ISO 27701 and ISO 27001: Understanding the Relationship
ISO 27701 is explicitly designed as an extension to ISO 27001, not a standalone standard. Understanding this relationship is essential for planning your certification journey and implementing an effective Privacy Information Management System (PIMS).
Key Takeaways
| Point | Summary |
|---|---|
| Relationship | ISO 27701 extends ISO 27001; cannot exist independently |
| Foundation | ISO 27001 ISMS is prerequisite for ISO 27701 PIMS |
| Integration | Privacy requirements build on security management system |
| Certification | ISO 27701 certified through ISO 27001 extension |
| Efficiency | Combined implementation is more efficient than sequential |
| Maintenance | Both follow 3-year cycle with annual surveillance |
Quick Answer: ISO 27701 extends ISO 27001 by adding privacy-specific requirements. You cannot achieve ISO 27701 certification without first having (or simultaneously achieving) ISO 27001. The standards share a common management system structure, making combined implementation efficient.
How ISO 27701 Extends ISO 27001
The Extension Model
ISO 27701 follows ISO 27001's structure clause by clause (ISO 27701 clause 5 holds these PIMS-specific requirements), adding privacy-specific requirements to each section. It also requires that every reference to "information security" in ISO 27001 be read as including the protection of privacy, so the extension is not limited to the rows below:
| ISO 27001 Clause | Original Focus | ISO 27701 Addition |
|---|---|---|
| 4. Context | Organization and ISMS scope | PII processing context, privacy stakeholders |
| 5. Leadership | Management commitment, policy | Privacy responsibilities, privacy policy |
| 6. Planning | Risk assessment, objectives | Privacy risks, privacy-specific objectives |
| 7. Support | Resources, competence, awareness | Privacy competence, privacy awareness |
| 8. Operation | Operational planning, risk treatment | Privacy in operations, PII handling |
| 9. Performance | Monitoring, internal audit, review | Privacy metrics, privacy audit scope |
| 10. Improvement | Nonconformity, continual improvement | Privacy incidents, privacy improvement |
Control Extensions
Beyond management system requirements, ISO 27701 extends ISO 27001's Annex A controls (clause 6 gives privacy-specific implementation guidance for the ISO 27002 controls, and clauses 7 and 8 add guidance for PII controllers and PII processors respectively) and adds privacy-specific annexes. One caveat: ISO/IEC 27701:2019 was written against the 2013 editions of ISO 27001 and ISO 27002, so its clause 6 guidance follows the 2013 control numbering. If your ISMS is certified to ISO 27001:2022, use the correspondence table in ISO/IEC 27002:2022 Annex B to map that guidance onto the 93 current controls.
| Control Set | Source | Purpose |
|---|---|---|
| ISO 27001 Annex A | 93 security controls | Information security baseline |
| ISO 27701 Annex A | 31 controller controls | PII controller obligations |
| ISO 27701 Annex B | 18 processor controls | PII processor obligations |
| ISO 27701 Annex D | GDPR mapping | Regulatory alignment reference |
Practical Integration Points
Shared Management System Elements
The following ISMS elements extend directly to privacy:
| Element | Security Application | Privacy Extension |
|---|---|---|
| Risk assessment | Information security risks | Add privacy risks (rights, consent, lawful basis) |
| Policy framework | Information security policy | Add privacy policy, align objectives |
| Internal audit | ISMS audit program | Include PIMS scope and privacy controls |
| Management review | Security performance | Add privacy metrics and incidents |
| Document control | Security documentation | Add privacy documentation |
| Training program | Security awareness | Add privacy awareness |
Where They Diverge
| Aspect | ISO 27001 Focus | ISO 27701 Addition |
|---|---|---|
| Stakeholders | Information asset owners | Data subjects as key stakeholders |
| Rights | Organization's rights over data | Individual's rights over their data |
| Third parties | Supplier security | Processor oversight and controller instructions |
| Incidents | Security incidents | Privacy breaches, regulatory notification |
| Purpose | Protect organizational assets | Respect individual privacy |
Certification Approaches
Option 1: Combined Initial Certification
Pursue ISO 27001 and ISO 27701 together from the start.
| Phase | Activities |
|---|---|
| Implementation | Build ISMS with privacy requirements integrated |
| Documentation | Single policy set addressing both standards |
| Internal audit | Combined ISMS + PIMS audit |
| Stage 1 audit | Auditor reviews combined documentation |
| Stage 2 audit | Combined certification audit |
| Certificate | ISO 27701 certificate issued alongside, and referencing, the ISO 27001 certificate (some certification bodies issue a single combined certificate) |
Best for: Organizations certain they need both, starting fresh
Timeline: 4-5 months (vs. 3-4 for ISO 27001 alone)
Option 2: Sequential Certification
Achieve ISO 27001 first, add ISO 27701 later.
| Phase | Timeline |
|---|---|
| ISO 27001 certification | 3-4 months |
| Privacy gap assessment | 1-2 weeks |
| ISO 27701 implementation | 4-6 weeks |
| Extension audit | 1-2 weeks |
Best for: Organizations wanting to phase investment, uncertain about privacy needs
Total timeline: 5-7 months for both
Option 3: Add During Surveillance
Add ISO 27701 during an ISO 27001 surveillance audit.
