What is ISO/IEC 27701?
ISO/IEC 27701:2019 is an extension to ISO 27001 and ISO 27002 that specifies requirements and guidance for establishing, implementing, maintaining, and continually improving a Privacy Information Management System (PIMS). It maps privacy controls to the roles of both Personal Information Controllers (PICs) and Personal Information Processors (PIPs).
Relationship to ISO 27001
ISO 27701 is not a standalone standard; it extends ISO 27001. Organisations must hold ISO 27001 certification (or pursue it simultaneously) before obtaining ISO 27701 certification. The integrated programme shares the ISMS management framework, significantly reducing implementation effort and audit cost compared to separate engagements.
Who Needs ISO 27701?
- Organisations processing EU personal data under GDPR obligations
- Cloud service providers and data processors handling customer personal data
- Healthcare and HR technology platforms
- Financial services firms subject to multiple privacy jurisdiction requirements
- Any organisation seeking to demonstrate accountability under Article 5(2) GDPR
ISO 27701 and GDPR Compliance
While ISO 27701 certification does not constitute legal proof of GDPR compliance, it provides a documented, independently audited framework that directly maps to GDPR accountability obligations. Supervisory authorities and data protection officers widely recognise ISO 27701 as a robust accountability measure under Article 24 GDPR.
Key Control Areas
- Privacy conditions for collection and processing of personal information
- Obligations to individuals (data subjects): transparency, access, correction, deletion
- Privacy by design and default in system and process design
- Data transfer controls including cross-border transfer mechanisms
- Processor and sub-processor management under Article 28 GDPR
- Data breach notification procedures aligned with the 72-hour GDPR notification requirement
Typical Timeline
For organisations already holding ISO 27001: 2–3 months to add ISO 27701 certification. For organisations pursuing ISO 27001 + ISO 27701 simultaneously: 4–6 months.