What Is ISO 27701?
The international standard for privacy management – and as of 2025, it stands on its own.
ISO/IEC 27701 is an international standard published by the International Organization for Standardization that sets out the requirements for establishing, implementing, maintaining, and continually improving a Privacy Information Management System (PIMS). It defines how organisations that collect, store, use, or share personally identifiable information (PII) should govern that data in a structured, auditable, and certifiable way.
From 2019 until October 2025, ISO 27701 was technically an extension of ISO 27001 – meaning an organisation had to hold ISO 27001 certification before it could pursue ISO 27701. The 2025 revision changed that. ISO/IEC 27701:2025 is now a standalone Privacy Information Management System standard, operable independently of ISO 27001, though it remains fully compatible with ISO 27001:2022 and ISO 27002:2022 for organisations that want to manage security and privacy under a single unified system.

2019 vs 2025: WHAT CHANGED – The 2019-to-2025 shift is the most important structural change in the standard’s history and the one most guides haven’t caught up with yet.
ISO 27701 doesn’t duplicate GDPR, CCPA, India’s DPDP Act, Brazil’s LGPD, or any other privacy regulation. It provides the management system framework – the internal governance, controls, and documented evidence – that makes complying with those laws operational and auditable. The critical point: ISO 27701 certification is not the same as legal compliance with GDPR or any other regulation. The two sit at different layers and both are required independently.
Related reading: What Is a PIMS? · PII Controllers vs PII Processors · Who Needs ISO 27701?
How GCAI helps: GCAI scopes ISO 27701 engagements against the 2025 edition – including confirming whether a standalone PIMS or a joint ISMS+PIMS implementation is the right fit before any implementation work begins.
What Is a PIMS?
The actual thing you’re building when you pursue ISO 27701 – and why most definitions undersell it.
A Privacy Information Management System (PIMS) is the structured internal system through which an organisation governs how it collects, uses, stores, shares, retains, and deletes personally identifiable information. It isn’t a piece of software or a single policy document. It’s an integrated set of policies, procedures, roles, risk assessments, controls, and evidence records that together make privacy management repeatable, verifiable, and improvable over time.
The PIMS concept under ISO 27701 follows the same Plan-Do-Check-Act cycle as ISO 27001’s ISMS, extended to cover privacy-specific requirements. Where an ISMS asks “what information assets do we need to protect and from whom?”, a PIMS asks “what PII do we process, for what purposes, under what legal basis, and with whose authorisation?” – and then builds controls around the answers.

WHAT A PIMS CONTAINS – A functioning PIMS typically consists of six operational components. Most organisations find the data inventory and the subject rights process take longest to build from scratch.
The records produced by a PIMS serve two audiences simultaneously. Internally, they give the privacy team visibility over what’s being processed and where the risks sit. Externally, they’re the evidence an auditor examines to confirm that stated controls are actually operating. A PIMS that exists on paper but can’t produce evidence of actual operation will not pass an ISO 27701 audit – implementation and documentation both matter.
One practical distinction that gets overlooked: a PIMS built for ISO 27701 certification differs from a privacy compliance checklist built for a specific regulation like GDPR in that it’s designed to be regulation-agnostic and reusable. The same PIMS framework, correctly built, can generate the evidence needed for GDPR, India’s DPDP Act, CCPA, and LGPD without rebuilding from scratch for each law.
Related reading: What Is ISO 27701? · PII Controllers vs PII Processors · The ISO 27701 Certification Process
How GCAI helps: GCAI builds PIMS programmes from the six operational components above, structured from the outset to generate evidence reusable across GDPR, DPDP Act, CCPA, and LGPD obligations – not just the regulation the first enterprise customer asked about.
PII Controllers vs PII Processors: What’s the Difference?
Most SaaS companies are both at once. ISO 27701 is one of the few standards that accounts for this directly.
ISO 27701 uses the terms PII controller and PII processor in close alignment with the GDPR’s controller and processor definitions, but applies them within the PIMS framework rather than the GDPR legal regime. A PII controller is the organisation that determines the purposes and means of processing PII. A PII processor is the organisation that processes PII on the controller’s instructions.

