What is ISO 27701?
ISO 27701 is an international standard that extends ISO 27001 and ISO 27002 to address privacy information management. Officially titled "ISO/IEC 27701:2019," it provides a framework for implementing a Privacy Information Management System (PIMS), helping organizations demonstrate their commitment to protecting personal data in a systematic, auditable way.
Key Takeaways
| Point | Summary |
|---|---|
| What it is | Privacy extension to ISO 27001 for managing personally identifiable information (PII) |
| Prerequisite | Requires ISO 27001 certification as foundation |
| Scope | Covers both PII controllers and PII processors |
| Regulatory alignment | Maps to GDPR, CCPA, LGPD, and other privacy regulations |
| Certification cycle | Follows ISO 27001 cycle: 3 years with annual surveillance audits |
| Key benefit | Demonstrates systematic privacy management beyond security alone |
Quick Answer: ISO 27701 is an extension to ISO 27001 that adds privacy-specific requirements for managing personal data. You need ISO 27001 first, then add ISO 27701 to demonstrate comprehensive privacy information management. It's particularly valuable for organizations subject to GDPR or handling significant amounts of personal data.
Understanding ISO 27701
The Privacy Extension to ISO 27001
While ISO 27001 focuses on information security broadly, ISO 27701 specifically addresses the protection of personally identifiable information (PII). The standard was published in August 2019 as ISO/IEC 27701:2019 and provides guidance for establishing, implementing, maintaining, and continuously improving a Privacy Information Management System.
| Aspect | ISO 27001 | ISO 27701 |
|---|---|---|
| Focus | Information security | Privacy and PII protection |
| Whose interests | Organization's information assets | Data subjects (individuals) |
| Key concerns | Confidentiality, integrity, availability | Consent, data subject rights, lawful processing |
| Regulatory context | General security requirements | GDPR, CCPA, privacy-specific regulations |
| Standalone | Yes | No, requires ISO 27001 |
Why Privacy Needs Its Own Framework
Organizations can have excellent security practices yet still fall short on privacy. Security protects data from unauthorized access, but privacy addresses how personal data should be collected, used, shared, and deleted in accordance with individuals' rights and regulatory requirements.
Security without privacy might mean:
- Encrypting personal data but collecting more than necessary
- Restricting access but keeping data indefinitely
- Preventing breaches but not honoring deletion requests
ISO 27701 bridges this gap by adding privacy-specific controls to your existing security management system.
ISO 27701 Structure
Building on ISO 27001
ISO 27701 extends the core ISO 27001 clauses with privacy-specific requirements:
| ISO 27001 Clause | ISO 27701 Addition |
|---|---|
| Clause 4 (Context) | Understanding PII processing context and stakeholder privacy expectations |
| Clause 5 (Leadership) | Privacy responsibilities, roles, and management commitment |
| Clause 6 (Planning) | Privacy risk assessment integrated with information security risks |
| Clause 7 (Support) | Privacy awareness, competence, and communication |
| Clause 8 (Operation) | Privacy controls in operational processes |
| Clause 9 (Evaluation) | Privacy performance monitoring and measurement |
| Clause 10 (Improvement) | Privacy incident learning and continuous improvement |
Privacy-Specific Control Extensions
Beyond the management system requirements, ISO 27701 adds two annexes with privacy controls:
Annex A: PII Controller Controls (31 controls across 8 control objectives)
For organizations that determine purposes and means of processing:
- Conditions for collection and processing
- Obligations to data subjects (rights management)
- Privacy by design and default
- PII sharing, transfer, and disclosure
Annex B: PII Processor Controls (18 controls across 5 control objectives)
For organizations that process PII on behalf of controllers:
- Processing only under documented instructions
- Sub-processor management
- Assisting controllers with data subject requests
- Data return and deletion at end of service
The standard also includes Annex D (mapping to GDPR for controllers) and Annex F (mapping to GDPR for processors), providing explicit regulatory alignment guidance.
Key Concepts in ISO 27701
PII Controller vs. PII Processor
Understanding your role determines which controls apply:
| Role | Definition | Example |
|---|---|---|
| PII Controller | Determines purposes and means of processing | A SaaS company collecting customer data for its own service |
| PII Processor | Processes PII on behalf of a controller | A cloud hosting provider storing customer data |
| Joint Controller | Two or more controllers jointly determine purposes and/or means | Two companies jointly operating a loyalty program, together deciding what data to collect and how to use it |
Most organizations act as controllers for some data (employee data, data about their own direct customers) and processors for other data (for example, the end-user data their customers entrust to them).
Data Subject Rights
ISO 27701 requires systematic processes for honoring data subject rights:
| Right | Requirement |
|---|---|
| Access | Provide individuals copies of their personal data on request |
| Rectification | Correct inaccurate or incomplete personal data |
| Erasure | Delete personal data when legally required |
| Portability | Provide data in a portable, machine-readable format |
| Objection | Honor objections to certain types of processing |
| Restriction | Limit processing when requested or disputed |
Privacy by Design
ISO 27701 emphasizes embedding privacy into processes from the start:
| Principle | Application |
|---|---|
| Proactive | Anticipate and prevent privacy issues before they occur |
| Default protection | Privacy as the default setting, not an opt-in |
| Embedded | Privacy integrated into design and architecture |
| Full lifecycle | Protection throughout the data lifecycle |
| Transparency | Visibility into privacy practices |
| User-centric | Respect for individual privacy interests |
Relationship to Privacy Regulations
GDPR Alignment
ISO 27701 was designed with GDPR in mind and maps closely to its requirements:
| GDPR Requirement | ISO 27701 Coverage |
|---|---|
| Lawful basis (Art. 6) | Conditions for processing controls |
| Data subject rights (Art. 15-22) | Rights management controls |
| Privacy by design (Art. 25) | Privacy by design requirements |
| Records of processing (Art. 30) | PII inventory and documentation |
| Data protection impact assessments | Risk assessment integration |
| Processor requirements (Art. 28) | Annex B processor controls |
| Breach notification (Art. 33-34) | Incident management requirements |
Important clarification: ISO 27701 certification supports GDPR compliance but does not equal compliance. GDPR involves legal, organizational, and operational requirements beyond what any certification covers.
