Mastering ISO/IEC 27701: A Complete Guide

What Is ISO 27701?

The international standard for privacy management – and as of 2025, it stands on its own.

ISO/IEC 27701 is an international standard published by the International Organization for Standardization that sets out the requirements for establishing, implementing, maintaining, and continually improving a Privacy Information Management System (PIMS). It defines how organisations that collect, store, use, or share personally identifiable information (PII) should govern that data in a structured, auditable, and certifiable way.

From 2019 until October 2025, ISO 27701 was technically an extension of ISO 27001 – meaning an organisation had to hold ISO 27001 certification before it could pursue ISO 27701. The 2025 revision changed that. ISO/IEC 27701:2025 is now a standalone Privacy Information Management System standard, operable independently of ISO 27001, though it remains fully compatible with ISO 27001:2022 and ISO 27002:2022 for organisations that want to manage security and privacy under a single unified system.

[Figure: ISO 27701 PIMS Certification Timeline – the certification journey shown as roughly 10 weeks of preparation, 20 weeks of implementation, and 6 weeks of audit and certification, about 36 weeks in total.]

The 2019-to-2025 shift is the most important structural change in the standard’s history and the one most guides haven’t caught up with yet.

2019 vs 2025: WHAT CHANGED

  • 2019 edition: ISO 27701 was an extension – ISO 27001 certification was a hard prerequisite for any organisation pursuing PIMS certification.
  • 2025 edition: ISO 27701 is now standalone – organisations without ISO 27001 can implement and certify a PIMS directly, without a prior ISMS in place.
  • Existing 27701:2019 certifications: organisations have a transition window to migrate to the 2025 edition; the exact deadline is set by the certifying body, but migration is required to maintain accredited status.
  • Integration still recommended: for most organisations already holding ISO 27001, running both as a joint programme remains the most efficient path.


ISO 27701 doesn’t duplicate GDPR, CCPA, India’s DPDP Act, Brazil’s LGPD, or any other privacy regulation. It provides the management system framework – the internal governance, controls, and documented evidence – that makes complying with those laws operational and auditable. The critical point: ISO 27701 certification is not the same as legal compliance with GDPR or any other regulation. The two sit at different layers and both are required independently.


How GCAI helps: GCAI scopes ISO 27701 engagements against the 2025 edition – including confirming whether a standalone PIMS or a joint ISMS+PIMS implementation is the right fit before any implementation work begins.

What Is a PIMS?

The actual thing you’re building when you pursue ISO 27701 – and why most definitions undersell it.

A Privacy Information Management System (PIMS) is the structured internal system through which an organisation governs how it collects, uses, stores, shares, retains, and deletes personally identifiable information. It isn’t a piece of software or a single policy document. It’s an integrated set of policies, procedures, roles, risk assessments, controls, and evidence records that together make privacy management repeatable, verifiable, and improvable over time.

The PIMS concept under ISO 27701 follows the same Plan-Do-Check-Act cycle as ISO 27001’s ISMS, extended to cover privacy-specific requirements. Where an ISMS asks “what information assets do we need to protect and from whom?”, a PIMS asks “what PII do we process, for what purposes, under what legal basis, and with whose authorisation?” – and then builds controls around the answers.

[Figure: Key Elements of a PIMS Framework – PII inventory, privacy risk register, data subject rights processes, consent management, supplier oversight, and DPIA programmes.]

A functioning PIMS typically consists of six operational components. Most organisations find the data inventory and the subject rights process take longest to build from scratch.

WHAT A PIMS CONTAINS

  • PII processing inventory – a comprehensive record of what personal data is collected, where it goes, who can access it, how long it’s retained, and under what legal basis.
  • Privacy risk register – a live assessment of risks to PII across systems, vendors, and data flows, feeding into the organisation’s control decisions.
  • Data subject rights process – a documented, operational workflow for receiving and responding to access, correction, erasure, and portability requests.
  • Consent management records – evidence of how consent is captured, stored, and withdrawn, and what processing relies on other legal bases.
  • Supplier and sub-processor oversight – contracts, DPAs, and review processes covering every third party that handles PII.
  • DPIA programme – a risk assessment process triggered whenever a new or changed processing activity is likely to result in a high risk to individual privacy.


