Key Takeaways
| Point | Summary |
|---|---|
| Prerequisite | ISO 27001 certification required (can be achieved simultaneously) |
| Certification path | Combined initial, sequential, or surveillance extension |
| Audit structure | Stage 1 (documentation) + Stage 2 (implementation) |
| Timeline | 2-4 weeks additional for combined, 4-8 weeks for extension |
| Auditor | Same certification body can audit both standards |
| Cycle | 3-year certificate with annual surveillance audits |
Quick Answer: ISO 27701 certification is achieved through an extension audit to your ISO 27001 certification. You can pursue both standards together initially, add ISO 27701 after achieving ISO 27001, or extend during a surveillance audit. The process follows the same Stage 1/Stage 2 audit structure as ISO 27001, with additional scope for privacy controls.
Certification Pathways
Option 1: Combined Initial Certification
Pursue ISO 27001 and ISO 27701 together from the start.
| Phase | Duration | Activities |
|---|---|---|
| Implementation | 8-12 weeks | Build integrated ISMS/PIMS |
| Internal audit | 1-2 weeks | Combined internal audit |
| Stage 1 audit | 1-2 days | Documentation review for both standards |
| Gap closure | 1-2 weeks | Address Stage 1 findings |
| Stage 2 audit | 3-5 days | Implementation audit for both |
| Certificate issued | 2-4 weeks | ISO 27001 with ISO 27701 extension |
Best for:
- Organizations starting fresh with both requirements
- Those certain they need privacy certification
- Maximum efficiency through single implementation
Timeline: 4-5 months (vs. 3-4 for ISO 27001 alone)
Option 2: Sequential Certification
Achieve ISO 27001 first, then add ISO 27701.
| Phase | Duration | Activities |
|---|---|---|
| ISO 27001 certification | 3-4 months | Standard ISO 27001 process |
| Privacy gap analysis | 1 week | Assess PIMS requirements |
| PIMS implementation | 4-6 weeks | Implement privacy controls |
| Internal audit | 1 week | Privacy-focused audit |
| Extension audit | 1-2 days | ISO 27701-specific assessment |
| Certificate updated | 2-4 weeks | Certificate reflects extension |
Best for:
- Organizations with existing ISO 27001
- Those wanting to phase investment
- Uncertain privacy certification timeline
Timeline: 2-3 months after ISO 27001 achieved
Option 3: Surveillance Extension
Add ISO 27701 during an ISO 27001 surveillance audit.
| Phase | Duration | Activities |
|---|---|---|
| PIMS implementation | 4-6 weeks | Implement before surveillance window |
| Internal audit | 1 week | Include PIMS scope |
| Combined surveillance | 2-3 days | Surveillance + extension scope |
| Certificate updated | 2-4 weeks | Reflects ISO 27701 extension |
Best for:
- Established ISO 27001 organizations
- Timing aligned with surveillance audit
- Efficient use of audit days
Timeline: 6-8 weeks before scheduled surveillance
Stage 1 Audit: Documentation Review
What Auditors Assess
| Area | Evaluation |
|---|---|
| PIMS scope | Clearly defined, appropriate for PII processing |
| PII processing context | Documented understanding of processing activities |
| Privacy policy | Exists, appropriate, communicated |
| Risk assessment | Privacy risks identified and assessed |
| Statement of Applicability | Annex A/B controls addressed |
| Documentation | Required policies and procedures exist |
| Readiness | Ready for Stage 2 audit |
Common Stage 1 Findings
| Finding | Resolution |
|---|---|
| Incomplete PII inventory | Document all processing activities |
| Missing legal basis documentation | Complete legal basis register |
| Inadequate privacy risk assessment | Add privacy-specific risks |
| Unclear controller/processor roles | Document roles per processing activity |
| Missing data subject procedures | Develop rights fulfillment processes |
Stage 1 Outputs
- Auditor report with findings
- Confirmation of Stage 2 readiness (or not)
- Identified gaps requiring closure
- Stage 2 audit plan
Stage 2 Audit: Implementation Assessment
Audit Focus Areas
| Area | Evidence Reviewed |
|---|---|
| Management system | PIMS operational, management engaged |
| Controller controls | Annex A controls implemented (if applicable) |
| Processor controls | Annex B controls implemented (if applicable) |
| Risk treatment | Privacy risks treated as planned |
| Operational effectiveness | Controls working in practice |
| Records | Processing records, consent records, rights requests |
| Internal audit | PIMS included in audit scope |
| Management review | Privacy reviewed by management |
Common Stage 2 Findings
| Finding | Resolution |
|---|---|
| Incomplete consent records | Enhance consent capture mechanisms |
| Inadequate rights request handling | Improve DSAR procedures |
| Sub-processor oversight gaps | Strengthen sub-processor management |
| Privacy notice deficiencies | Update privacy communications |
| Incomplete processing records | Enhance record-keeping |
Stage 2 Outcomes
| Outcome | Meaning |
|---|---|
| Certification recommended | No major nonconformities, minor ones closed |
| Conditional recommendation | Minor nonconformities to close within a set timeframe |
| Not recommended | Major nonconformities require re-audit |
Choosing a Certification Body
Selection Criteria
| Criterion | Consideration |
|---|---|
| Accreditation | Accredited by a recognized body (UKAS, ANAB, etc.) |
| ISO 27701 competence | Experience with privacy certification |
| Industry experience | Understanding of your sector |
| Geographic coverage | Ability to audit your locations |
| Existing relationship | Current ISO 27001 CB can often extend |
