ISO 27701 Certification Overview

ISO 27701 certification demonstrates that your organization has implemented a Privacy Information Management System (PIMS) that extends your Information Security Management System (ISMS) to address privacy requirements. The certification process follows the same two-stage audit approach as ISO 27001.

The certification cycle spans three years:

  • Year 1: Initial certification (Stage 1 + Stage 2 audits)
  • Year 2: Surveillance Audit 1
  • Year 3: Surveillance Audit 2
  • Year 4: Recertification audit (new cycle begins)
Integrated Certification

ISO 27701 is always issued as an extension to ISO 27001. Your certificate will reference both standards, and audits are typically conducted together as an integrated assessment.

ISO 27001 Prerequisite

Before pursuing ISO 27701, you must have ISO 27001 certification or pursue both simultaneously:

Option 1: Add to Existing ISO 27001

If you're already ISO 27001 certified:

  • Implement PIMS requirements as extension to existing ISMS
  • Schedule ISO 27701 audit to align with surveillance or recertification
  • Receive ISO 27701 certificate with same expiry as ISO 27001

Option 2: Integrated Initial Certification

If you're not yet ISO 27001 certified:

  • Implement integrated ISMS + PIMS from the start
  • Single integrated audit covers both standards
  • Receive both certificates simultaneously

The integrated approach is more efficient for organizations starting fresh, as it avoids duplicate effort in documentation, risk assessment, and audit preparation.

Choosing a Certification Body

Select a certification body (CB) that meets these criteria:

Accreditation Requirements

  • Accredited by a recognized national accreditation body (UKAS, ANAB, IAS, DAkkS, etc.)
  • Accreditation scope includes ISO 27701
  • Part of IAF MLA for international recognition

Practical Considerations

  • Privacy Expertise: Auditors with privacy law and data protection experience
  • Industry Knowledge: Understanding of your sector's privacy requirements
  • Geographic Coverage: Ability to audit all locations in scope
  • Existing Relationship: If already ISO 27001 certified, using the same CB simplifies integration

Stage 1 Audit: Documentation Review

Stage 1 assesses whether your PIMS is ready for the full certification audit.

Stage 1 Objectives

  • Review PIMS documentation against ISO 27701 requirements
  • Verify PIMS scope is appropriate and clearly defined
  • Confirm controller and/or processor role determination
  • Assess privacy risk assessment completion
  • Verify internal audit and management review include PIMS
  • Identify potential issues before Stage 2

Key Documents Reviewed

  • PIMS Scope: Boundaries, PII types, processing activities
  • Privacy Policy: Management commitment to privacy
  • Role Determination: Controller/processor analysis
  • Privacy Risk Assessment: Privacy-specific risks and treatment
  • Statement of Applicability: Annex A/B controls with justifications
  • PII Inventory: Data mapping and processing records
  • Third-Party Agreements: Processor contracts, DPAs
  • Privacy Procedures: Data subject rights, breach notification

Stage 1 Duration

When conducted as extension to ISO 27001 Stage 1:

  • Additional 0.5-1 day for PIMS-specific review
  • Can be remote or on-site

Stage 2 Audit: Implementation Verification

Stage 2 verifies that your PIMS is effectively implemented and operating.

Stage 2 Objectives

  • Confirm PIMS conforms to all ISO 27701 requirements
  • Verify privacy controls are implemented and effective
  • Assess data subject rights handling processes
  • Verify third-party and transfer controls
  • Evaluate privacy awareness and competence
  • Review privacy incident handling

Audit Methods

  • Interviews: Privacy officer, DPO (if applicable), process owners, IT staff
  • Document Review: Privacy notices, consent records, DPIA records, contracts
  • Process Observation: Data subject request handling, consent management
  • Technical Verification: Access controls for PII, encryption, anonymization
  • Sampling: Data subject requests, privacy incidents, third-party assessments

Controller-Specific Assessment (Annex A)

For organizations certified as PII controllers, auditors evaluate:

  • Lawful basis determination and documentation
  • Purpose specification and limitation
  • Data minimization practices
  • Data subject rights fulfillment
  • Privacy by design implementation
  • Third-party disclosure controls

Processor-Specific Assessment (Annex B)

For organizations certified as PII processors, auditors evaluate:

  • Processing under documented instructions
  • Subprocessor authorization and management
  • Assistance to controllers for data subject requests
  • Data return and deletion procedures
  • Security incident notification to controllers

Stage 2 Duration

Additional audit time for ISO 27701 beyond ISO 27001:

Organization Size (FTE) ISO 27001 Stage 2 ISO 27701 Additional Total Integrated
1-45 3-5 days 0.5-1 day 3.5-6 days
46-125 5-7 days 1-1.5 days 6-8.5 days
126-425 7-10 days 1.5-2 days 8.5-12 days
426-625 10-12 days 2-2.5 days 12-14.5 days

Managing Nonconformities

Audit findings follow the same classification as ISO 27001:

Types of Findings

  • Major Nonconformity: Systemic failure or absence of a required PIMS element. Must be resolved before certification.
  • Minor Nonconformity: Isolated instance of non-compliance. Certificate can be issued with accepted corrective action plan.
  • Observation: Opportunity for improvement. No action required.

Common ISO 27701-Specific Findings

  • Incomplete PII inventory or data mapping
  • Missing or inadequate controller/processor role analysis
  • Privacy risk assessment not integrated with information security risk assessment
  • Statement of Applicability missing Annex A/B justifications
  • Inadequate data subject request handling procedures
  • Missing or incomplete third-party agreements
  • Privacy notices not aligned with actual processing

Surveillance Audits

Annual surveillance audits verify continued PIMS conformity:

Surveillance Scope

  • Privacy internal audit and management review
  • Actions on previous PIMS nonconformities
  • Privacy complaints and their handling
  • Data subject requests and response
  • Privacy incidents and breach handling
  • Changes to processing activities
  • Selected Annex A/B controls

Surveillance Duration

Typically 30-40% of initial ISO 27701 audit time added to ISO 27001 surveillance, ensuring all PIMS requirements are covered over the 3-year cycle.

Recertification Audit

Before the 3-year certificate expires, a recertification audit confirms continued PIMS suitability:

  • Full review of PIMS against current ISO 27701 requirements
  • Assessment of PIMS performance over the certification cycle
  • Evaluation of changes to privacy landscape and processing
  • Review of regulatory developments and response

Plan recertification 3-4 months before expiry to allow for any corrective actions.

Complete Certification Timeline

Phase Duration Key Activities
ISO 27001 Foundation Existing or concurrent Ensure ISMS is certified or plan integrated certification
PIMS Implementation 2-4 months Privacy-specific controls, documentation, procedures
CB Selection 2-3 weeks Proposals, evaluation, contract
Stage 1 Audit 0.5-1 day (additional) PIMS documentation review
Gap Closure 2-6 weeks Address Stage 1 findings
Stage 2 Audit 1-2.5 days (additional) PIMS implementation verification
Corrective Actions 2-8 weeks Resolve nonconformities
Certificate Issuance 1-2 weeks CB review and approval

Total Time for ISO 27701 Extension: 3-6 months for organizations already ISO 27001 certified.
Total Time for Integrated Certification: 6-12 months for both ISO 27001 and ISO 27701 together.

ISO 27701 Certification Audit Process