
ISO 27701: Privacy Information Management System (PIMS)

ISO 27701 extends ISO 27001 to address privacy management. It provides a framework for implementing a Privacy Information Management System (PIMS), helping organizations demonstrate their commitment to protecting personal data.

Key Takeaways

Point | Summary
What it is | Privacy extension to ISO 27001 for managing personal data
Prerequisite | Requires an ISO 27001 ISMS as its foundation (certified already, or audited together with ISO 27701)
Scope | Covers both PII controllers and PII processors
Regulatory alignment | Supports GDPR, CCPA, and other privacy regulations
Value | Demonstrates a systematic approach to privacy beyond security alone

Quick Answer: ISO 27701 is a privacy extension to ISO 27001 that helps organizations systematically manage personal data protection. It's particularly valuable for demonstrating GDPR compliance and for organizations where privacy is a key concern. You need ISO 27001 first—ISO 27701 builds on that foundation.

Understanding ISO 27701

What ISO 27701 Adds

While ISO 27001 focuses on information security broadly, ISO 27701 specifically addresses the protection and processing of personally identifiable information (PII). It adds:

  • Privacy-specific requirements to the ISO 27001 management system
  • Privacy controls extending ISO 27001's Annex A
  • Role-specific guidance for data controllers and data processors
  • Mapping to regulations like GDPR

Privacy vs. Security

Aspect | ISO 27001 (Security) | ISO 27701 (Privacy)
Primary focus | Protecting the confidentiality, integrity and availability of information | Protecting individuals' rights over their personal data
Whose interests | The organization's information assets | Data subjects (the individuals the PII is about)
Key concerns | Unauthorized access, data breaches, system availability | Consent, data subject rights, lawful processing
Regulatory context | General security requirements | GDPR, CCPA and other privacy-specific regulations

You can have excellent security without good privacy practices, and vice versa. ISO 27701 ensures you address both.

When Do You Need ISO 27701?

ISO 27701 May Be Valuable If:

Scenario | Why ISO 27701 Helps
GDPR applies to you | Demonstrates systematic privacy management
You process significant PII | Shows commitment to data protection
Customers request privacy assurance | Provides certified, independently audited validation
Privacy is a differentiator | Supports marketing and trust messaging
You're a data processor | Demonstrates responsible data handling to controllers

You May Not Need ISO 27701 (Yet) If:

  • You're just starting compliance—focus on ISO 27001 first
  • You process minimal personal data
  • Your customers haven't requested privacy-specific certification
  • Other privacy mechanisms (DPAs, SOC 2 + Privacy) satisfy requirements

ISO 27701 Structure

Building on ISO 27001

ISO 27701 extends the core ISO 27001 clauses with privacy-specific requirements:

ISO 27001 Clause | ISO 27701 Extension
Clause 4 (Context) | Understanding the PII processing context, including whether the organization acts as PII controller, PII processor or both
Clause 5 (Leadership) | Privacy responsibilities and roles
Clause 6 (Planning) | Privacy risk assessment alongside security risk assessment
Clause 7 (Support) | Privacy awareness and competence
Clause 8 (Operation) | Privacy in operational controls
Clause 9 (Evaluation) | Privacy performance monitoring
Clause 10 (Improvement) | Learning from privacy incidents and nonconformities

Privacy-Specific Controls

ISO 27701 adds two annexes that list privacy-specific controls (the implementation guidance for them sits in the standard's clauses 7 and 8):

Annex A: PII Controller Controls (31 controls)
For organizations that determine purposes and means of processing:

  • Conditions for collection and processing
  • Data subject rights obligations
  • Privacy by design requirements
  • Consent management
  • Data minimization

Annex B: PII Processor Controls (18 controls)
For organizations that process on behalf of controllers:

  • Processing only on documented instructions
  • Sub-processor management
  • Assisting controllers with data subject requests
  • Data return and deletion
  • Processing records

Key Privacy Concepts in ISO 27701

Data Subject Rights

ISO 27701 requires organizations to support data subject rights:

Right | Requirement
Access | Provide individuals with a copy of their data
Rectification | Correct inaccurate personal data
Erasure | Delete personal data when required
Portability | Provide data in a structured, portable format
Objection | Honor objections to certain processing
Restriction | Limit processing when requested

Privacy by Design

The standard's privacy-by-design-and-by-default controls require building privacy into processes and systems from the outset rather than bolting it on afterwards. The seven foundational principles of Privacy by Design (originally formulated by Ann Cavoukian) summarize that intent:

Principle | Application
Proactive | Anticipate privacy issues before they arise
Privacy by default | Privacy-protective settings apply without user action
Embedded | Privacy integrated into design and architecture
Full functionality (positive-sum) | Privacy and functionality, not either/or
End-to-end | Protection throughout the data lifecycle
Visibility and transparency | Operations are open to verification
User-centric | Respect for individual privacy and interests