| | PII Controller | PII Processor |
|---|---|---|
| What they decide | Why PII is collected and how it’s used | Only how to execute the controller’s instructions |
| Legal basis | Must establish and document one for each processing activity | Relies on the controller’s legal basis – doesn’t hold its own |
| ISO 27701 controls | Governed by Annex A – 31 controls covering consent, data minimisation, purpose limitation, data subject rights, and transfers | Governed by Annex B – 18 controls covering processing under instructions, supporting rights fulfilment, sub-processor management |
| Data subject rights | Directly responsible for responding to access, erasure, and portability requests | Must support the controller in fulfilling requests; cannot refuse independently |
| Typical examples | SaaS platform collecting user data, employer processing employee data, retailer running a loyalty programme | Cloud hosting provider, payroll processor, analytics vendor, email delivery service |
The dual-role scenario is where most practical guidance breaks down. A SaaS company is almost always acting in both roles simultaneously: it is a processor for its customers’ end-user data (processing that data under the customer’s instructions), while it is a controller for its own employee data, marketing contacts, and website visitor analytics. ISO 27701 explicitly accommodates this – organisations can be certified under both Annex A and Annex B simultaneously, scoped appropriately to each role.
CONTROLLER OR PROCESSOR? BOTH? – The dual-role scenario is the norm for B2B SaaS, not an edge case. Treating it as one or the other is a scoping error that surfaces as a gap at audit time.
A note on joint controllers: when two organisations jointly determine the purposes and means of processing PII – a common scenario in joint product partnerships, data-sharing agreements, and co-marketing arrangements – both are controllers and both need the controller controls of Annex A in place, along with a written agreement between them specifying their respective responsibilities.
Related reading: What Is a PIMS? · ISO 27701 vs GDPR · The ISO 27701 Certification Process
How GCAI helps: GCAI maps controller and processor roles across every data flow before scoping the PIMS, so the Annex A and Annex B control sets are applied correctly to each processing context rather than blanketed across the whole organisation.
Who Needs ISO 27701?
It’s not mandatory for anyone – but the market is making it feel that way in a growing number of sectors.
ISO 27701 is a voluntary standard. No law requires it, and no regulator enforces it. The business case for pursuing it is entirely driven by customer expectations, regulatory pressure, and the operational benefit of having a structured privacy governance system in place. That said, in certain sectors and markets, customer procurement processes have made it effectively table-stakes in the same way ISO 27001 has become non-negotiable for enterprise SaaS sales.
Organisations already holding ISO 27001. The most straightforward path to ISO 27701 is for organisations already certified against ISO 27001. The PIMS extends the existing ISMS controls and can often be audited at the same time by the same certification body, making it a relatively efficient addition rather than a separate programme.
Healthtech, fintech, and B2B SaaS handling sensitive PII. Enterprise customers in regulated industries increasingly ask for ISO 27701 alongside SOC 2 or ISO 27001 as evidence of structured privacy governance, particularly for contracts that involve health data, financial records, or large-scale user data processing.
Organisations subject to GDPR, CCPA, or India’s DPDP Act. ISO 27701 doesn’t replace legal compliance with any of these regulations, but it provides a certifiable management system framework that makes demonstrating accountability – the hardest requirement in GDPR, CCPA, and DPDP Act compliance – structured and auditable.
Organisations without ISO 27001 (from 2025 onwards). The 2025 edition’s standalone certification path makes ISO 27701 accessible to organisations that haven’t pursued ISO 27001 and don’t intend to – particularly those whose core risk is privacy rather than general information security.
HIGHEST DEMAND SECTORS – The sectors where ISO 27701 is showing up most frequently in enterprise procurement requirements as of 2025.
A practical threshold test: if your sales team is fielding questions about your privacy programme in vendor security questionnaires – how you handle data subject requests, how you manage sub-processors, what your data retention policy is – those questions are exactly what a certified PIMS answers. ISO 27701 converts those questionnaire responses from one-off written statements into evidence from an independently audited system.
Related reading: What Is ISO 27701? · What Is a PIMS? · ISO 27701 vs GDPR
How GCAI helps: GCAI reviews the specific procurement requirements and regulatory obligations an organisation faces before recommending whether standalone ISO 27701, a joint ISO 27001+27701 programme, or a phased approach is the right sequence.
ISO 27701 vs GDPR: What’s the Difference?
