
ISO 27701 – The Standard for Privacy Information Management

By Mark Sharron | Updated 31 May 2024

ISO 27701 is a framework for data privacy that builds on ISO 27001. It guides organisations on policies and procedures that should be in place to comply with GDPR and other data protection/privacy regulations and laws.


What is ISO 27701?

In the wake of the EU’s General Data Protection Regulation (GDPR), South Africa’s POPIA, Brazil’s LGPD, the Australian Privacy Principles and the many similar privacy laws and regulations being drafted around the world, there has been a growing need for a code of conduct, or standard, that lets organisations demonstrate privacy compliance and obtain certification. ISO 27701 seeks to provide a truly international approach to privacy protection as a component of information security.

ISO 27701 was developed to provide a standard for data privacy controls, which, when coupled with an ISMS, allows an organisation to demonstrate effective privacy data management. It establishes the parameters for a PIMS in terms of privacy protection and processing personally identifiable information (PII).

ISO 27701 is an impressive way of demonstrating to consumers, external organisations and internal stakeholders, that mechanisms are in place to keep data safe and to comply with GDPR and other privacy laws.

The ISO 27701 standard, a PIMS (Privacy Information Management System) standard, lays out a detailed set of operational checklists that can be adapted to a variety of regulations, including GDPR. Companies document their policies, procedures, protocols and activities in line with the standard’s operational checklists, with records then audited by internal and third-party auditors, resulting in detailed proof of compliance with the standard. ISO 27701 helps companies to maintain an effective privacy and information security system and reduce privacy risks.

What are the building blocks of the standard?

ISO 27701 is an extension of ISO/IEC 27001, which is one of the most widely used international standards for information security management. If your organisation is already acquainted with ISO/IEC 27001, integrating the new privacy controls of PIMS may be relatively straightforward. ISO 27701 is also based on other standards, like ISO 27002 and ISO 29100. ISO 27701 adds a data privacy layer to previous information security standards. If you are ticking the boxes for other standards you may be ticking some of the boxes for ISO 27701 already.

Important points to remember about ISO 27001 and PIMS:

  • PIMS provides new controller- and processor-specific controls that help organisations overcome the challenges of privacy and security by establishing a point of convergence between what could be two different functions.
  • Security is important for privacy. ISO 27701 PIMS relies on ISO 27001 for security management. ISO 27701 certification is only available as an add-on to ISO 27001 certification and cannot be obtained as a standalone certificate.

Achieve multiple standards with ISMS.online

ISO 27701 is an extension of ISO 27001 which means that organisations intending to implement ISO 27701 certification must have ISO 27001, or complete both standards simultaneously.

ISMS.online supports over 100 standards and frameworks, all in one easy-to-use platform. Book a demo to see for yourself.


The Data Protection Act (DPA)

The Data Protection Act (DPA) came into law to regulate how personal or consumer data is used by companies and government agencies in the UK. It safeguards individuals and establishes guidelines for the use of personal data.


The General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) seeks to establish a common set of data protection laws for all EU member states. GDPR makes it easier for EU citizens to understand how their data is being used, even when that data is stored in another country, and to file a complaint should they have a problem with how their information is used. The ISO 27701 Standard provides the framework for assisting, guiding, and demonstrating compliance with the DPA, GDPR and similar laws and regulations.


PII (Personally Identifiable Information)

Personally identifiable information is the data that can be used to specifically identify a person. By itself, the information may not necessarily be sensitive but, when taken in context, this data can lead to a variety of conclusions about an individual or company.

Personally identifiable information includes an individual’s name, address, birthday, national insurance number, phone number, email address, and so on. PII may also include electronic identifiers, like IP addresses, geo location tags and ID numbers.


Privacy Information Management

Privacy information management covers the methods an organisation has for collecting, processing, storing, and destroying personally identifiable information, also known as PII.

Putting in place a privacy information management system ensures that organisations comply with regulations like GDPR. The penalty for breaching data protection legislation in the UK and EU can be serious. For example, the maximum fine is about €17 million or 4% of total worldwide turnover (whichever is higher).