The records produced by a PIMS serve two audiences simultaneously. Internally, they give the privacy team visibility over what’s being processed and where the risks sit. Externally, they’re the evidence an auditor examines to confirm that stated controls are actually operating. A PIMS that exists on paper but can’t produce evidence of actual operation will not pass an ISO 27701 audit – implementation and documentation both matter.

One practical distinction that gets overlooked: a PIMS built for ISO 27701 certification differs from a privacy compliance checklist built for a specific regulation like GDPR in that it’s designed to be regulation-agnostic and reusable. The same PIMS framework, correctly built, can generate the evidence needed for GDPR, India’s DPDP Act, CCPA, and LGPD without rebuilding from scratch for each law.


How GCAI helps: GCAI builds PIMS programmes from the six operational components above, structured from the outset to generate evidence reusable across GDPR, DPDP Act, CCPA, and LGPD obligations – not just the regulation the first enterprise customer asked about.

PII Controllers vs PII Processors: What’s the Difference?

Most SaaS companies are both at once. ISO 27701 is one of the few standards that accounts for this directly.

ISO 27701 uses the terms PII controller and PII processor in close alignment with the GDPR’s controller and processor definitions, but applies them within the PIMS framework rather than the GDPR legal regime. A PII controller is the organisation that determines the purposes and means of processing PII. A PII processor is the organisation that processes PII on the controller’s instructions.

| | PII Controller | PII Processor |
|---|---|---|
| What they decide | Why PII is collected and how it’s used | Only how to execute the controller’s instructions |
| Legal basis | Must establish and document one for each processing activity | Relies on the controller’s legal basis – doesn’t hold its own |
| ISO 27701 controls | Governed by Annex A – 31 controls covering consent, data minimisation, purpose limitation, data subject rights, and transfers | Governed by Annex B – 18 controls covering processing under instructions, supporting rights fulfilment, sub-processor management |
| Data subject rights | Directly responsible for responding to access, erasure, and portability requests | Must support the controller in fulfilling requests; cannot refuse independently |
| Typical examples | SaaS platform collecting user data, employer processing employee data, retailer running a loyalty programme | Cloud hosting provider, payroll processor, analytics vendor, email delivery service |

The dual-role scenario is where most practical guidance breaks down. A SaaS company is almost always acting in both roles simultaneously: it is a processor for its customers’ end-user data (processing that data under the customer’s instructions), while it is a controller for its own employee data, marketing contacts, and website visitor analytics. ISO 27701 explicitly accommodates this – organisations can be certified under both Annex A and Annex B simultaneously, scoped appropriately to each role.

The dual-role scenario is the norm for B2B SaaS, not an edge case. Treating it as one or the other is a scoping error that surfaces as a gap at audit time.

CONTROLLER OR PROCESSOR? BOTH?

  • Customer data processed under a data processing agreement – you are a processor. Annex B applies.
  • Your own employees’ HR and payroll data – you are a controller. Annex A applies.
  • Website analytics and marketing contacts you manage independently – you are a controller. Annex A applies.
  • Sub-processors you engage to process customer data on your behalf – you are the controller in that relationship; Annex A obligations for sub-processor management apply.


A note on joint controllers: when two organisations jointly determine the purposes and means of processing PII – a common scenario in joint product partnerships, data-sharing agreements, and co-marketing arrangements – both are controllers and both need the controller controls of Annex A in place, along with a written agreement between them specifying their respective responsibilities.


How GCAI helps: GCAI maps controller and processor roles across every data flow before scoping the PIMS, so the Annex A and Annex B control sets are applied correctly to each processing context rather than blanketed across the whole organisation.

Who Needs ISO 27701?

It’s not mandatory for anyone – but the market is making it feel that way in a growing number of sectors.