They work at different layers. One is a management system standard. The other is the law.
The most persistent misconception about ISO 27701 is that achieving it means being GDPR-compliant. It doesn’t, and conflating the two creates real risk for organisations that treat a PIMS certification as a substitute for GDPR legal compliance work. The two instruments are complementary and designed to work together – but they operate at entirely different levels.
GDPR is a binding legal regulation that imposes specific obligations: establishing a lawful basis for every processing activity, executing Data Processing Agreements with processors, conducting Data Protection Impact Assessments for high-risk processing, notifying supervisory authorities within 72 hours of a breach, and responding to data subject access requests within one month. These are legal obligations enforced by supervisory authorities. An ISO 27701 certification does not fulfil any of them on its own.
| | ISO 27701 | GDPR |
|---|---|---|
| What it is | Voluntary international management system standard | Binding EU/UK privacy regulation |
| Issued by | International Organization for Standardization (ISO) | European Union; enforced by supervisory authorities |
| Enforced by | Certification body at audit; market expectation | Supervisory authorities; state attorneys general (UK) |
| What you get | An audited PIMS certificate (3-year validity, annual surveillance) | Legal compliance status – no certificate issued |
| Establishes lawful basis? | No – documents and governs your processes, but does not create a GDPR-recognised legal basis | Yes – Article 6 lawful bases must be established independently |
| Replaces DPAs/DPIAs? | No – supports them through PIMS controls but does not replace the GDPR legal instruments | GDPR requires both independently of any standard |
| Cross-law applicability | Yes – Annex D maps to GDPR; PIMS evidence reusable across CCPA, DPDP Act, LGPD, POPIA | EU/UK specific; other laws have equivalent but separate frameworks |
What ISO 27701 does for GDPR is make compliance operational, structured, and evidenced. The PIMS’s PII processing inventory directly supports the GDPR Article 30 Record of Processing Activities requirement. The DPIA programme within the PIMS supports Article 35 obligations. The data subject rights process supports Articles 15–22. The evidence produced by a functioning PIMS is the same evidence a supervisory authority looks for when investigating a complaint.

WHAT ONE PIMS CAN COVER – ISO 27701’s Annex D provides a direct mapping between PIMS controls and GDPR articles – the most complete privacy law cross-reference in any ISO standard.
Related reading: What Is ISO 27701? · PII Controllers vs PII Processors · The ISO 27701 Certification Process
How GCAI helps: GCAI implements ISO 27701 and GDPR compliance as parallel workstreams sharing a single evidence base – so the RoPA, DPIA records, and data subject rights process serve both the certification audit and the GDPR accountability obligation without duplication.
The ISO 27701 Certification Process
Two audit stages, a three-year certificate, and annual surveillance visits in between.
ISO 27701 certification follows the same two-stage audit process used for ISO 27001, conducted by an accredited third-party certification body. For organisations pursuing ISO 27701 alongside ISO 27001, both audits are typically run together by the same auditor to reduce duplication. For organisations pursuing standalone ISO 27701 under the 2025 edition, the audit is conducted against the PIMS requirements directly.

| Phase | What happens | Typical duration |
|---|---|---|
| Gap assessment | Identify where current privacy controls fall short of PIMS requirements; prioritise remediation sequencing | 2–4 weeks |
| Scope definition | Define the boundaries of the PIMS – which business units, systems, PII flows, and regulatory contexts are included | 1–2 weeks |
| PII inventory & RoPA | Build a comprehensive record of all processing activities, legal bases, data categories, sub-processors, and retention periods | 3–6 weeks |
| Control implementation | Deploy Annex A controls (controller), Annex B controls (processor), or both; document evidence of each | 2–4 months |
| DPIA programme | Conduct DPIAs for high-risk processing activities; embed into product and project workflows going forward | Ongoing from this point |
| Internal audit | Assess whether the PIMS is operating as documented; produce audit report and corrective actions | 2–4 weeks |
| Management review | Senior leadership review of PIMS performance, risks, and improvement actions – documented for audit evidence | Annual minimum |
| Stage 1 audit | Certification body reviews PIMS documentation, scope, and readiness; issues findings and confirms readiness for Stage 2 | 1–2 days on-site/remote |
| Stage 2 audit | Full operational audit; auditor confirms controls are functioning, evidence is current, and PIMS meets the standard | 2–5 days on-site |
| Certification issued | Certificate valid for 3 years; annual surveillance audits confirm continued compliance | 3-year cycle |
The Annex A and Annex B controls are the heart of what an auditor is checking. Annex A (PII controller) contains 31 controls grouped around conditions for collection and processing, obligations to data subjects, privacy by design and by default, and PII sharing. Annex B (PII processor) contains 18 controls focused on processing only under documented instructions, supporting the controller’s obligations, sub-processor management, and cross-border transfer safeguards.
