ISO 27701: A Privacy Extension to Your ISMS
ISO 27001 secures information; ISO/IEC 27701 extends it to privacy. If you already run an ISMS, 27701 layers on a Privacy Information Management System (PIMS) — and gives you a certifiable way to demonstrate good privacy practice to customers and regulators.
What it adds
27701 doesn’t replace 27001 — it builds on it. It adds privacy-specific requirements and two extra sets of controls: one for organisations acting as a PII controller, and one for those acting as a PII processor. You implement whichever apply to you (often both).
Controller controls
Consent, purpose, data-subject rights, records of processing, privacy-by-design.
Processor controls
Acting only on instructions, sub-processor management, assisting the controller.
Extended ISMS clauses
Privacy woven through risk assessment, roles, and the Statement of Applicability.
The GDPR connection
27701’s control set maps closely to GDPR obligations, which is exactly why buyers like it: a certificate is independent evidence that your privacy programme is structured and operating. It doesn’t make you “GDPR certified” (no such thing exists), but it’s the most credible privacy assurance you can hand a customer.
How to certify
- Have a working ISO 27001 ISMS in place (27701 builds on it).
- Determine your role(s): PII controller, processor, or both.
- Implement the relevant Annex A/B privacy controls and update your SoA.
- Run a privacy risk/impact assessment and close gaps.
- Certify 27701 alongside (or just after) your 27001 audit.
The bottom line
If security and privacy are converging in your customer questionnaires, 27701 lets you answer both with one programme. Build it on your existing ISMS and you get privacy assurance without standing up something entirely new.
Run ISO 27701 on top of 27001
Cyber Horizon’s shared control library extends your ISMS into privacy — so one evidence set covers ISO 27001, 27701 and GDPR-aligned controls together.