Under the guidelines of the GDPR, organisations are expected to keep all personally identifiable information safe from theft, loss, and damage.

Changes to UK law since May 2018 now mean that organisations must put in place an HR data handling policy, with the capability to show that non-relevant personal data is being deleted appropriately. ISO 27701 helps organisations address these three important compliance challenges:

Too many regulatory requirements to juggle

Using ISO 27701 as a unified system of data privacy operational control removes the need to focus on multiple regulations. As an international standard, ISO 27701 is designed to meet the requirements of data protection and GDPR, and to be flexible enough to be adapted to specific industry requirements. This enables companies to work within a single framework in meeting multiple regulatory requirements.

Too costly to audit regulation-by-regulation

Internal and external auditors use ISO 27701 to determine regulatory compliance in one single audit cycle. This saves the organisation money compared to following a disjointed regulation-by-regulation audit process.

Promises of compliance without proof are potentially risky

It is not enough for companies to follow best practice data privacy processes; they must also be able to prove compliance with laws and regulations. That means having a robust, integrated process for documentation. Businesses with complex processes may have multiple types of data controller and data processor, cloud providers and partner vendors. Inability to prove compliance with laws or regulations in any part of the supply chain could expose the business to financial and reputational risk.

Compliance doesn’t have to be complicated.

We've done the hard work for you, giving you an 81% Headstart from the moment you log on.
All you have to do is fill in the blanks.


Benefits of ISO 27701


Demonstrate next-level data protection with ISO 27701

The ISO 27701 standard is one of the ways to show that you are complying with all appropriate data protection, confidentiality and privacy security requirements.

Build trust when managing personal information

When it comes to handling personal information, you need to have a way of ensuring that your organisation is doing everything possible to ensure that information is handled correctly and in compliance with the law. ISO 27701 gives you the standard necessary to build trust when managing data. Suppliers, consumers and partners can have confidence in your policies, procedures and protocols when you work to an international standard like ISO 27701.

Integrates with the leading information security standards

ISO 27701 integrates with the leading information security standards. This enables seamless development and updating of policies and procedures across differing standards, and the sure knowledge that you won’t compromise your compliance with other standards by adopting ISO 27701 standards.

Supports compliance with other privacy regulations

ISO 27701 is the ‘industry standard’ to comply with new data protection legislation. Even though ISO 27701 aligns with the principles of GDPR, it also allows organisations to document compliance with other privacy laws, regulations, standards, and requirements.

Flexible enough to accommodate jurisdictional specifics

The ISO 27701 standard was developed to provide standards for working with personally identifiable information so you can meet different privacy laws. If your company operates outside the EU and wants to follow territory-specific guidelines equivalent to GDPR, you can bring those jurisdictional specifics into ISO 27701.

Provides transparency between stakeholders

ISO 27701 sets the standard for how privacy data is managed. The standard makes processes transparent for all stakeholders, engendering trust and mutual respect.

Facilitates effective business agreements

When companies are committed to working to the same high privacy data standards, it is easier to make agreements and to work together. ISO 27701 engenders trust and ensures that all stakeholders are on the same page when considering system integration and shared business processes.


ISO 27701 vs ISO 27001 – what are the differences?

ISO 27701 and ISO 27001 are two standards that are often used interchangeably by non-information security professionals when referring to information security.

Both ISO 27001 and ISO 27701 standards are IT security management standards. The difference between the two standards is that ISO 27001 focuses on the gap between risk management and security controls whereas ISO 27701 is a standard geared towards meeting privacy regulations and laws like GDPR and the Data Protection Act. ISO 27701 is focused on privacy data risks.

How do ISO 27001 and ISO 27701 integrate with each other?

ISO 27701 is an extension of ISO 27001. It’s one of the risk management standards, but it ensures that the business complies with GDPR and other relevant PII regulations. Before you can benefit from ISO 27701’s security benefits, you must first implement ISO 27001.

