Can I get ISO 27701 certified without ISO 27001?

No. ISO 27701 is an extension to ISO 27001 and cannot be certified independently. Organizations must either be ISO 27001 certified first or pursue both certifications together as an integrated management system.

Does ISO 27701 guarantee GDPR compliance?

ISO 27701 certification demonstrates a robust privacy management system that supports GDPR compliance, but it does not guarantee full GDPR compliance. GDPR has legal and organizational requirements beyond technical controls that must be addressed separately.

What is ISO 27701 (PIMS)? Complete 2025 Guide

Q: What is ISO 27701?

ISO 27701 is an international standard that extends ISO 27001 and ISO 27002 to include privacy management. It provides a framework for establishing, implementing, maintaining, and continually improving a Privacy Information Management System (PIMS).

What is ISO 27701?

ISO/IEC 27701:2019 is an international standard that extends ISO 27001 (Information Security Management System) and ISO 27002 (security controls) to include privacy management. It provides a framework for establishing, implementing, maintaining, and continually improving a Privacy Information Management System (PIMS).

Published in August 2019, ISO 27701 addresses the growing need for organizations to demonstrate robust privacy practices in response to regulations like GDPR, CCPA, LGPD, and other global data protection laws.

ISO 27701 in a Nutshell

What: Privacy extension to ISO 27001/27002
Full Name: Security techniques - Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management
Output: ISO 27701 certificate (as extension to ISO 27001)
Prerequisite: ISO 27001 certification required
Recognition: Global

Relationship to ISO 27001

ISO 27701 is not a standalone standard. It is explicitly designed as an extension to ISO 27001, adding privacy-specific requirements to the existing ISMS framework. Understanding this relationship is crucial:

How They Work Together

ISO 27001: Provides the management system framework (Plan-Do-Check-Act) and core requirements for information security
ISO 27002: Provides the control guidance referenced by ISO 27001 Annex A
ISO 27701: Extends both standards with privacy-specific requirements and controls

Think of it as layers:

Layer	Standard	Focus
Foundation	ISO 27001	Information Security Management System
Controls	ISO 27002	Security control implementation guidance
Extension	ISO 27701	Privacy-specific requirements and controls

You cannot achieve ISO 27701 certification without ISO 27001. Organizations can pursue both simultaneously or add ISO 27701 to an existing ISO 27001 certification.

Standard Structure

ISO 27701 follows a structured approach that mirrors and extends ISO 27001:

Clause 5: PIMS-Specific Requirements Related to ISO 27001

Extends clauses 4-10 of ISO 27001 with privacy considerations:

Context: Identify privacy stakeholders, PII processing roles
Leadership: Privacy accountability and policy
Planning: Privacy risk assessment, objectives
Support: Privacy awareness, competence
Operation: Privacy by design, PII handling
Performance: Privacy metrics, monitoring
Improvement: Privacy incident handling, continuous improvement

Clause 6: PIMS-Specific Guidance Related to ISO 27002

Extends ISO 27002 controls with privacy implementation guidance, adding considerations for:

PII protection in each control domain
Privacy-specific implementation notes
Data subject considerations

Clause 7: Additional ISO 27002 Guidance for PII Controllers

Specific controls for organizations that determine purposes and means of processing:

Collection limitation and purpose specification
Data minimization and accuracy
Data subject rights management
Privacy by design and default
Third-party and cross-border transfers

Clause 8: Additional ISO 27002 Guidance for PII Processors

Specific controls for organizations processing on behalf of controllers:

Processing only under documented instructions
Subprocessor management
Assisting controllers with data subject requests
Return and deletion of PII

Annexes

Annex A: PIMS-specific reference control objectives and controls for PII controllers
Annex B: PIMS-specific reference control objectives and controls for PII processors
Annex C: Mapping to ISO 29100 (privacy framework)
Annex D: Mapping to GDPR
Annex E: Mapping to ISO 27018 and ISO 29151
Annex F: How to apply ISO 27701 to ISO 27001 and ISO 27002

Controller vs Processor Roles

A fundamental concept in ISO 27701 is distinguishing between PII Controllers and PII Processors:

Aspect	PII Controller	PII Processor
Definition	Determines purposes and means of PII processing	Processes PII on behalf of a controller
Example	E-commerce company collecting customer data	Cloud provider hosting customer databases
Applicable Clause	Clause 7 + Annex A	Clause 8 + Annex B
Key Responsibilities	Lawful basis, purpose limitation, data subject rights	Following instructions, security, assisting controller
Certificate Scope	"As PII Controller"	"As PII Processor"

Dual Roles

Many organizations act as both controller and processor depending on the context. For example, a SaaS company might be a processor for customer data while being a controller for employee data. ISO 27701 accommodates this by allowing certification in both roles.

