ISO 27701 Guides

Complete guides to ISO 27701 privacy certification, PIMS implementation, and GDPR alignment.

Common Questions About ISO 27701

Quick answers to the most frequently asked questions about ISO 27701 compliance.

ISO 27701 is a privacy extension to ISO 27001 that provides guidance for establishing a Privacy Information Management System (PIMS). It helps organizations manage privacy risks and demonstrate compliance with privacy regulations like GDPR.

ISO 27701 extends ISO 27001 by adding privacy-specific requirements. You cannot achieve ISO 27701 without first having ISO 27001 certification. ISO 27701 builds on the existing ISMS to add privacy information management.

Yes, ISO 27701 was designed with GDPR in mind. Annex D provides a mapping between ISO 27701 controls and GDPR articles. Certification demonstrates systematic privacy management but doesn't guarantee full GDPR compliance.

A PIMS is a management system for privacy that helps organizations manage the processing of personally identifiable information (PII). It includes policies, procedures, and controls specifically designed for privacy protection.

ISO 27701 has separate control sets for PII controllers (organizations determining processing purposes) and PII processors (organizations processing on behalf of controllers). Organizations implement controls based on their role.

For organizations already ISO 27001 certified, ISO 27701 adds approximately EUR 5,000-15,000 for implementation and audit. New organizations must budget for ISO 27001 first plus the ISO 27701 extension. ISO 27001 pricing depends on scope, company size, and technical setup.

No, ISO 27701 is an extension standard that requires ISO 27001 as its foundation. You must first implement and certify your ISMS before adding the privacy extension to create a PIMS.

For organizations already ISO 27001 certified, ISO 27701 adds 1-3 months for implementation and integrated audit. Organizations starting fresh should plan for ISO 27001 (3-4 months) plus ISO 27701 (1-2 additional months).