ISO 27701 BY THE NUMBERS – The Stage 1 audit is where most organisations discover documentation gaps rather than control gaps. The actual controls often exist; the evidence that they’re operating consistently is what’s missing.
Related reading: What Is a PIMS? · PII Controllers vs PII Processors · ISO 27701 FAQ
How GCAI helps: GCAI runs the gap assessment, builds the PII inventory and RoPA, implements Annex A and B controls, prepares the Stage 1 documentation package, and supports the Stage 2 audit – the full certification programme, not just readiness advice.
ISO 27701 FAQ
The questions that come up most once the basics are out of the way.
Do I need ISO 27001 before pursuing ISO 27701? Not anymore. The 2025 edition of ISO 27701 is a standalone standard – ISO 27001 is no longer a prerequisite. Organisations without an existing ISMS can now implement and certify a PIMS directly. That said, organisations already holding ISO 27001 will find the incremental effort for ISO 27701 significantly lower, since governance, risk, and audit processes already exist and only need to be extended to cover privacy.
Is ISO 27701 certification the same as GDPR compliance? No – and this is the most important clarification in the entire guide. ISO 27701 certification means an accredited auditor has confirmed your PIMS is implemented and operating to the standard’s requirements. It does not establish a GDPR lawful basis, does not replace mandatory DPAs with processors, does not conduct DPIAs on your behalf, and does not fulfil breach notification obligations. It provides the framework and evidence that makes GDPR compliance operational, but legal compliance with GDPR is a separate obligation that must be met independently.
We’re certified under ISO 27701:2019. Do we need to transition? Yes. The 2019 edition is superseded by the 2025 edition. Existing certifications maintain their validity until the end of the current certification cycle, after which renewal must be against the 2025 standard. The transition involves reviewing scope boundaries, updating Annex A/B control mappings to align with ISO 27002:2022, and updating terminology throughout the PIMS documentation.
Can a company be certified as both a PII controller and a PII processor? Yes. ISO 27701 explicitly accommodates dual certification. An organisation acting as a controller for some data flows and a processor for others can be certified under both Annex A and Annex B, with the scope statement specifying which processing activities fall under each role. This is the norm for B2B SaaS businesses.
How long does ISO 27701 certification take? For an organisation already holding ISO 27001, additional preparation is typically 40–80 hours of focused effort over one to three months. For an organisation starting from scratch under the 2025 standalone path, a realistic preparation timeline is three to six months, depending on the volume and complexity of PII processing in scope.
Does ISO 27701 cover employee data as well as customer data? Yes. ISO 27701 applies to all PII processing within the defined scope, which typically includes employee data (HR, payroll, access logs), contractor data, customer and end-user data, and any third-party data processed on behalf of controllers. Most organisations include employee data in scope from the outset since it’s where controller obligations are clearest and where evidence is easiest to produce.
Which privacy laws does ISO 27701 map to? The standard includes Annex D, which maps PIMS controls directly to GDPR articles. The same PIMS framework also supports CCPA/CPRA (California), India’s DPDP Act 2023, Brazil’s LGPD, and South Africa’s POPIA, since all of these laws share structural similarities with GDPR around consent, data subject rights, breach response, and vendor oversight. A correctly implemented PIMS generates evidence usable across all of them without rebuilding for each law separately.
Related reading: What Is ISO 27701? · ISO 27701 vs GDPR · The ISO 27701 Certification Process
How GCAI helps: GCAI’s ISO 27701 gap assessment covers the questions above for your specific data environment – including dual-role scoping, the 2019-to-2025 transition plan if applicable, and which privacy regulations your PIMS will need to support.