ISO 27701 is a voluntary standard. No law requires it, and no regulator enforces it. The business case for pursuing it is entirely driven by customer expectations, regulatory pressure, and the operational benefit of having a structured privacy governance system in place. That said, in certain sectors and markets, customer procurement processes have made it effectively table-stakes in the same way ISO 27001 has become non-negotiable for enterprise SaaS sales.

Organisations already holding ISO 27001. The most straightforward path to ISO 27701 is for organisations already certified against ISO 27001. The PIMS extends the existing ISMS controls and can often be audited at the same time by the same certification body, making it a relatively efficient addition rather than a separate programme.

Healthtech, fintech, and B2B SaaS handling sensitive PII. Enterprise customers in regulated industries increasingly ask for ISO 27701 alongside SOC 2 or ISO 27001 as evidence of structured privacy governance, particularly for contracts that involve health data, financial records, or large-scale user data processing.

Organisations subject to GDPR, CCPA, or India’s DPDP Act. ISO 27701 doesn’t replace legal compliance with any of these regulations, but it provides a certifiable management system framework that makes demonstrating accountability – the hardest requirement in GDPR, CCPA, and DPDP Act compliance – structured and auditable.

Organisations without ISO 27001 (from 2025 onwards). The 2025 edition’s standalone certification path makes ISO 27701 accessible to organisations that haven’t pursued ISO 27001 and don’t intend to – particularly those whose core risk is privacy rather than general information security.

The sectors where ISO 27701 is showing up most frequently in enterprise procurement requirements as of 2025.

HIGHEST DEMAND SECTORS

  • B2B SaaS selling into enterprise healthcare, financial services, or government accounts.
  • Data analytics and adtech – where large-scale behavioural data processing is the core product.
  • HR tech and payroll platforms – employee data is sensitive PII that enterprise buyers scrutinise closely.
  • Cloud infrastructure and managed service providers – typically acting as processors for multiple controllers simultaneously.
  • Any organisation subject to GDPR accountability obligations or the India DPDP Act’s consent framework.


A practical threshold test: if your sales team is fielding questions about your privacy programme in vendor security questionnaires – how you handle data subject requests, how you manage sub-processors, what your data retention policy is – those questions are exactly what a certified PIMS answers. ISO 27701 converts those questionnaire responses from one-off written statements into evidence from an independently audited system.


How GCAI helps: GCAI reviews the specific procurement requirements and regulatory obligations an organisation faces before recommending whether standalone ISO 27701, a joint ISO 27001+27701 programme, or a phased approach is the right sequence.

ISO 27701 vs GDPR: What’s the Difference?

They work at different layers. One is a management system standard. The other is the law.

The most persistent misconception about ISO 27701 is that achieving it means being GDPR-compliant. It doesn’t, and conflating the two creates real risk for organisations that treat a PIMS certification as a substitute for GDPR legal compliance work. The two instruments are complementary and designed to work together – but they operate at entirely different levels.

GDPR is a binding legal regulation that imposes specific obligations: establishing a lawful basis for every processing activity, executing Data Processing Agreements with processors, conducting Data Protection Impact Assessments for high-risk processing, notifying supervisory authorities within 72 hours of a breach, and responding to data subject access requests within one month. These are legal obligations enforced by supervisory authorities. An ISO 27701 certification does not fulfil any of them on its own.

| | ISO 27701 | GDPR |
|---|---|---|
| What it is | Voluntary international management system standard | Binding EU/UK privacy regulation |
| Issued by | International Organization for Standardization (ISO) | European Union; enforced by supervisory authorities |
| Enforced by | Certification body at audit; market expectation | Supervisory authorities; state attorneys general (UK) |
| What you get | An audited PIMS certificate (3-year validity, annual surveillance) | Legal compliance status – no certificate issued |
| Establishes lawful basis? | No – documents and governs your processes, but does not create a GDPR-recognised legal basis | Yes – Article 6 lawful bases must be established independently |
| Replaces DPAs/DPIAs? | No – supports them through PIMS controls but does not replace the GDPR legal instruments | GDPR requires both independently of any standard |
| Cross-law applicability | Yes – Annex D maps to GDPR; PIMS evidence reusable across CCPA, DPDP Act, LGPD, POPIA | EU/UK specific; other laws have equivalent but separate frameworks |

