Illumen
Illumen provides expert cybersecurity and compliance consulting services to help organizations protect their digital assets and meet regulatory requirements.
© 2026 Illumen. All rights reserved.

Your Step-by-Step Guide to ISO 27701 Privacy Management Certification
ISO 27701

The Complete ISO 27701 Compliance Checklist

ISO 27701 extends ISO 27001 with a Privacy Information Management System for organizations acting as PII controllers or processors. This checklist guides you through implementing privacy controls, conducting privacy risk assessments, and achieving certification.

Understanding ISO 27701

What Is ISO 27701 — and Why Does It Matter?

ISO/IEC 27701 is an international standard that provides guidance for establishing, implementing, maintaining, and continually improving a Privacy Information Management System (PIMS) as an extension to ISO/IEC 27001 and ISO/IEC 27002.

The standard helps organizations manage privacy risks related to personally identifiable information (PII) and supports demonstrating accountability under privacy regulations such as GDPR; the standard's own Annex D maps its controls to GDPR articles. Note that an ISO 27701 certificate is evidence of a managed privacy program, not a regulator-issued GDPR certification.

ISO 27701 specifies requirements and provides guidance for PII controllers and PII processors, supporting the integration of privacy controls into an existing information security management system (ISMS).

  • 49 privacy-specific controls
  • GDPR aligned
  • Scope covers PII controllers and PII processors

Your Roadmap

The 8-Step ISO 27701 Compliance Checklist

Work through the steps in order: each step builds on the previous one.

Step 1 (Prerequisite)

Establish ISO 27001 ISMS

Ensure the prerequisite management system is in place

ISO 27701 extends the ISO 27001 ISMS into a Privacy Information Management System (PIMS). Under ISO/IEC 27701:2019, certification is issued only as an extension of an ISO 27001 certificate, so an established ISMS (certified, or on a certification track that can run alongside the PIMS work) is required before the privacy-specific controls and management processes can be audited.

Key Actions:

Verify that your ISO 27001 ISMS is fully implemented and ideally certified
Ensure the ISMS scope includes all operations involving PII processing
Review your existing risk assessment methodology for suitability in addressing privacy risks
Confirm your certification body is accredited to audit against ISO 27701
If not yet ISO 27001 certified, plan to implement both standards in parallel
Secure executive commitment to extending the ISMS into a privacy management system

Helpful Resources:

Learn about ISO 27001
Get PIMS implementation guidance
Step 2 (1-2 weeks)

Define PIMS Scope

Determine your role as PII controller, processor, or both

ISO 27701 distinguishes between PII controllers (who determine the purposes and means of processing) and PII processors (who process PII on behalf of controllers). Your role determines which controls apply and how your PIMS is structured.

Key Actions:

Determine whether your organization acts as a PII controller, PII processor, or both
Identify all PII processing activities and their legal bases across your operations
Map PII categories, data subjects, and processing purposes for each business function
Identify jurisdictions where PII is collected, processed, and stored, and applicable privacy laws
Document relationships with PII controllers (if you are a processor) or processors (if you are a controller)
Define the PIMS scope statement as an extension of your ISO 27001 ISMS scope

Helpful Resources:

Get PIMS scoping help
Step 3 (2-4 weeks)

Conduct Privacy Risk Assessment

Identify and evaluate risks to PII

Extend your ISO 27001 risk assessment to specifically address privacy risks. This includes evaluating risks to PII principals arising from your processing activities, assessing the impact of potential privacy breaches, and identifying where additional privacy controls are needed.

Key Actions:

Extend your risk assessment methodology to include privacy impact criteria (harm to individuals, regulatory penalties, reputational damage)
Identify privacy-specific threats: unauthorized access, excessive collection, purpose creep, cross-border transfer risks
Assess the impact of potential privacy breaches on PII principals (data subjects)
Evaluate the effectiveness of existing privacy controls and identify gaps
Consider conducting Data Protection Impact Assessments (DPIAs) for high-risk processing activities
Document privacy risks in your risk register alongside information security risks

Helpful Resources:

Get privacy risk assessment help
Step 4 (1-2 weeks)

Map ISO 27701 Controls

Identify applicable privacy controls for your role

ISO 27701 provides 49 privacy-specific controls, listed for PII controllers in Annex A and for PII processors in Annex B, with the detailed guidance in Clauses 7 and 8. It also refines the ISO 27001 management-system requirements (Clause 5) and the ISO 27002 controls (Clause 6) for PII, so the mapping must cover those refinements as well as the Annex A/B controls. Map all of this against your current practices to build your implementation roadmap.

Key Actions:

Review Annex A controls (31 controls for PII controllers) covering conditions for processing, obligations to PII principals, and privacy by design
Review Annex B controls (18 controls for PII processors) covering customer agreements, purpose limitation, and sub-processor management
Identify controls that apply based on your role as controller, processor, or both
Map existing privacy practices (GDPR measures, privacy policies) against ISO 27701 control requirements
Document gaps requiring additional controls or documentation
Update your Statement of Applicability to include all applicable ISO 27701 controls with justifications

Helpful Resources:

Get control mapping assistance
ISO 27701 Standard
Step 5 (4-8 weeks)

Implement Privacy Controls

Deploy controls for PII protection and privacy management

Implement the privacy controls identified in your gap analysis. These controls go beyond information security to address the full privacy lifecycle including lawful processing, purpose limitation, data subject rights, cross-border transfers, and privacy by design.

Key Actions:

Implement lawful basis determination and documentation for all PII processing activities
Establish consent management mechanisms where consent is the legal basis for processing
Deploy data minimization controls limiting PII collection and retention to what is necessary
Implement cross-border PII transfer safeguards including adequacy assessments and transfer mechanisms
Establish privacy by design processes integrating privacy considerations into new projects and systems
Implement PII de-identification, pseudonymization, and anonymization capabilities where appropriate

Helpful Resources:

Get privacy control implementation help
Step 6 (3-5 weeks)
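The data-minimization and pseudonymization actions above are the ones most often implemented incorrectly, typically by hashing an identifier with an unkeyed SHA-256 and calling the result "anonymized". The following Python example is added here as an illustration and is not code from the original page or from Illumen; the record, the field policy and the key handling are constructed for the example. It applies a purpose-specific field policy to a PII record (drop what the purpose does not need, generalize what can be coarsened, pseudonymize what must remain joinable) and shows why a keyed HMAC token resists a dictionary attack that an unkeyed hash does not.

```python
"""Data minimization and keyed pseudonymization of a PII record.

Added illustration; not from the original page. The record, the policy and
the key handling are constructed assumptions, not a real dataset.
"""
import hashlib
import hmac
import os

# Constructed sample record; not real data.
SAMPLE_RECORD = {
    "email": "Alice.Example@example.com",
    "full_name": "Alice Example",
    "dob": "1987-04-12",
    "postal_code": "94107",
    "order_total": 42.50,
}

# Field policy for one purpose (an analytics export). It is the purpose
# limitation decision written down: a field that is not listed is dropped.
ANALYTICS_POLICY = {
    "email": "pseudonymize",       # needed only to join orders per customer
    "dob": "year_only",            # an age band is enough for the purpose
    "postal_code": "region_only",  # coarse geography only
    "order_total": "keep",
    # "full_name" is absent on purpose: not needed, so never exported
}


def naive_hash(value: str) -> str:
    """Unkeyed SHA-256 of a normalised value. The weak baseline: anyone with
    a candidate list (customer emails, a breach dump) can recompute these."""
    return hashlib.sha256(value.strip().lower().encode()).hexdigest()


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed pseudonym via HMAC-SHA256. Deterministic, so one customer maps to
    one token across datasets, but reversing it requires the key. The output
    is still personal data under GDPR while the key exists somewhere."""
    return hmac.new(key, value.strip().lower().encode(), hashlib.sha256).hexdigest()


def generalize(field: str, value, action: str):
    """Coarsen a value according to the policy action."""
    if action == "keep":
        return value
    if action == "year_only":        # "1987-04-12" -> "1987"
        return value[:4]
    if action == "region_only":      # "94107" -> "941XX"
        return value[:3] + "XX"
    raise ValueError(f"unknown action {action!r} for field {field!r}")


def apply_policy(record: dict, policy: dict, key: bytes) -> dict:
    """Return the minimized view of one record for a given purpose.
    Fields without a policy entry never reach the output."""
    out = {}
    for field, action in policy.items():
        if field not in record:
            continue
        if action == "pseudonymize":
            out[field + "_token"] = pseudonymize(record[field], key)
        else:
            out[field] = generalize(field, record[field], action)
    return out


def dictionary_attack(tokens, candidates):
    """Try to re-identify tokens from a candidate list using the unkeyed hash.
    Succeeds against naive_hash output, fails against HMAC tokens."""
    table = {naive_hash(c): c for c in candidates}
    return {t: table[t] for t in tokens if t in table}


if __name__ == "__main__":
    # Assumed key management: in production the key comes from a KMS/HSM and
    # is never shipped with the pseudonymized export.
    key = os.urandom(32)
    print(apply_policy(SAMPLE_RECORD, ANALYTICS_POLICY, key))
```

The design point is that the policy, not the code path, decides which fields exist in the export; adding a field for a new purpose is a documented policy change, which is what the purpose-limitation and records-of-processing controls expect to see. Rotating or destroying the HMAC key is also what turns the pseudonymized export into effectively anonymized data, so the key's lifecycle belongs in the retention procedure.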

Develop Privacy Policies

Create the documentation framework for your PIMS

ISO 27701 requires specific privacy documentation including a PII processing policy, privacy notices, records of processing activities, and privacy impact assessments (DPIAs, in GDPR terms). These documents form the governance backbone of your privacy management system.

Key Actions:

Develop a PII processing policy documenting the organization's approach to privacy management
Create or update privacy notices providing transparent information to PII principals
Establish records of processing activities (ROPA) documenting all PII processing operations
Develop data subject rights procedures covering access, rectification, erasure, portability, and objection
Create sub-processor management procedures for evaluating, onboarding, and monitoring sub-processors
Document PII breach management procedures including notification timelines and communication templates

Helpful Resources:

Get privacy policy development help
Step 7 (1-2 weeks)

Conduct Internal Audit

Verify PIMS controls before the certification audit

Extend your internal audit program to cover ISO 27701 privacy controls. The audit should evaluate whether your PIMS meets the standard's requirements and whether privacy controls are operating effectively to protect PII.

Key Actions:

Add ISO 27701 controls to your internal audit program covering both Annex A and Annex B as applicable
Audit PII processing activities against documented legal bases and processing purposes
Verify data subject rights processes through test requests and response time measurements
Review records of processing activities for completeness and accuracy
Test PII breach notification procedures and cross-border transfer safeguards
Document findings and ensure remediation of nonconformities before the certification audit

Helpful Resources:

Schedule an internal audit
ISO Internal Audit Service
Step 8 (3-5 weeks)

Seek Certification

Obtain ISO 27701 certification as an ISO 27001 extension

Work with your certification body to add ISO 27701 to your ISO 27001 certification. The audit evaluates your PIMS including privacy controls, processing records, and data subject rights processes. Your certificate will specify your certified role as controller, processor, or both.

Key Actions:

Engage your ISO 27001 certification body to add ISO 27701 to your certification scope
Align the ISO 27701 audit with your next ISO 27001 surveillance or recertification for efficiency
Prepare comprehensive evidence for all privacy controls including processing records and consent mechanisms
Demonstrate data subject rights fulfillment, breach notification processes, and cross-border transfer safeguards
Address any nonconformities identified during the certification audit promptly
Receive your extended certificate specifying your role (PII controller, PII processor, or both)

Helpful Resources:

Get certification support
ISO 27701 framework details

Feeling overwhelmed? You don't have to do this alone.

Get Expert Help
Learn More About ISO 27701
Budget Planning

What ISO 27701 Compliance Actually Costs

Transparent cost ranges so you can plan and budget. Costs vary based on organization size, current security posture, and environment complexity.

Typical Cost Range
$40K - $150K (add-on)

Including preparation, tooling, and assessment fees

Timeline to Compliance
4-8 months

Depending on current maturity and scope

Audit & Assessment
ISO 27701 is certified as an extension to ISO 27001. The certification audit evaluates your Privacy Information Management System and can be conducted alongside ISO 27001 surveillance or recertification audits. The certificate specifies whether you are certified as a PII controller, processor, or both.

Independent verification of your compliance

Costs People Forget
GRC platform licensing

Compliance management and evidence collection tools

Security tooling

SIEM, EDR, vulnerability scanning, encryption tools

Internal staff time

Hundreds of hours across IT, security, and leadership

Ongoing maintenance

Annual reviews, continuous monitoring, recertification

The ROI of Compliance

The cost of non-compliance far exceeds the investment in getting certified. Consider what's at stake:

Win new business and contracts that require certification
Reduce breach risk and avoid costly incident response
Build trust with customers, partners, and stakeholders
Avoid regulatory penalties and reputational damage
Streamline operations with mature security processes

The question isn't whether you can afford compliance — it's whether you can afford not to have it.

How We Can Help

Don't Navigate ISO 27701 Alone

Illumen specializes in helping organizations achieve ISO 27701 compliance — from initial assessment through certification. We meet you wherever you are in the journey.

Gap Assessment

Know exactly where you stand against requirements

Remediation

Close gaps with expert guidance and support

Documentation

Policies, procedures, and evidence packages

Schedule a Free Consultation
Explore ISO 27701 Services
FAQ

Frequently Asked Questions

Common questions about ISO 27701 compliance and certification.