The protection of personal data requires a systematic and verifiable approach. With ISO 27701 certification, your organization demonstrates that its Privacy Information Management System (PIMS) is managed, monitored and continuously improved in accordance with an internationally recognized extension to ISO 27001.

Would you like to understand what ISO 27701 means for your organization?
Schedule a free introductory call with one of our experts.

ISO 27701 certification

What is ISO 27701?

ISO 27701 is the international privacy extension to ISO 27001 and ISO 27002. The standard specifies additional requirements and guidance for establishing, implementing, maintaining, and continually improving a Privacy Information Management System (PIMS).

ISO 27701 helps organizations:

  • manage privacy risks in a structured way;
  • document and demonstrate how Personally Identifiable Information (PII) is processed;
  • clarify responsibilities for PII controllers and PII processors;
  • strengthen trust among clients, partners and regulators.

As an add-on, ISO 27701 certification is only possible in combination with an accredited ISO 27001 certificate.

ISO 27701 under accreditation (RvA C548)

Brand Compliance is accredited by the Dutch Accreditation Council (RvA) under registration number C548 for the certification of Information Security and Privacy Management Systems, including ISO 27001 in combination with ISO 27701.

The accreditation has been granted in accordance with ISO/IEC 27006 and ISO/IEC TS 27006-2. These standards specify the requirements for certification bodies that perform audits of information security and privacy management systems. This ensures that ISO 27701 audits are carried out independently, objectively and in line with internationally accepted criteria.

ISO 27701 and the Privacy Information Management System (PIMS)

ISO 27701 introduces additional PIMS requirements for:

  • PII controllers, who determine the purposes and means of processing;
  • PII processors, who process PII on behalf of controllers.

The standard expands ISO 27001 with requirements related to:

  • transparency of processing activities;
  • data subject rights;
  • PII lifecycle management;
  • documentation of responsibilities;
  • risk-based privacy controls.

The PIMS integrates fully into the ISO 27001 management system, following the same structure (context, risk assessment, internal audit, management review and continual improvement).

ISO 27701 requirements

ISO 27701 includes additional requirements beyond ISO 27001, including:

  • documented responsibilities for PII controllers and processors;
  • privacy-specific controls and objectives;
  • additional documentation and transparency obligations;
  • measures for handling data subject rights;
  • risk treatment activities tailored to PII processing;
  • procedures that support accountability and demonstrability.

These requirements build upon — and must align with — all applicable ISO 27001 requirements.

ISO 27701 certification process

The certification process typically includes the following steps:

  1. Purchase the ISO 27701 standard, for example through NEN.
  2. Schedule a non-binding introductory meeting to discuss the certification process.
  3. Optionally, participate in training to gain the necessary understanding of ISO 27701 and PIMS requirements.
  4. Implement the PIMS as an extension to the existing ISO 27001 management system.
  5. Conduct internal audits to evaluate whether the PIMS meets the standard’s requirements.
  6. Perform the management review, including evaluation of audit results and corrective actions.
  7. A Brand Compliance auditor performs the accredited certification audit, assessing whether the PIMS complies with ISO 27701.
  8. When all requirements are met, the ISO 27701 certificate is issued as an add-on to the ISO 27001 certificate.

ISO 27701 certification costs

The overall cost of ISO 27701 certification depends on several factors, including:

  • organizational size and structure;
  • number of sites;
  • complexity of PII processing activities;
  • maturity of existing privacy and security practices;
  • the scope and boundaries of the PIMS.

Certification costs generally consist of audit preparation, audit execution, reporting, certificate issuance, administrative activities and travel time where applicable.

A cost estimate can only be provided based on your organization’s specific situation.

Schedule an introductory call for an accurate cost calculation.

What is the difference between ISO 27001 and ISO 27701?

ISO 27001 focuses on information security management. ISO 27701 extends this framework with additional privacy requirements for PII controllers and PII processors. ISO 27701 can only be certified in combination with ISO 27001.

What is the difference between ISO 27701 and ISO 27018?

ISO 27018 provides guidelines for protecting PII in public cloud environments. ISO 27701, on the other hand, defines a full privacy management extension (PIMS) applicable to all types of organizations.

What is the relationship between ISO 27701 and GDPR?

The GDPR is legislation, while ISO 27701 is an international standard. ISO 27701 supports organizations in demonstrating structured privacy management aligned with GDPR principles, but it does not replace the law and is not a formal GDPR certification.

In addition, organizations may need to comply with sector-specific privacy requirements depending on their industry and regulatory environment.

Can ISO 27701 be certified independently?

No. ISO 27701 certification is only available as an add-on to an accredited ISO 27001 certification.