ISO/IEC 27701.

ISO 27701 is the privacy-information-management extension to ISO 27001. Adds controller and processor obligations on top of the ISMS. Useful for organisations that want a single certifiable management system covering both security and privacy. Maps onto the GDPR but does not "replace" GDPR compliance work.

By Christophe Mazzola, Practicing CISO · Founder of Cyber AcademyPrivacy & data protectionAll entries

The Cyber Academy take

ISO 27701 is the privacy-information-management extension to ISO 27001. Adds controller and processor obligations on top of the ISMS. Useful for organisations that want a single certifiable management system covering both security and privacy. Maps onto the GDPR but does not "replace" GDPR compliance work.

An extension, not a standalone standard

ISO/IEC 27701 does not stand on its own. It is built as an extension to ISO/IEC 27001 and ISO/IEC 27002, which means you cannot certify to it without first having a working information security management system (ISMS). The standard takes the security controls you already operate and layers privacy-specific requirements and guidance on top, turning the ISMS into a Privacy Information Management System (PIMS). For an organisation that already runs ISO 27001, this is an efficient move: you reuse the same governance, the same risk methodology, the same audit cycle, and you extend the scope to cover the handling of personally identifiable information (PII).

That architectural choice is the whole point. Rather than running privacy as a separate programme with its own committees and its own evidence, ISO 27701 lets you certify a single management system that covers both security and privacy. The Statement of Applicability is broadened, the risk assessment now considers privacy risk to individuals and not only risk to the organisation, and the same certification body audits the lot in one engagement.

Controller and processor obligations

ISO 27701 splits its additional requirements along the same line that data protection law draws: between the organisation acting as a controller (deciding why and how PII is processed) and the organisation acting as a processor (handling PII on behalf of someone else). Many organisations are both at once, depending on the dataset, so the standard gives you two sets of guidance and asks you to apply whichever fits each processing activity.

  • Controller-side topics include lawful basis and purpose, consent and choice, transparency to individuals, handling data subject requests, records of processing, and obligations when you share PII with third parties.
  • Processor-side topics include acting only on documented instructions, supporting the controller with their obligations, managing sub-processors, and returning or deleting PII at the end of a contract.

In practice this is what a privacy team already does under modern data protection regimes, but ISO 27701 organises it into auditable controls with documented evidence, which is exactly what turns a privacy posture into something a third party can verify.

Where it sits next to the GDPR

The most common misreading is that ISO 27701 certification makes you GDPR compliant. It does not, and it is careful not to claim that. The GDPR is law and ISO 27701 is a voluntary management-system standard. What 27701 gives you is a structured, certifiable framework whose controls map closely onto data protection principles, so it is strong evidence of accountability and a good operating backbone. But compliance with a specific legal regime still requires your own legal analysis, your records, and your demonstrable handling of individual rights under that law.

ISO 27701 next to the GDPR
DimensionISO/IEC 27701GDPR
NatureVoluntary management-system standardBinding EU law
What it producesA certifiable PIMSLegal obligations and individual rights
Built onISO 27001 / ISO 27002Data protection principles
Verified byAccredited certification bodySupervisory authorities and courts
RelationshipMaps onto and supports complianceThe obligation 27701 helps you meet

The clean way to run it is to anchor privacy on the same ISMS you use for security, certify the combined system to ISO 27001 plus ISO 27701, and keep your data protection officer and legal team owning the law itself. The standard handles the operating discipline; they handle the interpretation.

Frequently asked questions

01Can I certify to ISO 27701 without ISO 27001?

No. ISO 27701 is an extension that requires a certified or concurrently certified ISO 27001 ISMS as its foundation. You extend the existing management system into a privacy information management system rather than building a separate one.

02Does ISO 27701 make my organisation GDPR compliant?

No. It is a voluntary standard whose controls map closely onto data protection principles, so it is strong evidence of accountability. Actual GDPR compliance still requires your own legal analysis, records, and handling of individual rights.

03What is a PIMS?

A Privacy Information Management System is what you get when ISO 27701 extends an ISO 27001 ISMS to cover the protection of personally identifiable information, adding controller and processor requirements to the security controls already in place.

04Does ISO 27701 cover both controllers and processors?

Yes. It provides separate guidance for organisations acting as PII controllers and as PII processors, and you apply whichever set fits each processing activity. Many organisations are both depending on the dataset.

05How does ISO 27701 relate to the DPO role?

They are complementary. ISO 27701 gives the management system and auditable controls, while the data protection officer owns interpretation of the law, advice, and the relationship with supervisory authorities. The standard makes the DPO's work repeatable and evidenced.

Need more than a definition?

Book a free 20-minute discovery call. We map the cohort that turns this term into an audit-ready practice.