What ISO 27701 does for GDPR is make compliance operational, structured, and evidenced. The PIMS’s PII processing inventory directly supports the GDPR Article 30 Record of Processing Activities requirement. The DPIA programme within the PIMS supports Article 35 obligations. The data subject rights process supports Articles 15–22. The evidence produced by a functioning PIMS is the same evidence a supervisory authority looks for when investigating a complaint.

[Figure: Global Privacy Alignment with ISO 27701 – how a PIMS supports GDPR, UK GDPR, CCPA/CPRA, LGPD, POPIA, and India’s DPDP Act 2023.]

ISO 27701’s Annex D provides a direct mapping between PIMS controls and GDPR articles – the most complete privacy law cross-reference in any ISO standard.

WHAT ONE PIMS CAN COVER

  • GDPR (EU) – Annex D maps all relevant GDPR articles directly to PIMS controls.
  • UK GDPR – substantively identical mapping applies; ICO recognises ISO 27701 as a relevant accountability measure.
  • CCPA/CPRA (California) – PIMS controls covering opt-out rights, data inventory, and vendor management map directly.
  • India DPDP Act 2023 – consent framework, data fiduciary obligations, and breach notification align with PIMS core controls.
  • Brazil LGPD and South Africa POPIA – both structurally similar to GDPR; PIMS evidence transfers with minimal rework.


How GCAI helps: GCAI implements ISO 27701 and GDPR compliance as parallel workstreams sharing a single evidence base – so the RoPA, DPIA records, and data subject rights process serve both the certification audit and the GDPR accountability obligation without duplication.

The ISO 27701 Certification Process


Two audit stages, a three-year certificate, and annual surveillance visits in between.

ISO 27701 certification follows the same two-stage audit process used for ISO 27001, conducted by an accredited third-party certification body. For organisations pursuing ISO 27701 alongside ISO 27001, both audits are typically run together by the same auditor to reduce duplication. For organisations pursuing standalone ISO 27701 under the 2025 edition, the audit is conducted against the PIMS requirements directly.

[Figure: The Evolution of ISO 27701 Certification – originally an extension of ISO 27001, now moving toward standalone privacy certification.]

| Phase | What happens | Typical duration |
|---|---|---|
| Gap assessment | Identify where current privacy controls fall short of PIMS requirements; prioritise remediation sequencing | 2–4 weeks |
| Scope definition | Define the boundaries of the PIMS – which business units, systems, PII flows, and regulatory contexts are included | 1–2 weeks |
| PII inventory & RoPA | Build a comprehensive record of all processing activities, legal bases, data categories, sub-processors, and retention periods | 3–6 weeks |
| Control implementation | Deploy Annex A controls (controller), Annex B controls (processor), or both; document evidence of each | 2–4 months |
| DPIA programme | Conduct DPIAs for high-risk processing activities; embed into product and project workflows going forward | Ongoing from this point |
| Internal audit | Assess whether the PIMS is operating as documented; produce audit report and corrective actions | 2–4 weeks |
| Management review | Senior leadership review of PIMS performance, risks, and improvement actions – documented for audit evidence | Annual minimum |
| Stage 1 audit | Certification body reviews PIMS documentation, scope, and readiness; issues findings and confirms readiness for Stage 2 | 1–2 days on-site/remote |
| Stage 2 audit | Full operational audit; auditor confirms controls are functioning, evidence is current, and PIMS meets the standard | 2–5 days on-site |
| Certification issued | Certificate valid for 3 years; annual surveillance audits confirm continued compliance | 3-year cycle |

The Annex A and Annex B controls are the heart of what an auditor is checking. Annex A (PII controller) contains 31 controls grouped around conditions for collection and processing, obligations to data subjects, privacy by design and by default, and PII sharing. Annex B (PII processor) contains 18 controls focused on processing only under documented instructions, supporting the controller’s obligations, sub-processor management, and cross-border transfer safeguards.

