ISO 27701 — Privacy Information Management System
The complete guide to ISO/IEC 27701 — the international standard that extends ISO 27001 with privacy-specific requirements and controls. Learn how PIMS works, how it aligns with GDPR, and how to get trained.
What Is ISO 27701?
ISO/IEC 27701 is the international standard for Privacy Information Management Systems (PIMS). First published in 2019 and substantially revised in 2025, it provides a structured framework for organisations to manage the privacy of personal data through documented policies, controls, and continual improvement.
The standard is built as an extension to ISO/IEC 27001 — the international standard for information security management. Where ISO 27001 protects information assets generally, ISO 27701 adds privacy-specific requirements that address how personally identifiable information (PII) is collected, used, retained, disclosed, and disposed of.
ISO 27701 is a certifiable standard, meaning organisations can be audited by accredited certification bodies and receive formal certification demonstrating their privacy management practices meet international requirements. The 2025 revision aligns with the latest ISO 27001:2022 controls and addresses updated global privacy regulations.
ISO 27701 and ISO 27001 — The Relationship
ISO 27701 cannot be implemented or certified in isolation. It is explicitly designed as an extension to ISO 27001 — your organisation must either already have an ISO 27001-aligned ISMS in place, or implement both standards together.
This integration is intentional. Privacy and information security overlap significantly: most privacy controls depend on underlying security controls (encryption, access management, monitoring), and many security incidents have privacy implications. Building PIMS on top of an ISMS avoids duplication and creates a unified governance structure.
For organisations already certified to ISO 27001, adding ISO 27701 is the most efficient path. The ISMS provides the foundation; ISO 27701 adds the privacy-specific clauses and controls. Auditors can assess both standards in a single audit cycle, reducing cost and effort.
GDPR Alignment
One of the primary reasons organisations adopt ISO 27701 is to demonstrate alignment with the EU General Data Protection Regulation (GDPR). The standard's Annex D provides a direct mapping between ISO 27701 requirements and specific GDPR articles.
Implementing ISO 27701 provides documented evidence of compliance with key GDPR principles:
- Lawfulness, fairness, and transparency (Article 5) — Through documented privacy notices and lawful basis records.
- Data subject rights (Articles 12–22) — Through formal processes for handling access, rectification, erasure, and portability requests.
- Privacy by design and default (Article 25) — Through embedded controls in the PIMS lifecycle.
- Records of processing activities (Article 30) — Through documented PIMS scope and processing inventories.
- Data protection impact assessments (Article 35) — Through structured PIA methodology in ISO 27701.
- Breach notification (Articles 33–34) — Through documented incident response and notification procedures.
- Accountability (Article 5(2)) — Through audit trails, management review, and continual improvement.
ISO 27701 certification does not replace legal obligations under GDPR — only the regulator can determine compliance with the law. However, certification provides strong evidence of accountability and is increasingly accepted by enterprise customers and supervisory authorities as a demonstration of good privacy governance.
Key ISO 27701 Requirements
PII Controllers vs Processors
ISO 27701 recognises two distinct roles in privacy management, each with different obligations:
- PII controllers — Organisations that determine the purposes and means of processing personal data. Controllers have primary accountability under privacy law and face the broadest set of obligations.
- PII processors — Organisations that process personal data on behalf of controllers (typically as a service provider). Processors have a narrower set of obligations focused on acting only on documented instructions.
The standard provides separate Annex A controls for controllers and Annex B controls for processors. Organisations that act in both roles (which is common for SaaS businesses) implement both sets of controls.
Privacy by Design
ISO 27701 requires organisations to embed privacy considerations into systems, processes, and services from the outset rather than adding them after deployment. This includes data minimisation, purpose limitation, retention controls, and default settings that protect privacy.
Data Subject Rights Handling
Organisations must establish processes to handle requests from data subjects, including access, rectification, erasure, restriction of processing, data portability, and objection. ISO 27701 requires documented procedures, defined response times, and audit trails.
Privacy Impact Assessments
The standard requires organisations to conduct privacy impact assessments (PIAs) for new processing activities or significant changes. PIAs identify privacy risks and define treatment measures before processing begins, supporting GDPR Article 35 DPIA requirements.
ISO 27701 vs ISO 27001
ISO 27701 and ISO 27001 are complementary — not competitors. Most organisations need both. Here is how they compare:
Many organisations implement both standards together to address security and privacy obligations in a single integrated management system. The combined approach is more efficient than separate programs and avoids duplicate controls.