| Scheduling | Availability aligned with your timeline |
Accreditation Bodies
| Region | Accreditation Body |
|---|---|
| UK | UKAS (United Kingdom Accreditation Service) |
| USA | ANAB (ANSI National Accreditation Board) |
| Germany | DAkkS (Deutsche Akkreditierungsstelle) |
| France | COFRAC |
| International | IAF member bodies |
Audit Day Calculation
| Factor | Impact on Days |
|---|---|
| Organization size | Larger = more days |
| PII processing complexity | More complex = more days |
| Processing locations | Multiple sites = more days |
| Controller/processor scope | Both roles = more controls |
| Integration with ISO 27001 | Combined = some efficiency |
Typical additional audit days for ISO 27701:
| Organization Size | Additional Days |
|---|---|
| Small (< 50 employees) | 0.5-1 day |
| Medium (50-250 employees) | 1-2 days |
| Large (> 250 employees) | 2-3 days |
Internal Audit Requirements
PIMS Audit Scope
| Audit Area | What to Assess |
|---|---|
| Management system | Clauses 5-11 extensions |
| Controller controls | Annex A applicability and implementation |
| Processor controls | Annex B applicability and implementation |
| Documentation | Completeness and currency |
| Operational effectiveness | Controls working in practice |
Internal Audit Frequency
| Approach | Details |
|---|---|
| Annual full audit | Complete PIMS audit annually |
| Continuous audit | Portions audited throughout the year |
| Risk-based | Higher frequency for higher-risk areas |
| Combined with ISMS | Integrated audit program |
Management Review Requirements
Privacy Agenda Items
| Topic | Input |
|---|---|
| Privacy performance | Metrics, KPIs, trends |
| Privacy incidents | Breaches, near misses, lessons learned |
| Rights requests | Volume, response times, issues |
| Audit results | Internal and external findings |
| Regulatory changes | New requirements, guidance |
| Risk landscape | Privacy risk changes |
| Improvement actions | Progress on improvements |
Management Review Output
| Decision Area | Output |
|---|---|
| Resource allocation | Budget, staffing decisions |
| Process changes | Approved improvements |
| Risk treatment | Approved risk decisions |
| Objectives | Updated privacy objectives |
| PIMS changes | Approved system changes |
Surveillance and Recertification
Surveillance Audits
| Aspect | Details |
|---|---|
| Frequency | Annually after initial certification |
| Scope | Sample of the PIMS, not a complete reassessment |
| Duration | Typically 1 additional day for ISO 27701 |
| Focus | Changes, improvements, selected controls |
Recertification Audit
| Aspect | Details |
|---|---|
| Timing | Before the 3-year certificate expires |
| Scope | Full PIMS reassessment |
| Duration | Similar to initial certification |
| Outcome | New 3-year certificate |
Common Certification Challenges
Challenge 1: Unclear PII Processing Context
| Problem | Solution |
|---|---|
| Incomplete understanding of PII processing | Comprehensive discovery exercise |
| Missing processing activities | Stakeholder interviews, system review |
| Unclear roles | Document controller/processor role per activity |
Challenge 2: Inadequate Legal Basis Documentation
| Problem | Solution |
|---|---|
| Processing without documented legal basis | Legal basis register |
| Reliance on consent without proper records | Consent mechanism enhancement |
| Legitimate interest without assessment | Complete LIAs (legitimate interest assessments) |
Challenge 3: Rights Request Process Gaps
| Problem | Solution |
|---|---|
| No formal DSAR process | Implement a request workflow |
| Unable to locate all subject data | Data mapping exercise |
| Missed response deadlines | Tracking and escalation |
Challenge 4: Sub-Processor Management
| Problem | Solution |
|---|---|
| Unknown sub-processors | Sub-processor discovery |
| Missing contracts | DPA program |
| No ongoing oversight | Sub-processor review program |
Frequently Asked Questions
Can I get ISO 27701 certified without ISO 27001?
No. ISO 27701 is explicitly an extension to ISO 27001. You cannot achieve ISO 27701 certification without an underlying ISO 27001 certification. You can pursue both simultaneously, but both standards must be met. See ISO 27701 and ISO 27001 relationship for details.
How long does ISO 27701 certification take?
If you already have ISO 27001, expect 2-3 months to add ISO 27701. If pursuing both together, expect 4-5 months total. The certification cost article breaks down the full investment.
Do I need separate auditors for ISO 27001 and ISO 27701?
No. The same certification body typically audits both standards. In fact, combined audits are more efficient. Your auditors should be competent in both information security and privacy management.
What happens if I fail the certification audit?
Major nonconformities require corrective action before certification. Your certification body will explain the specific gaps and give you time to address them before a follow-up assessment. Minor nonconformities can often be closed during the audit or shortly after.
How Bastion Helps
We guide organizations through ISO 27701 certification efficiently, whether combined with ISO 27001 or as an extension.
| Service | Description |
|---|---|
| Pathway planning | Determine optimal certification approach |
| Gap assessment | Identify what's needed for certification |
| Implementation support | Build compliant PIMS |
| Internal audit | Conduct readiness assessment |
| Audit coordination | Manage certification body relationship |
| Finding resolution | Address audit findings quickly |