Privacy regulation is becoming more complex and more consequential. The GDPR, its national implementations, and emerging privacy laws worldwide create a web of obligations that organizations must navigate. ISO 27701 provides a structured, certifiable framework for managing these obligations by extending your existing ISO 27001 information security management system with privacy-specific controls.
What is ISO 27701?
ISO 27701 specifies the requirements for establishing, implementing, maintaining and continuously improving a Privacy Information Management System (PIMS). It is designed as an extension to ISO 27001, not a standalone standard. This means you need an ISO 27001 certified ISMS as the foundation, and ISO 27701 adds privacy-specific requirements on top of it.
The standard distinguishes between two roles: PII controllers (organizations that determine the purposes and means of processing personal data) and PII processors (organizations that process personal data on behalf of controllers). Each role has specific control requirements, and most organizations will implement controls for one or both roles depending on their activities.
Concrete privacy requirements
ISO 27701 translates abstract privacy principles into concrete, auditable requirements. Organizations must maintain Records of Processing Activities (RoPA), documenting all processing activities, their purposes, legal bases and retention periods. They must implement processes for conducting Data Protection Impact Assessments (DPIAs) for high-risk processing activities.
Data subject rights are another key area. The standard requires documented procedures for handling access requests, rectification, erasure, data portability and objection to processing. These procedures must include defined response times, verification mechanisms, and escalation paths.
For PII processors, the standard specifies controls around sub-processor management, cross-border transfer mechanisms, and return or deletion of personal data at the end of a processing relationship. These requirements map directly to what GDPR Article 28 demands from processors.
How ISO 27701 differs from GDPR
ISO 27701 and the GDPR are complementary, not identical. The GDPR is a legal framework with specific requirements tied to EU jurisdiction, enforcement mechanisms and legal bases for processing. ISO 27701 is a management system standard that provides the organizational structure for meeting privacy obligations systematically.
Certification to ISO 27701 does not automatically mean GDPR compliance. The GDPR contains requirements (such as the appointment of a Data Protection Officer in specific circumstances, or the specifics of lawful processing bases) that fall outside the scope of a management system standard. However, ISO 27701 certification demonstrates that your organization has implemented a systematic approach to privacy management, which is a strong foundation for compliance with any privacy regulation.
Certification process
ISO 27701 certification is always granted as an extension to ISO 27001. During the certification audit, the auditor evaluates the privacy-specific controls on top of the information security management system. Organizations that are already ISO 27001 certified can add ISO 27701 during a surveillance or recertification audit, which makes the process more efficient.
Secure Audit guides organizations through ISO 27701 implementation and certification, building on your existing ISO 27001 foundation. Contact us to explore how privacy certification can support your compliance objectives.
About the author
Partner | IT Auditor