Certification Process
ISO 27701 certification follows the same audit process as ISO 27001 because the two standards are integrated. The typical pathway is:
- Gap analysis — Compare current privacy practices against ISO 27701 requirements to identify gaps and remediation needs.
- PIMS implementation — Develop policies, procedures, controls, and records to meet the standard's clauses and Annex A/B requirements.
- Internal audit — Verify the PIMS is implemented and effective before engaging an external auditor.
- Stage 1 audit — Documentation review by an accredited certification body.
- Stage 2 audit — On-site or remote assessment of PIMS effectiveness in operation.
- Certification — Issued for 3 years with annual surveillance audits.
If you are pursuing ISO 27001 and ISO 27701 simultaneously, both standards can be assessed in a single combined audit, significantly reducing cost and effort compared to separate audit cycles.
Who Needs ISO 27701?
ISO 27701 is most valuable for organisations that handle significant volumes of personal data or face direct privacy obligations:
- SaaS companies with EU customers — GDPR creates direct obligations and ISO 27701 provides documented evidence of compliance.
- Data processors and service providers — Increasingly required by enterprise customers as part of vendor due diligence and contractual requirements.
- Healthcare and financial services — Sectors with sensitive PII and strict regulatory requirements.
- Multinational enterprises — Those operating across multiple privacy regimes benefit from a single unified PIMS standard.
- Public sector and government — Where privacy accountability is a legal and reputational priority.
- Australian organisations — For organisations subject to the Privacy Act 1988 and the Australian Privacy Principles, ISO 27701 provides a structured framework for compliance.
ISO 27701 Training Pathways
PECB offers a three-tier certification pathway for ISO 27701, suitable for everyone from new privacy professionals to experienced auditors. Mindset Cyber delivers all three courses as self-study eLearning through myPECB.
Start with Foundation if you are new to privacy management. Move to Lead Implementer if you will be building or managing a PIMS, or Lead Auditor if you will be assessing or certifying one.
Resources
Continue your ISO 27701 journey with these resources:
- ISO 27001 Certification Guide — The base information security standard that ISO 27701 extends.
- PECB ISO 27701 Foundation Course — Self-paced training, $399 AUD.
- PECB ISO 27701 Lead Implementer Course — Self-paced training, $849 AUD.
- PECB ISO 27701 Lead Auditor Course — Self-paced training, $849 AUD.
- ControlStack — Browse ISO 27001, Essential Eight, and ASD ISM controls alongside privacy guidance.
- Free Resources — Download templates, checklists, and implementation guides.
- All Courses — Browse the full catalogue of PECB training options.
Frequently Asked Questions
Common questions about ISO 27701 and Privacy Information Management Systems.
What is ISO/IEC 27701?
ISO/IEC 27701 is the international standard for Privacy Information Management Systems (PIMS). It extends ISO/IEC 27001 with privacy-specific requirements and controls, helping organisations demonstrate accountability for handling personal data. The 2025 revision aligns with the latest ISO 27001:2022 controls and updated global privacy regulations including GDPR.
Do I need ISO 27001 before implementing ISO 27701?
Yes — ISO 27701 is designed as an extension to ISO 27001. Your organisation must have an ISO 27001-aligned Information Security Management System (ISMS) in place, or implement both standards together. You cannot certify to ISO 27701 alone. The two standards can be audited and certified at the same time, which is the most efficient path.
How does ISO 27701 align with GDPR?
ISO 27701 maps directly to GDPR articles. Implementing the standard provides documented evidence of compliance with key GDPR requirements including lawfulness of processing, data subject rights, privacy by design, data protection impact assessments, and breach notification. ISO 27701 certification does not replace legal obligations but serves as strong evidence of accountability under Article 5(2).
Who needs ISO 27701 certification?
Organisations that handle personal data at scale benefit most: SaaS companies with EU customers, data processors, multinational enterprises, healthcare and financial services organisations, and any business preparing for regulatory scrutiny. It is particularly valuable for vendors and service providers who need to demonstrate privacy controls to enterprise customers as part of vendor due diligence.
What is the difference between PII controllers and processors in ISO 27701?
ISO 27701 distinguishes between PII controllers (organisations that determine how personal data is processed) and PII processors (organisations that process data on behalf of controllers). The standard provides separate Annex A and Annex B controls for each role, recognising that controllers and processors have different obligations under privacy law. Many organisations act as both depending on the data and context.
Ready to build privacy expertise?
The PECB ISO 27701 certification pathway covers PIMS fundamentals through advanced implementation and audit — all delivered as self-paced eLearning.