How Does ISO 27701 Relate To GDPR?

Organisations must secure and ensure the integrity of all sensitive data they process under the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 (DPA). However, neither the GDPR nor the DPA provide clarification on the actions companies must take to ensure data privacy. This is where ISO 27701 comes in. ISO 27701 provides the requirements and guidelines for a best-practice process for running a privacy information management system (PIMS) with effective data security and privacy capabilities.

How do ISO 27001 and GDPR integrate with each other?

ISO 27001 is the international best practice standard for an information security management system (ISMS) adopted by many countries around the world. More than 35 countries have signed up to implement GDPR. ISO 27701 can help with compliance with GDPR.


Getting started with ISO 27701

If you own a business that processes personal data, then you need to understand how the new ISO 27701 standard applies to you. Understanding the basics of ISO 27701 can be a challenge. This is especially true if you’re used to working to different standards.

Implementing ISO 27701

As with most official standards, ISO 27701 can be a little tricky to get your head around. ISMS.online helps you by providing a cloud-based solution to document compliance with the requirements of ISO 27701.
Implementing ISO 27701 will give you a solid framework for compliance with laws and regulations, from the GDPR regulations to HIPAA level protection.

Demonstrating Good Practice

Implementing ISO 27701 is about demonstrating ‘good practice’ for personal information management. ISO 27701 has become an integral part of the data management framework for businesses in many sectors. This important standard is a shift from the ISO 27001 information security technical and asset emphasis to a more risk-based business focus.

Plan, Do, Check, Act

Plan, Do, Check, Act (PDCA) is a continuous improvement cycle that many progressive companies use, and is a vital element in the implementation of ISO 27701. Others may use different names for the phases, but the key idea is the same: plan what should be done; do the best job you can on implementation and execution of that task; check the results against your plan; and act on any necessary changes to the plan to improve performance.


Requirements of ISO 27701

The requirements to achieve ISO/IEC 27701 compliance include:

  • Design, build and implement a Personal Information Management System (PIMS) for your organisation.
  • Follow the ISO 27701 guidelines when designing and implementing the PIMS.
  • The PIMS should define strict systems and tactical controls for managing personally identifiable information, including how this information is obtained, used, shared and deleted.
  • Define strict user roles and strong passwords for all stakeholders processing and controlling privacy data.

ISO 27701 certification requires that you have ISO 27001 certification. Your Personal Information Management System builds upon your Information Security Management System (ISMS). You can get certified to ISO 27701 at the same time as doing ISO 27001. Doing both concurrently is normally easier, less resource intensive and cheaper than doing them in series.

Structure

ISO 27701 is divided into clauses, just like other ISO standards, with Clauses 5–8 detailing the additional requirements and updates that must be added to ISO 27001:

  • Clause 5 outlines the PIMS requirements for ISO/IEC 27001 compliance.
  • Clause 6 outlines the PIMS guidance for ISO/IEC 27002.
  • Clause 7 outlines PIMS guidance for PII Controllers.
  • Clause 8 outlines PIMS guidance for PII Processors.

The following Annexes are also included in the standard:

  • Annex A: PIMS-specific reference control objectives and controls for PII Controllers.
  • Annex B: PIMS-specific reference control objectives and controls for PII Processors.
  • Annex C: mapping to ISO/IEC 29100.
  • Annex D: mapping to the General Data Protection Regulation (GDPR).
  • Annex E: mapping to ISO/IEC 27018 and ISO/IEC 29151.
  • Annex F: how ISO/IEC 27701 relates to ISO/IEC 27001 and ISO/IEC 27002.

It’s important, however, that you learn all of the policies, procedures, and controls in place and that they’re followed consistently throughout your organisation.


ISO 27701 Implementation

Implementing ISO/IEC 27701 is a robust way to start a privacy information management system within any company. Many companies choose to pursue ISO 27701 alongside ISO 27001. This can reduce cost and the overall time and effort involved in achieving both standards.

