What Is ISO 27701?
ISO/IEC 27701:2019 is an international standard that specifies requirements and provides guidance for establishing, implementing, maintaining, and continually improving a Privacy Information Management System (PIMS). It was developed as an extension to ISO 27001 and ISO 27002, adding privacy-specific controls and guidance that address the management of personally identifiable information (PII).
The standard was published in August 2019, directly in response to the growing global demand for a certifiable privacy management framework. While GDPR established the legal obligations, ISO 27701 provides the operational management system that helps organisations meet those obligations in a structured, repeatable, and auditable manner.
PIMS: The Privacy Extension to Your ISMS
ISO 27701 does not operate in isolation. It is explicitly designed as an extension to an ISO 27001 ISMS and cannot be certified on its own: an organisation either already holds ISO 27001 certification or certifies against both standards in a combined audit. The PIMS builds on top of the ISMS by adding:
- Privacy-specific clauses. Extensions to ISO 27001 clauses 4 through 10 that address the PII processing context, privacy risk assessment, and privacy-specific leadership responsibilities, together with PII-related guidance layered onto the ISO 27002 controls.
- Additional controls for PII controllers. Annex A of ISO 27701 provides controls specific to organisations that determine the purposes and means of PII processing (controllers under GDPR terminology).
- Additional controls for PII processors. Annex B provides controls for organisations that process PII on behalf of controllers (processors under GDPR terminology).
- GDPR mapping annex. Annex D provides an informative mapping between ISO 27701 controls and GDPR articles, making the relationship between certification and regulatory compliance explicit.
This layered approach is a significant advantage. Organisations that have already invested in ISO 27001 certification can extend their existing management system rather than building a separate privacy programme from scratch.
How ISO 27701 Maps to GDPR
The relationship between ISO 27701 and GDPR is not incidental — it was designed to be direct. The standard's Annex D provides a detailed mapping between its controls and specific GDPR articles. Key alignments include:
- Article 5 — Principles. ISO 27701's requirements for purpose limitation, data minimisation, and accuracy directly support the GDPR's core processing principles.
- Article 6 — Lawful basis. The standard requires organisations to document and maintain records of the legal basis for each processing activity, supporting GDPR's lawfulness requirements.
- Articles 13 and 14 — Transparency. ISO 27701 mandates clear privacy notices and communication procedures that address both direct and indirect data collection scenarios.
- Articles 15 through 22 — Data subject rights. The standard requires documented procedures for handling access requests, rectification, erasure, restriction, portability, and objection, covering the rights set out in this chapter of the GDPR.
- Article 25 — Data protection by design. ISO 27701's risk-based approach to privacy controls embeds data protection into the design of processing activities, directly supporting this GDPR requirement.
- Article 28 — Processor obligations. Annex B provides specific controls that processors must implement, including sub-processor management, data return and deletion, and audit cooperation.
- Article 30 — Records of processing. The standard requires comprehensive records of PII processing activities, categories of data, recipients, and transfer mechanisms.
- Article 32 — Security of processing. By building on ISO 27001's security controls, ISO 27701 ensures that appropriate technical and organisational measures protect PII throughout its lifecycle.
GDPR Article 42 and Certification Mechanisms
GDPR Article 42 encourages the establishment of data protection certification mechanisms, seals, and marks that allow organisations to demonstrate compliance. The European Data Protection Board (EDPB) has published guidelines on how such certification schemes and their accreditation criteria are to be approved.
ISO 27701 is not itself an approved certification mechanism under Article 42, so holding the certificate does not in itself establish GDPR compliance. It does, however, provide an internationally recognised framework that supervisory authorities and courts can take into account when assessing an organisation's accountability and diligence, and it is commonly used as evidence of a functioning privacy management system in that context.
PII Controller vs PII Processor Requirements
One of ISO 27701's most practical features is its clear delineation between controller and processor obligations. This distinction is critical for organisations that operate in both capacities — which is increasingly common in cloud-based and platform business models.
PII Controller requirements (Annex A) focus on:
- Determining and documenting the lawful basis for processing
- Implementing consent mechanisms and managing consent lifecycle
- Conducting and documenting privacy impact assessments (PIAs), which correspond to the data protection impact assessments (DPIAs) required by GDPR Article 35
- Establishing procedures for data subject rights fulfilment
- Managing data transfers, including cross-border transfers and adequacy assessments
- Defining data retention periods and implementing deletion procedures
PII Processor requirements (Annex B) focus on:
- Processing PII only in accordance with documented controller instructions
- Managing sub-processor relationships, including notification and due diligence
- Assisting controllers with data subject rights requests
- Implementing procedures for notifying the controller of PII breaches without undue delay
- Returning or deleting PII upon termination of the processing agreement
- Supporting controller audits and demonstrating compliance evidence
Organisations can certify against one or both sets of controls depending on their role in the data processing ecosystem.
The Certification Process
Achieving ISO 27701 certification follows a structured path that builds on your existing ISO 27001 programme:
- Gap analysis. Assess your current ISMS and privacy practices against ISO 27701 requirements. Identify missing controls, documentation gaps, and process deficiencies.
- Scope definition. Define the scope of your PIMS, including which processing activities, business units, and data categories are covered. Determine whether you are certifying as a controller, processor, or both.
- Implementation. Deploy the additional controls required by ISO 27701, update your risk assessment to include privacy risks, and extend your ISMS documentation to cover PIMS requirements.
- Internal audit. Conduct an internal audit of the PIMS to verify that controls are implemented, effective, and properly documented.
- Stage 1 audit. The certification body reviews your documentation and readiness for the full assessment.
- Stage 2 audit. The certification body conducts a thorough on-site (or remote) assessment of your PIMS implementation and effectiveness.
- Certification and surveillance. Upon successful completion, you receive ISO 27701 certification. The certificate follows the usual three-year ISO cycle: annual surveillance audits check that the PIMS continues to operate as certified, followed by a full recertification audit at the end of the cycle.
For organisations already holding ISO 27001, the additional effort for ISO 27701 is typically moderate — the management system foundation is already in place, and the work primarily involves extending it with privacy-specific controls and documentation.
Benefits for Data Protection Officers
ISO 27701 certification delivers particular value for Data Protection Officers (DPOs) and privacy teams:
- Demonstrable accountability. GDPR Article 5(2) requires organisations to demonstrate compliance. ISO 27701 certification provides tangible, third-party-verified evidence of a functioning privacy management system.
- Structured framework. Rather than assembling a bespoke privacy programme, DPOs can leverage the ISO 27701 framework to ensure comprehensive coverage of privacy requirements.
- Continuous improvement. The management system approach ensures that privacy practices are regularly reviewed, updated, and improved — not just implemented once and forgotten.
- Supply chain assurance. Certification provides a recognised credential that simplifies privacy due diligence in vendor selection and contract negotiations.
- Regulatory dialogue. When engaging with supervisory authorities, certification demonstrates that the organisation takes privacy seriously and has invested in a structured approach to compliance.
Conclusion
ISO 27701 bridges the gap between information security and privacy management, providing organisations with a certifiable framework that directly supports GDPR compliance. For organisations that already maintain ISO 27001, extending to ISO 27701 is a logical and efficient step that transforms privacy from a legal obligation into a managed, auditable business process.
As regulatory scrutiny intensifies and data subjects become more aware of their rights, the ability to demonstrate a functioning privacy management system — backed by independent certification — is becoming a competitive advantage, not just a compliance requirement.