| Consideration | Details |
|---|---|
| Eligibility | Must already hold ISO 27001 certification |
| Preparation | Implement the PIMS, run it long enough to produce evidence of operation, and complete an internal audit of the PIMS scope before the surveillance audit |
| Audit scope | Surveillance + extension scope |
| Certificate | Updated to reflect ISO 27701 extension |
Best for: Existing ISO 27001 organizations with clear privacy need
Building for Both from the Start
Integrated Policy Structure
| Document | ISO 27001 Requirement | ISO 27701 Addition |
|---|---|---|
| Information Security Policy | Required | Add privacy commitment |
| Privacy Policy | Not required | Required, can be combined or separate |
| Acceptable Use Policy | Common practice | Include PII handling rules |
| Data Classification | Information classification | Include PII classification |
| Access Control Policy | Required | Include PII access provisions |
| Incident Response | Required | Include privacy breach procedures |
Integrated Risk Assessment
| Risk Category | Security Focus | Privacy Addition |
|---|---|---|
| Confidentiality | Unauthorized disclosure | Add data subject harm from disclosure |
| Integrity | Data accuracy | Add impact on individual decisions |
| Availability | System uptime | Add access rights fulfillment |
| New categories | N/A | Consent validity, lawful basis, purpose limitation |
Combined Control Implementation
Many controls serve both security and privacy objectives:
| Control Area | Security Purpose | Privacy Purpose |
|---|---|---|
| Access control | Prevent unauthorized access | Ensure only necessary access to PII |
| Encryption | Protect confidentiality | Protect PII in transit and at rest |
| Logging | Security monitoring | Demonstrate processing activities |
| Retention | Storage management | Ensure PII deleted when no longer needed |
| Vendor management | Supplier security | Processor compliance with instructions |
Efficiency Gains from Integration
Shared Effort Areas
| Activity | Without Integration | With Integration |
|---|---|---|
| Gap assessment | Separate security and privacy assessments | Single combined assessment |
| Policy development | Separate policy sets | Unified policies serving both |
| Training | Separate security and privacy training | Integrated awareness program |
| Internal audits | Separate audit cycles | Combined audit program |
| External audits | Separate audit days | Combined or consecutive audits |
| Management review | Separate meetings | Single integrated review |
Cost Implications
| Approach | Relative Cost |
|---|---|
| ISO 27001 alone | 100% |
| ISO 27001 + ISO 27701 combined | ~130-140% |
| ISO 27001 then ISO 27701 later | ~150-160% |
Combined implementation typically saves 10-20% compared to sequential approaches.
Documentation Requirements
ISO 27001 Mandatory Documents Extended by ISO 27701
| Document | ISO 27001 Requirement | ISO 27701 Extension |
|---|---|---|
| Scope statement | ISMS scope | Add PIMS scope, PII processing context |
| Risk assessment | Information security risks | Add privacy risks |
| Statement of Applicability | Annex A controls | Add ISO 27701 Annex A (controller) and/or Annex B (processor) controls, depending on whether the organization acts as PII controller, PII processor, or both |
| Risk treatment plan | Security risk treatment | Add privacy risk treatment |
| Internal audit program | ISMS audits | Include PIMS scope |
Additional ISO 27701 Documentation
| Document | Purpose |
|---|---|
| PII inventory | Document all PII processing activities |
| Legal basis register | Document lawful basis for each processing activity |
| Processor agreements | Document instructions to processors |
| Data subject rights procedures | Document request handling processes |
| Privacy impact assessments | Document high-risk processing evaluations |
Common Questions
Can I get ISO 27701 without ISO 27001?
No. ISO 27701 is explicitly an extension to ISO 27001 and requires the underlying ISMS. You can pursue both simultaneously but cannot have ISO 27701 alone.
Do I need separate auditors for each standard?
No. Most certification bodies offer combined audits with auditors competent in both standards. This is more efficient than separate audits.
Does ISO 27701 add significant audit time?
Typically 1-2 additional audit days for initial certification, depending on organization size and complexity of PII processing.
Can ISO 27701 be removed while keeping ISO 27001?
Yes. If your privacy needs change, you can choose not to renew the ISO 27701 extension while maintaining ISO 27001 certification.
How Bastion Helps
We guide organizations through integrated ISO 27001 + ISO 27701 implementation, maximizing efficiency while ensuring comprehensive coverage.
| Service | Description |
|---|---|
| Integrated planning | Design implementation approach serving both standards |
| Unified documentation | Develop policies and procedures addressing both |
| Combined gap assessment | Single assessment covering security and privacy |
| Audit preparation | Prepare for combined certification audits |
| Ongoing support | Maintain both certifications efficiently |
Ready to explore integrated ISO 27001 + ISO 27701 certification? Talk to our team
Sources
- ISO/IEC 27701:2019 - Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management
- ISO/IEC 27001:2022 - Information security management systems - Requirements
- ISO/IEC 27002:2022 - Information security controls
- IAF MD 12:2016 - Assessment of certification activities for MS
