ISO/IEC 27701:2025 is the international management system standard for privacy information management. With ISO 27701 certification, you demonstrate that your organization has systematically established the responsibilities, processes and controls required to manage privacy risks within a Privacy Information Management System, or PIMS.
Brand Compliance is an independent certifying body and conducts ISO 27701 certification audits under accreditation from the Dutch Accreditation Council, or RvA. ISO/IEC 27701 is included in our RvA scope of accreditation under registration number C548.
✔ Certification to ISO/IEC 27701:2025
✔ Can be certified independently or combined with ISO/IEC 27001
✔ Independent certification audit
✔ Certification under RvA accreditation
What is ISO/IEC 27701:2025?
ISO/IEC 27701:2025 specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System, abbreviated as PIMS.
A PIMS provides a structured approach to managing privacy risks and protecting personally identifiable information, also known as PII. The management system defines responsibilities, processes, privacy objectives, risk assessments and controls.
The standard is suitable for public, private and non-profit organizations that collect, process, store or manage personally identifiable information.
ISO 27701 can be certified independently
ISO/IEC 27701:2025 is a standalone management system standard. Your organization therefore does not need to be certified to ISO/IEC 27001 before obtaining ISO 27701 certification.
Does your organization already have an Information Security Management System based on ISO/IEC 27001? The ISMS and PIMS can then be aligned and managed within a single integrated management system. The harmonized structure enables different ISO management system standards to be combined.
Why obtain ISO 27701 certification?
Organizations process increasing amounts of personal data. At the same time, customers, clients, supply chain partners and supervisory authorities are placing increasingly stringent requirements on the protection of this information.
ISO 27701 certification provides an independent assessment of whether your PIMS conforms to the requirements of ISO/IEC 27701:2025 and has been effectively implemented.
ISO 27701 certification contributes to:
- demonstrable control of privacy risks;
- clearly defined roles and responsibilities;
- a consistent approach to processing and protecting PII;
- structured monitoring and improvement of privacy processes;
- increased confidence among customers, clients and supply chain partners;
- international recognition of the management system;
- demonstrability of how your organization fulfils its privacy responsibilities.
ISO states that ISO/IEC 27701 can strengthen accountability and demonstrable privacy management and can contribute to substantiating how an organization addresses international privacy legislation.
ISO 27701 and the GDPR
The General Data Protection Regulation, or GDPR, is European legislation. ISO/IEC 27701 is an international management system standard.
ISO 27701 provides a structured framework that enables your organization to manage privacy risks, responsibilities and processes. The standard can therefore contribute to demonstrating how your organization fulfils its obligations under the GDPR.
However, an ISO 27701 certificate is not a formal GDPR certification. The standard does not replace the GDPR, and a certification audit is not a legal assessment of full compliance with privacy legislation.
Which organizations is ISO 27701 suitable for?
ISO 27701 certification is relevant to organizations that collect, process, store, share or manage personal data.
The standard is particularly suitable for:
- software suppliers and SaaS organizations;
- cloud providers and IT service providers;
- healthcare organizations;
- financial service providers;
- government authorities;
- professional service providers;
- organizations that process personal data on behalf of clients;
- organizations that want demonstrable control of privacy risks;
- organizations whose customers or clients require ISO 27701 certification.
The standard is suitable for both PII controllers and PII processors. An organization may also perform both roles, depending on the specific processing of PII.
What do you demonstrate with ISO 27701 certification?
ISO 27701 certification provides an independent assessment of whether your organization systematically manages privacy risks within a Privacy Information Management System, or PIMS.
The certification audit assesses how your organization:
- has defined responsibilities for privacy and the processing of PII;
- assesses and treats privacy risks;
- has implemented appropriate processes and controls;
- monitors and evaluates the performance of the PIMS;
- addresses nonconformities and continually improves the management system.
An ISO 27701 certificate gives customers, clients and other interested parties demonstrable confidence in the way your organization manages privacy information.
