ISO 27701
Privacy information management system implementation extending ISO 27001 for GDPR and data protection compliance.
ISO/IEC 27701 is the international standard for privacy information management. It extends ISO 27001 and ISO 27002 with additional requirements and controls for managing personally identifiable information (PII), and its annexes map those requirements to GDPR articles and other privacy standards.
What ISO 27701 actually involves
ISO 27701 is an extension to ISO 27001: you implement it on top of an existing Information Security Management System (ISMS), turning it into a Privacy Information Management System (PIMS). The standard adds:
- Privacy-specific controls for collecting, processing, retaining and sharing personal data
- Separate control sets for PII controllers and PII processors, roles that correspond to the controller and processor roles in GDPR
- Extended risk assessment that covers risks to data subjects alongside risks to the organisation
- Extended governance with defined privacy roles and responsibilities
- Records of processing integrated into your management system
The standard provides a certifiable framework for demonstrating privacy compliance to customers, partners, and regulators.
Who needs ISO 27701
ISO 27701 certification is particularly valuable for:
- Data processors who need to demonstrate compliance to their controller customers
- SaaS and technology companies processing customer data at scale
- Organisations with international operations needing a consistent privacy framework
- Companies seeking competitive advantage in privacy-conscious markets
- Organisations preparing for GDPR audits who want a structured approach
If you’re already ISO 27001 certified (or working towards it), ISO 27701 provides a logical next step that addresses the privacy dimension.
How ISO 27701 relates to GDPR
ISO 27701 was designed with GDPR in mind. The standard includes annexes that map its requirements to:
- GDPR articles (for EU compliance)
- ISO 29100 privacy principles
- ISO 27018 (protection of PII in public clouds)
ISO 27701 certification does not by itself make you GDPR compliant, and it is not a certification mechanism approved under GDPR Article 42. What it does provide is independently audited evidence that you have systematic processes for managing personal data, which is the kind of evidence GDPR's accountability principle (Article 5(2)) asks controllers to be able to demonstrate.
How we can help
Gap analysis
If you have an existing ISO 27001 system, we’ll assess what’s needed to extend it for ISO 27701. If you’re starting fresh, we’ll help plan an integrated implementation.
Privacy controls implementation
We’ll help you implement the additional controls required, including:
- Privacy impact assessment processes
- Consent management procedures
- Data subject rights handling
- Third-party data sharing controls
- Privacy-specific incident response
- Records of processing activities (RoPA)
Controller vs processor scoping
The standard has different requirements depending on whether you act as a controller, processor, or both. We’ll help define your scope correctly and implement appropriate controls.
Integration with existing ISMS
If you already have ISO 27001, we’ll ensure the privacy extension integrates smoothly without creating parallel systems or unnecessary duplication.
Certification preparation
We’ll help ensure you’re ready for the combined assessment:
- Internal audit support
- Management review enhancement
- Documentation review
- Audit readiness assessment
What to expect
For organisations with existing ISO 27001 certification, the ISO 27701 extension typically takes 3-6 months. Combined implementations starting from scratch take 9-15 months depending on complexity.
The certification audit is usually conducted alongside your ISO 27001 audit, making it efficient if you’re planning both.
Common questions
Do we need ISO 27001 first? Yes. ISO 27701 is explicitly an extension to ISO 27001. You can implement them together, but you cannot be certified to ISO 27701 without ISO 27001.
Is ISO 27701 the same as GDPR certification? No. ISO 27701 is not a certification mechanism approved under GDPR Article 42; certification bodies assess you against the ISO standard, not against the Regulation. ISO 27701 demonstrates you have a privacy management system, which supports your GDPR compliance, but it is not the same thing.
What's the difference from ISO 27018? ISO 27018 is a code of practice for protecting PII in public clouds, written for cloud service providers acting as PII processors; it is guidance rather than a certifiable management system standard. ISO 27701 is broader, covering any organisation that processes personal data in any context, whether as controller, processor, or both, and it is certifiable.
Can we certify as both controller and processor? Yes, if that reflects your actual operations. Many organisations need both scopes. For example, a SaaS company is typically a controller for its own employee and customer account data, and a processor for the personal data its customers upload to the platform.
How does this help with customer due diligence? ISO 27701 certification provides independent assurance that you have systematic privacy controls. This can significantly reduce the burden of responding to customer security questionnaires and privacy assessments.