Here at ISMS.online, we provide cloud-based solutions that your organisation can use to document compliance with ISO 27001 and then ISO 27701. We take the uncertainty and guesswork out of the process by providing a framework for compliance with ISO standards.

Who should implement ISO 27701?

ISO 27701 offers an international standard for any organisation handling privacy data. Any company that holds personally identifiable information, irrespective of size and type, may benefit from ISO 27701 implementation. ISO 27701 helps to mitigate the financial and regulatory risks associated with privacy data breaches. ISO 27701 is for private, public companies and even government agencies that need to take a risk-based approach to holding and processing personal information.

What roles are involved in implementing ISO 27701?

Given the scope and the scale of the ISO 27701 standard, it comes as no surprise that different roles are involved in implementing the standard. These roles typically include:

  • Lead Implementer / Project Manager
  • Chief Privacy Officer / Data Protection Officer
  • Privacy Manager / Data Protection Manager
  • Internal Auditor
  • External Auditor
  • Privacy Analyst, for taking functional requirements and converting them into a technical implementation
  • Database and Software Professionals

Not sure where to start?

The ISMS.online platform makes the process more understandable and easier to implement. And if you ever need help, we have compliance experts on hand to guide you. Book a demo today to see how your business can benefit.


Compliance vs certification

ISO 27701 compliance and certification can be confusing, as at face value they appear to mean the same thing.

ISO 27701 compliance means that your organisation has put in place the controls needed to satisfy the requirements of ISO 27701, a set of best practices for privacy information management. Compliance with standards is important.

An ISO 27701 certificate is the document that confirms a particular organisation has gone through the processes and documented everything necessary to become ISO 27701 compliant.

Certification means you have demonstrated compliance.

Is ISO 27701 certification right for me?

If your company deals with personally identifiable information, you may need to look into ISO 27701 certification. ISO 27701 certification will make you stand out compared to companies that are not certified.

Additionally, in the event of a data breach, the Information Commissioner’s Office (ICO) in the United Kingdom has stated that organisations that implement certification or have a comprehensive system in place to handle their data security may be seen more favourably by regulators.

ISO 27701 Certification process

The process of implementing ISO 27701 is relatively easy for organisations that already have ISO 27001 certifications.

The ISO 27701 certification can be obtained in three steps:

You must first engage a qualified certification body that will conduct an audit of your organisation.

After you’ve agreed on a proposal, an assessor will give your organisation a detailed audit. The assessor must make a compulsory visit during the initial certification audit. They’ll look to see if you’ve put in place a completely functional personal information management system.

Once the assessor has completed the audit, the certification body will decide whether your organisation has met the criteria. If the outcome is positive, they will give you a certificate stating that your company complies with the standard’s specifications. The certification is valid for the next three years, or until your ISO 27001 certificate expires, whichever comes first.

If your company does not have ISO 27001 certification yet, you’ll need to have it first, or to pursue ISO 27001 and ISO 27701 certifications at the same time.

Take control of your compliance with ISMS.online

ISMS.online can work with you to ensure that your PIMS processes are in line with ISO 27701 requirements. Additionally, our information security professionals and comprehensive suite of infosec written and video resources can guide you through the process of demonstrating compliance with ISO standards.


Maintaining ISO 27701 certification

Maintaining ISO 27701 certification need not be a daunting prospect, as long as the initial ISO 27701 implementation was completed correctly. However, to keep your ISO 27701 certificate valid, you must perform periodic surveillance audits in combination with your ISO 27001 audit, and then a complete reassessment before certification renewal.

The best way to maintain ISO 27701 certification is to manage your systems in such a way that you are able to keep doing continuous improvements. Continual improvement is the ongoing effort taken by your organisation to improve how it handles personally identifiable information, identifying emerging risks to compliance, and taking systemic actions to remedy them.


How much does ISO 27701 cost?