What does ISO 27701 certification cost?
The cost of ISO 27701 certification depends on the specific circumstances of your organization. Factors affecting the audit time and costs include:
- the number of employees within the scope;
- the number of locations;
- the scale and complexity of the PII processing activities;
- the role of the organization as a PII controller and/or PII processor;
- the complexity of processes, systems and outsourced activities;
- the selected scope;
- the presence of an existing ISO 27001 management system;
- the possibility of combining the ISO 27001 and ISO 27701 audits.
The total costs may include audit preparation, the conduct of the audits, reporting, the certification decision, certificate issuance, administrative processing and any travel time.
A reliable cost estimate can only be prepared after we have received the relevant information about your organization.
Combining ISO 27701 with ISO 27001
ISO 27001 focuses on the Information Security Management System. ISO 27701 focuses on the Privacy Information Management System.
Since the publication of the 2025 edition, ISO 27701 can be implemented and certified independently. Organizations already working with ISO 27001 can integrate both management systems. This enables elements such as the organizational context, internal audits, management reviews and improvement processes to be aligned.
Where both management systems operate within the same scope, it may be possible to combine parts of the certification audits. The exact audit approach and audit time are determined during the application review.
Transition from ISO/IEC 27701:2019 to ISO/IEC 27701:2025
ISO/IEC 27701:2019 was structured as an extension to ISO/IEC 27001 and ISO/IEC 27002. The 2025 edition has been rewritten as a standalone management system standard.
Organizations with an existing ISO/IEC 27701:2019 certificate must transition to ISO/IEC 27701:2025 within the applicable transition period.
Read which changes are required, how the transition audit is conducted and when the transition must be completed in our knowledge base article: Transition to ISO 27701:2025.
ISO 27701 certification under RvA accreditation
Brand Compliance is an independent certifying body for management systems in the fields of privacy, information security and quality.
Our accreditation for ISO/IEC 27701 certification is included in the scope of accreditation of the Dutch Accreditation Council under registration number C548. The scope covers ISO/IEC 27701 certification in accordance with ISO/IEC 27706.
An audit under accreditation means that Brand Compliance operates in accordance with established requirements relating to:
- independence and impartiality;
- the competence of auditors and certification decision-makers;
- the conduct of certification audits;
- reporting and certification decision-making;
- the handling of complaints and appeals;
- monitoring of the certification cycle.
Brand Compliance conducts the certification audit but does not provide management system consultancy or implement the PIMS for your organization.
ISO/IEC 27701:2025 is the international management system standard for privacy information management. The standard specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System.
PIMS stands for Privacy Information Management System. It is the management system through which an organization systematically manages privacy risks, responsibilities, processes and controls relating to personally identifiable information.
Yes. ISO/IEC 27701:2025 is a standalone management system standard. ISO 27001 certification is therefore not a prerequisite for ISO 27701 certification. However, the two management systems can be integrated.
No. ISO 27701 certification assesses a Privacy Information Management System against the requirements of ISO/IEC 27701. It is not a formal GDPR certification and does not replace a legal assessment of compliance with the GDPR.
The current version is ISO/IEC 27701:2025. This edition replaces ISO/IEC 27701:2019 and has been structured as a standalone management system standard.
Your organization must have implemented the PIMS. The internal audit and management review must also have been completed, and sufficient audit evidence must be available to assess the performance of the management system.
This may be possible where the management systems and their scopes are aligned. During the application review, Brand Compliance determines whether a combined audit is possible and what audit time is required.
The costs depend on factors including the size of your organization, the scope, the number of locations, the complexity of the PII processing activities and any combination with ISO 27001. Following the application review, Brand Compliance can prepare an appropriate cost estimate.
ISO/IEC 27018 provides guidance and controls for protecting PII in public cloud environments where the public cloud service provider acts as a PII processor.
ISO/IEC 27701 is a certifiable management system standard for privacy information management. The standard is applicable to different types of organizations and is not limited to public cloud environments.