Processing Records

ISO 27701 requires documented records of processing activities:

Record Element | Purpose
Categories of PII | What personal data you process
Processing purposes | Why you process it
Data subjects | Whose data you process
Recipients | Who receives the data
Transfers | Cross-border data movements
Retention | How long you keep data
Security measures | How you protect data

Relationship to GDPR

Supporting GDPR Compliance

ISO 27701 aligns closely with GDPR requirements:

GDPR Requirement | ISO 27701 Coverage
Lawful basis for processing | Processing conditions controls
Data subject rights | Rights management controls
Privacy by design | Design and default controls
Processing records | Records management requirements
Data protection impact assessments | Risk assessment integration
Data processor requirements | Processor-specific controls
Breach notification | Incident management requirements

Important Clarification

ISO 27701 certification does not equal GDPR compliance. The standard supports GDPR compliance by providing a systematic framework, but GDPR compliance involves additional legal, organizational, and operational considerations beyond what certification covers.

Certification Process

Prerequisites

To pursue ISO 27701 certification, you need:

  1. An ISO 27001-conformant ISMS (already certified, or audited in the same combined audit)
  2. Extended ISMS scope to cover PII processing
  3. Privacy-specific controls implemented
  4. PIMS documentation established

Certification Approach

ISO 27701 certification typically occurs as an extension to ISO 27001:

Approach | Description
Combined initial audit | Pursue ISO 27001 + ISO 27701 together
Extension audit | Add ISO 27701 to an existing ISO 27001 certification
Surveillance extension | Add during an annual surveillance audit

Timeline Considerations

Scenario | Additional Timeline
Adding to an ISO 27001 project | 2-4 weeks additional
Adding to an existing ISO 27001 certification | 4-8 weeks as a standalone project
Combined initial certification | Included in the overall timeline

ISO 27701 vs. Other Privacy Standards

Comparison with ISO 27018

Aspect | ISO 27701 | ISO 27018
Scope | All PII processing | PII processed in public cloud services
Applicability | PII controllers and PII processors | Public cloud providers acting as PII processors
Certification | Yes, as an extension to an ISO 27001 certification | No standalone certificate; ISO 27018 is a code of practice whose controls can be added to an ISO 27001 scope and statement of applicability and audited within that certification
Focus | Comprehensive privacy management system | Cloud-specific PII protection controls

When to Choose Each

  • ISO 27701: Comprehensive privacy management for any processing
  • ISO 27018: Specific to cloud PII processing contexts
  • Both: For cloud service providers handling significant PII

Practical Implementation

Roles and Responsibilities

ISO 27701 requires clear assignment of privacy responsibilities:

Role | Responsibilities
Privacy Officer/DPO | Overall privacy program oversight
Management | Privacy commitment and resources
Process owners | Privacy in business processes
IT/Security | Technical privacy controls
Legal | Regulatory compliance guidance

Key Implementation Areas

Area | Activities
Data inventory | Identify and document all PII processing
Legal basis | Document the lawful basis for each processing activity
Consent management | Implement consent collection and tracking
Rights fulfillment | Establish processes for data subject requests
Vendor management | Ensure processor agreements are in place
Incident response | Include privacy breach procedures
Training | Privacy awareness for all staff

Common Questions

Can I get ISO 27701 without ISO 27001?

No. ISO 27701 is explicitly designed as an extension to ISO 27001. You need the foundation certification first. However, you can pursue both simultaneously.

Does ISO 27701 replace GDPR compliance assessments?

No. ISO 27701 provides a framework that supports GDPR compliance, but it doesn't replace legal analysis, data protection impact assessments, or other GDPR-specific requirements. Think of it as a tool to help achieve and demonstrate compliance, not proof of compliance itself.

Is ISO 27701 recognized by regulators?

ISO 27701 is increasingly recognized as evidence of good privacy practices. It is not a regulatory requirement, and it has not been approved as a certification mechanism under GDPR Article 42, but it demonstrates a systematic commitment to privacy that regulators generally view favorably.

Should I pursue ISO 27701 or SOC 2 + Privacy?

They serve different purposes:

  • ISO 27701: International recognition, systematic PIMS, GDPR alignment
  • SOC 2 + Privacy: US-focused, attestation report, detailed control evidence

Organizations serving both US and international markets may benefit from both.

The Path Forward

Recommended Sequence

For most organizations:

  1. ISO 27001 — Establish foundation security management
  2. Evaluate privacy needs — Assess customer requirements and regulatory context
  3. ISO 27701 — Add when privacy certification adds business value

Integration Approach

If you anticipate needing ISO 27701:

  • Build privacy considerations into your ISO 27001 implementation
  • Document PII processing from the start
  • Include privacy in your risk assessment methodology
  • Train staff on both security and privacy

This integrated approach makes eventual ISO 27701 certification more efficient.