The cost of ISO 27701 is the sum of the cost of certification and the business costs associated with implementation and continued compliance. The cost of implementation will depend on the resources you have in house, the complexity of your data processes and the system you put in place to comply with and document compliance with ISO 27701. The cost of certification is detailed below:

No. of people working for the organisation | Audit days (assumed; the source repeats the first column’s header here) | Estimated certification cost
1 – 45 | 3 – 6 | £2,850 – £5,700
46 – 125 | 7 – 8 | £6,650 – £7,600
126 – 425 | 9 – 10 | £8,550 – £9,500
426 – 625 | 11 | £10,450
626 – 875 | 12 | £11,400
876 – 1175 | 13 | £12,350
1176 – 1550 | 14 | £13,300
1551 – 2025 | 15 | £14,250

The simplest way to ISO 27701

ISMS.online makes personal information management easy through a great cloud-based solution to support ISO 27701 compliance in your organisation. On top of this we have information security experts and resources available to guide you through the ISO 27701 accreditation process.

Frameworks for ISO 27701

It can be hard to know where to start with ISO 27701, especially if you’ve never had to do anything like this before. This is where ISMS.online comes in. Our ISO 27701 solutions provide frameworks that allow your organisation to demonstrate compliance with ISO 27701. Our Information Security experts can work with you to ensure that you develop a logical implementation process that aligns with the online documentation framework.

Supply chain management tools

At ISMS.online we can incorporate supply chain information security management into your ISMS. Quick and practical performance metrics can also be used to monitor the progress of your suppliers and other third-party partnerships. Use ISMS.online Clusters to get the whole supply chain together in one location for clarity, insight, and control.

Highly efficient project oversight and collaboration

Our ISMS.online solutions make it easy for organisations to achieve project oversight, ensuring that the data controller and processor policies and procedures are in line with the ISO standard. Our online system also ensures that system implementers have a single place for reference and collaboration. Our Assured Results Method (ARM) enables you to be confident that you are ticking all the boxes you need to comply with the standard.

Help and support engaging your people

ISO 27701 is not just a framework for organisations to adopt; it means adapting the way people understand, interface and interact with data. At ISMS.online, we have designed our system so that you and your staff can take advantage of our easy-to-use interface for documenting your ISO journey. We also provide video resources and access to information security professionals to help you integrate standards into your company.


FAQs

Why Was ISO 27701 Developed?

ISO 27701 was developed to bridge the gap between data protection and information security in the context of ISO 27001.

ISMS.online understands the importance of both aspects in maintaining a secure environment for your business.

ISO 27001 and Its Limitations

  • ISO 27001 is the standard for an Information Security Management System (ISMS), which helps organisations like yours identify, analyse, and address information security risks.
  • However, it does not guarantee that data protection needs are adequately considered, especially with the introduction of privacy-focused legislation like GDPR.

Addressing the Gap With ISO 27701

  • ISO 27701 helps organisations demonstrate compliance with GDPR requirements and other privacy regulations.
  • It provides a framework for managing personal data for both data controllers and data processors.


How ISO 27701 Benefits Commercial Agreements Involving PII

When it comes to commercial agreements involving the transfer of personal information, demonstrating compliance with privacy standards is essential.

ISO 27701 is an international standard, making it practical for managing compliance in organisations with a worldwide presence.

We understand the importance of using an internationally recognised standard like ISO 27701 to manage compliance across your organisation. Contact us to find out how we can help.


When Will ISO 27701 Be Updated?

ISO 27701, like ISO 27001, is expected to be updated regularly to maintain its relevance and effectiveness.

Alignment with ISO 27001 Revisions

  • As new versions of ISO 27001 are published, associated standards, including ISO 27701, will also be updated.
  • This ensures that your information security and cyber security practices remain aligned with the latest industry standards.


How Brexit Affects ISO 27701 in Relation to GDPR

ISO 27701 won’t be significantly affected by Brexit, since it is still the best method of protecting individuals’ privacy, and the GDPR’s requirements have been transferred into the UK GDPR.

Regulations like the GDPR will continue to protect the information of EU citizens in the UK.