Other Privacy Regulations
ISO 27701's framework also maps to:
| Regulation | Region | Alignment |
|---|---|---|
| CCPA/CPRA | California, USA | Consumer rights, disclosure requirements |
| LGPD | Brazil | Similar to GDPR, strong alignment |
| PDPA | Singapore | Data protection principles alignment |
| POPIA | South Africa | Processing requirements alignment |
| PIPL | China | Controller/processor distinctions |
When Do You Need ISO 27701?
Strong Fit Scenarios
| Scenario | Why ISO 27701 Helps |
|---|---|
| GDPR applies to you | Demonstrates systematic approach to EU privacy requirements |
| Processing significant PII | Shows commitment to protecting personal data at scale |
| European enterprise customers | Increasingly requested alongside ISO 27001 |
| Privacy as a differentiator | Certified validation of privacy practices |
| Data processor role | Demonstrates responsible handling to controllers |
| Healthcare or financial services | Sector regulations often align with ISO 27701 |
Consider Waiting If
- You don't yet have ISO 27001 (prerequisite)
- You process minimal personal data
- No customers or regulators have requested privacy certification
- Other mechanisms (DPAs, SOC 2 + Privacy) currently satisfy requirements
- You're in very early stages and need to prioritize product-market fit
ISO 27701 vs. Other Privacy Standards
Comparison with ISO 27018
| Aspect | ISO 27701 | ISO 27018 |
|---|---|---|
| Scope | All PII processing contexts | PII in public cloud only |
| Applicability | Controllers and processors | Primarily cloud processors |
| Foundation | Extends ISO 27001 | Extends ISO 27001 |
| Focus | Comprehensive privacy management | Cloud-specific PII protection |
When to choose each:
- ISO 27701: Comprehensive privacy management for any processing context
- ISO 27018: Specifically for cloud service providers handling PII
- Both: Cloud providers with significant PII processing responsibilities
Comparison with SOC 2 + Privacy
| Aspect | ISO 27701 | SOC 2 + Privacy |
|---|---|---|
| Output | Certificate (via ISO 27001) | Attestation report |
| Geographic recognition | Global, especially EU/APAC | Primarily North America |
| Framework basis | ISO standards | AICPA Trust Services Criteria |
| Prerequisite | ISO 27001 | SOC 2 Security |
| Regulatory mapping | Explicit GDPR alignment | General privacy principles |
Organizations serving both US and international markets may benefit from pursuing both. Learn more in our detailed ISO 27701 vs SOC 2 Privacy comparison.
The Path to ISO 27701
Typical Approach
For most organizations, the recommended sequence is:
- Achieve ISO 27001 first to establish the foundation
- Evaluate privacy requirements based on regulations and customer needs
- Extend to ISO 27701 when privacy certification adds clear business value
Combined vs. Sequential Certification
| Approach | Sequence | Best For |
|---|---|---|
| Combined | Pursue both ISO 27001 + 27701 together | Organizations certain they need both |
| Sequential | ISO 27001 first, add 27701 later | Organizations wanting to phase investment |
| Extension audit | Add 27701 during surveillance audit | Existing ISO 27001 certified organizations |
If you anticipate needing ISO 27701, building privacy considerations into your initial ISO 27001 implementation makes eventual certification more efficient.
How Bastion Helps
Achieving ISO 27701 certification requires expertise in both information security and privacy management. Our team guides organizations through the combined ISO 27001 + 27701 journey efficiently.
| Challenge | Our Approach |
|---|---|
| Prerequisite planning | Help you achieve ISO 27001 with privacy extension in mind |
| PII inventory | Document all personal data processing activities systematically |
| Control implementation | Implement privacy controls appropriate to your role |
| GDPR mapping | Demonstrate regulatory alignment in your documentation |
| Audit preparation | Prepare for combined or extension audits |
| Ongoing maintenance | Support for surveillance audits and continuous improvement |
Frequently Asked Questions
What is the difference between ISO 27701 and ISO 27001?
ISO 27001 focuses on information security management, protecting organizational assets from unauthorized access and breaches. ISO 27701 extends this foundation to specifically address privacy, focusing on protecting individuals' rights over their personal data. You need ISO 27001 certification before you can achieve ISO 27701.
Is ISO 27701 certification mandatory?
No, ISO 27701 is a voluntary certification. However, it demonstrates systematic privacy management that supports compliance with regulations like GDPR. Many European enterprise customers increasingly request it alongside ISO 27001.
How long is ISO 27701 certification valid?
ISO 27701 follows the same 3-year certification cycle as ISO 27001. After initial certification, you undergo annual surveillance audits in years 2 and 3, then a full recertification audit in year 4.
Can I get ISO 27701 without ISO 27001?
No. ISO 27701 is explicitly designed as an extension to ISO 27001. You can pursue both certifications simultaneously, but you cannot have ISO 27701 independently. Learn more about the relationship between ISO 27701 and ISO 27001.
Sources
- ISO/IEC 27701:2019 - Security techniques, Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management
- ISO/IEC 27001:2022 - Information security management systems
- GDPR Full Text - Regulation (EU) 2016/679
- ISO/IEC 27018:2019 - Code of practice for protection of PII in public clouds