Benefits of ISO 27701 Certification

1. Demonstrate Privacy Commitment

ISO 27701 provides independent, third-party verification that your organization has implemented robust privacy controls. This goes beyond self-attestations and privacy policies to demonstrate operational privacy management.

2. Support Regulatory Compliance

While ISO 27701 doesn't guarantee compliance with any specific law, it provides a framework aligned with major privacy regulations:

GDPR (EU General Data Protection Regulation)
CCPA/CPRA (California Consumer Privacy Rights)
LGPD (Brazil's Lei Geral de Protecao de Dados)
DPDP (India's Digital Personal Data Protection Act)
Other national and regional privacy laws

3. Build Customer Trust

In an era of data breaches and privacy scandals, ISO 27701 certification signals to customers that you take their privacy seriously. It provides a recognizable credential that procurement teams understand.

4. Competitive Advantage

As privacy requirements appear in more vendor questionnaires and RFPs, ISO 27701 certification differentiates you from competitors who can only make claims without third-party verification.

5. Operational Efficiency

Implementing ISO 27701 forces organizations to document and standardize privacy processes, reducing ad-hoc decision making and improving consistency across the organization.

6. Leverage Existing ISO 27001 Investment

For organizations already ISO 27001 certified, ISO 27701 provides an efficient path to formalize privacy management by extending the existing ISMS rather than building a separate system.

ISO 27701 was designed with GDPR in mind and includes Annex D which maps the standard's requirements to GDPR articles. Key mappings include:

GDPR Article	ISO 27701 Reference
Art. 5 - Principles	Clause 7.2.1-7.2.8
Art. 6 - Lawful Basis	Clause 7.2.2
Art. 12-23 - Data Subject Rights	Clause 7.3.1-7.3.10
Art. 25 - Privacy by Design	Clause 7.4
Art. 28 - Processor Requirements	Clause 8
Art. 32 - Security of Processing	Clause 6 (ISO 27002 extension)
Art. 33-34 - Breach Notification	Clause 6.13.1

ISO 27701 certification demonstrates you have implemented controls that support GDPR compliance, but legal compliance requires additional elements like valid legal bases, DPIAs for high-risk processing, and appropriate contractual arrangements that are beyond technical control implementation.

Who Needs ISO 27701?

Ideal Candidates

Organizations Already ISO 27001 Certified: Natural extension to formalize privacy controls
Global Data Processors: Companies processing personal data across jurisdictions
Cloud Service Providers: Demonstrating privacy controls to enterprise customers
B2B SaaS Companies: Meeting vendor assessment requirements
Healthcare Technology: Supporting HIPAA alongside privacy requirements
Financial Services: Meeting regulatory expectations for data protection
HR and Payroll Services: Handling sensitive employee data

Signs You Should Consider ISO 27701

Customers increasingly ask about privacy practices in security questionnaires
You're expanding into markets with strong privacy regulations (EU, California, Brazil)
Your ISO 27001 scope includes personal data processing
Privacy is becoming a competitive differentiator in your market
You need to demonstrate privacy accountability to regulators

Getting Started with ISO 27701

Prerequisites

ISO 27001 Foundation: Either achieve ISO 27001 first or pursue both together
PII Processing Understanding: Document what personal data you process and why
Role Determination: Clarify your controller and/or processor roles

Implementation Steps

Gap Analysis: Compare current privacy practices against ISO 27701 requirements
Scope Definition: Define PIMS scope aligned with ISMS scope
Privacy Risk Assessment: Extend information security risk assessment to include privacy risks
Control Implementation: Implement Annex A (controller) and/or Annex B (processor) controls
Documentation: Update policies, procedures, and records for privacy
Training: Ensure staff understand privacy requirements and their roles
Internal Audit: Audit PIMS against ISO 27701 requirements
Management Review: Include PIMS performance in management review
Certification Audit: Engage accredited certification body

Timeline Considerations

Already ISO 27001 Certified: 3-6 months to add ISO 27701
Pursuing Both Together: 6-12 months for integrated implementation
Starting from Scratch: 9-18 months depending on organization size and complexity