The Stage 1 audit is where most organisations discover documentation gaps rather than control gaps. The actual controls often exist; the evidence that they’re operating consistently is what’s missing.

ISO 27701 BY THE NUMBERS

  • Controls in Annex A (PII controllers): 31
  • Controls in Annex B (PII processors): 18
  • Certificate validity: 3 years
  • Surveillance audits: annually throughout the 3-year cycle
  • Preparation time (with ISO 27001 in place): typically 40–80 hours of additional effort
  • Preparation time (standalone, from scratch): typically 3–6 months depending on organisation size and PII complexity


How GCAI helps: GCAI runs the gap assessment, builds the PII inventory and RoPA, implements Annex A and B controls, prepares the Stage 1 documentation package, and supports the Stage 2 audit – the full certification programme, not just readiness advice.

ISO 27701 FAQ

The questions that come up most once the basics are out of the way.

Do I need ISO 27001 before pursuing ISO 27701?

Not anymore. The 2025 edition of ISO 27701 is a standalone standard – ISO 27001 is no longer a prerequisite. Organisations without an existing ISMS can now implement and certify a PIMS directly. That said, organisations already holding ISO 27001 will find the incremental effort for ISO 27701 significantly lower, since governance, risk, and audit processes already exist and only need to be extended to cover privacy.

Is ISO 27701 certification the same as GDPR compliance?

No – and this is the most important clarification in the entire guide. ISO 27701 certification means an accredited auditor has confirmed your PIMS is implemented and operating to the standard’s requirements. It does not establish a GDPR lawful basis, does not replace mandatory DPAs with processors, does not conduct DPIAs on your behalf, and does not fulfil breach notification obligations. It provides the framework and evidence that makes GDPR compliance operational, but legal compliance with GDPR is a separate obligation that must be met independently.

We’re certified under ISO 27701:2019. Do we need to transition?

Yes. The 2019 edition is superseded by the 2025 edition. Existing certifications maintain their validity until the end of the current certification cycle, after which renewal must be against the 2025 standard. The transition involves reviewing scope boundaries, updating Annex A/B control mappings to align with ISO 27002:2022, and updating terminology throughout the PIMS documentation.

Can a company be certified as both a PII controller and a PII processor?

Yes. ISO 27701 explicitly accommodates dual certification. An organisation acting as a controller for some data flows and a processor for others can be certified under both Annex A and Annex B, with the scope statement specifying which processing activities fall under each role. This is the norm for B2B SaaS businesses.

How long does ISO 27701 certification take?

For an organisation already holding ISO 27001, additional preparation is typically 40–80 hours of focused effort over one to three months. For an organisation starting from scratch under the 2025 standalone path, a realistic preparation timeline is three to six months, depending on the volume and complexity of PII processing in scope.

Does ISO 27701 cover employee data as well as customer data?

Yes. ISO 27701 applies to all PII processing within the defined scope, which typically includes employee data (HR, payroll, access logs), contractor data, customer and end-user data, and any third-party data processed on behalf of controllers. Most organisations include employee data in scope from the outset since it’s where controller obligations are clearest and where evidence is easiest to produce.

Which privacy laws does ISO 27701 map to?

The standard includes Annex D, which maps PIMS controls directly to GDPR articles. The same PIMS framework also supports CCPA/CPRA (California), India’s DPDP Act 2023, Brazil’s LGPD, and South Africa’s POPIA, since all of these laws share structural similarities with GDPR around consent, data subject rights, breach response, and vendor oversight. A correctly implemented PIMS generates evidence usable across all of them without rebuilding for each law separately.

How GCAI helps: GCAI’s ISO 27701 gap assessment covers the questions above for your specific data environment – including dual-role scoping, the 2019-to-2025 transition plan if applicable, and which privacy regulations your PIMS will need to support.
