Can I get both certifications at once?

Yes. Integrated audits can assess both standards simultaneously, reducing audit time and cost. Most certification bodies offer combined assessments that evaluate the integrated management system in a single audit process.

What is the cost difference?

Combined implementation is typically 20-30% less expensive than implementing the standards separately. The savings come from shared management system components, overlapping Annex A controls, and integrated audit efficiency.

Is ISO 27701 enough for GDPR compliance?

ISO 27701 demonstrates a structured approach to privacy management and strongly supports GDPR compliance. However, GDPR compliance requires additional legal, organizational, and operational measures beyond any single standard, including establishing valid legal bases, conducting DPIAs for high-risk processing, and implementing appropriate contractual arrangements.