The protection of personal data requires a systematic and verifiable approach. With an ISO 27701 certification, you demonstrate that your organization has implemented a Privacy Information Management System (PIMS) that meets internationally recognized standards for privacy management and aligns with legal requirements such as the GDPR (General Data Protection Regulation).
What is ISO 27701?
ISO 27701 is the international standard that specifies requirements for establishing, implementing, maintaining, and continually improving a Privacy Information Management System (PIMS).

ISO 27701 helps organizations:
- manage privacy risks in a structured way;
- document and demonstrate how Personally Identifiable Information (PII) is processed;
- clarify responsibilities for PII controllers and PII processors;
- strengthen trust among clients, partners and regulators.
ISO 27701 and the Privacy Information Management System (PIMS)
ISO 27701 specifies requirements for PII controllers and PII processors. The standard is therefore intended for organizations that act as controllers or processors of personally identifiable information (PII) and that bear responsibility and liability for its processing.
The standard applies to organizations of all types and sizes, including public and private companies, government agencies, and non-profit organizations. The PIMS helps organizations execute privacy processes in a demonstrably structured and consistent manner.
What are the ISO 27701 requirements?
The ISO 27701 requirements are integrated into a management cycle (context, risk analysis, internal audits, management review, and continuous improvement). They include:
- documented responsibilities for PII controllers and processors;
- privacy-specific controls and objectives;
- documentation and transparency obligations;
- measures for handling data subject rights;
- risk treatment activities tailored to PII processing;
- procedures that support accountability and demonstrability.
ISO 27701 certification process
The certification process for ISO 27701 typically consists of:
- Purchase the ISO 27701 standard, for example through NEN.
- Schedule a non-binding introductory meeting to discuss the certification process.
- Optionally, attend training to gain the necessary understanding of ISO 27701 and PIMS requirements.
- Implement the PIMS.
- Conduct internal audits to evaluate whether the PIMS meets the standard’s requirements.
- Perform the management review, including evaluation of audit results and corrective actions.
- A Brand Compliance auditor performs the accredited certification audit, assessing whether the PIMS complies with ISO 27701.
- When all requirements are met, the ISO 27701 certificate is issued.
ISO 27701 certification costs
The overall cost of ISO 27701 certification depends on several factors, including:
- organizational size and structure;
- number of sites;
- complexity of PII processing activities.
Certification costs generally consist of audit preparation, audit execution, reporting, certificate issuance, administrative activities and travel time where applicable.
A cost estimate can only be provided based on your organization’s specific situation.
Frequently asked questions about ISO 27701
What is the difference between ISO 27001 and ISO 27701?
ISO 27001 focuses on information security in a broad sense, while ISO 27701 focuses on privacy management and the processing of PII.
What is the difference between ISO 27018 and ISO 27701?
ISO 27018 provides guidelines for protecting PII in public cloud environments. ISO 27701 focuses on a comprehensive privacy management system (PIMS) within all types of organizations.
What is the relationship between ISO 27701 and the GDPR?
The GDPR is legislation, while ISO 27701 is an international standard.
ISO 27701 supports organizations in demonstrating structured privacy management aligned with GDPR principles, but it does not replace the law and is not a formal GDPR certification.
Is ISO 27701 a standalone standard?
Yes. Whereas ISO 27701:2019 was an add-on to ISO 27001, ISO 27701:2025 is a standalone management system standard.