Strengthen Your Data Privacy & Security with ISO 27701
Implement a certifiable Privacy Information Management System (PIMS) aligned with ISO 27701 to enhance regulatory compliance, accountability, and trust.
WHAT IS ISO 27701
ISO/IEC 27701 is the international standard for Privacy Information Management Systems, turning personal data protection into a certifiable framework.
ISO/IEC 27701 establishes the requirements for organizations that process personal data, whether as controllers or processors, to implement, maintain, and continually improve a Privacy Information Management System (PIMS) as an extension of ISO 27001. It provides a structured approach to managing privacy risks, complying with regulations such as the GDPR, and demonstrating compliance to regulators, investors, clients, and other stakeholders.
UNLOCK THE BENEFITS OF ISO 27701
Demonstrate GDPR Readiness
ISO 27701 maps directly to GDPR, LGPD, and CCPA requirements, giving regulators and auditors a certified framework to review.
Build Client & Partner Confidence
Show customers and enterprise partners that personal data is governed by an independently certified management system.
Reduce Privacy Risk Exposure
Identify and mitigate privacy risks across your data processing activities before they become incidents or regulatory findings.
Win Privacy-Sensitive Contracts
Enterprise procurement teams and public sector clients increasingly require ISO 27701 certification as a baseline supplier qualification.
ROADMAP TO ISO 27701 CERTIFICATION
Phase 1 — PII Inventory & Gap Analysis
Map all personal data processing activities across your organisation. Identify gaps against ISO 27701 requirements and assess existing privacy controls.
Phase 2 — Scoping & Planning
Define the PIMS scope, assign privacy roles, and establish risk assessment criteria for personal data processing activities.
Phase 3 — Implementation
Establish privacy controls, data subject rights procedures, processor management policies, and the documentation required by ISO 27701.
Phase 4 — Stage 1 Audit
Zertia reviews your PIMS documentation to confirm readiness for the on-site certification assessment and identifies any areas requiring attention.
Phase 5 — Stage 2 Audit
An on-site assessment evaluates the implementation of your privacy controls, processing activity records, and evidence of PIMS effectiveness.
Phase 6 — Certification & Surveillance
The ISO 27701 certificate is issued upon successful completion of the audits. It is valid for 3 years, with annual surveillance audits to verify ongoing privacy conformance.
Commitment to Excellence
We operate as an accredited, independent assurance body, delivering certifications and audits that regulators, investors, and boards trust.
Accreditation
Accredited as a Conformity Assessment Body for AI Management Systems by ANAB (United States), with accreditation in progress with UKAS (United Kingdom) and ENAC (Spain - EU).
Credentials
Our team is qualified by leading international organisations for training and certification in AI, data and privacy governance.
Memberships
Member of IAPP, INCITS, UKAI and signatory to the EU AI Pact.
FREQUENTLY ASKED QUESTIONS
What is ISO 27701 and why does it exist?
ISO/IEC 27701 is the international standard for Privacy Information Management Systems (PIMS). Originally published as an extension of ISO 27001 and ISO 27002, it was developed to address a specific gap: while ISO 27001 provides a robust framework for information security, it does not explicitly cover personal data governance or privacy obligations. ISO 27701 adds privacy-specific controls and requirements to an existing Information Security Management System (ISMS), giving organizations a structured and auditable approach to managing personally identifiable information (PII). It is designed to support compliance with data protection regulations such as the GDPR, Brazil's LGPD, California's CCPA, and other privacy frameworks worldwide. The standard applies to organizations acting as PII controllers, PII processors, or both.
Do we need ISO 27001 before pursuing ISO 27701 certification?
No. Since the publication of ISO/IEC 27701:2025 in October 2025, the standard no longer requires ISO 27001 as a prerequisite. The previous version (ISO/IEC 27701:2019) was designed as an extension of ISO 27001 and could not be implemented or certified independently. The 2025 edition changes this significantly: ISO 27701 is now a standalone standard, with its own management system structure (Clauses 4 through 10) following the ISO High-Level Structure. Organizations can implement and certify their Privacy Information Management System (PIMS) independently. This change responds to a practical need. Many privacy-focused organizations, particularly in SaaS, cloud, and digital services environments, needed to demonstrate personal data governance without first building a full ISMS under ISO 27001. The 2025 edition removes that barrier to entry. That said, both standards remain fully compatible. Organizations that already hold ISO 27001 will find significant overlap in controls and documentation, making integration straightforward and efficient. For organizations that handle sensitive data alongside AI systems, obtaining ISO 27001 and ISO 27701 together remains the most comprehensive option, as it covers both information security and privacy under a single governance framework. Organizations currently certified under ISO 27701:2019 have a transition period of approximately three years to migrate to the new edition. New certifications should already be conducted under the 2025 edition. Zertia can structure both combined engagements (ISO 27001 + ISO 27701) and independent ISO 27701 certifications, depending on each organization's needs and maturity.
Does ISO 27701 certification mean we are GDPR compliant?
No. ISO 27701 certification does not automatically constitute GDPR compliance. The GDPR is a legal framework with specific requirements that go beyond the scope of any single standard, including provisions on data subject rights, lawful bases for processing, impact assessments, and international data transfers. However, ISO 27701 provides a structured and auditable framework that directly addresses many GDPR requirements, particularly in the areas of data governance, processing controls, third-party management, and proactive accountability. Organizations that achieve ISO 27701 certification are significantly better positioned to demonstrate compliance to supervisory authorities, clients, and partners. The certificate does not replace legal assessment, but it provides the operational infrastructure that makes compliance demonstrable and defensible.
Who needs ISO 27701 certification?
ISO 27701 is relevant to any organization that processes personal data, whether as a data controller or a data processor. This includes technology companies handling user data, cloud service providers processing data on behalf of clients, healthcare organizations managing patient records, financial institutions processing customer information, and any business subject to privacy regulations in its operating jurisdictions. For organizations that already hold ISO 27001, adding ISO 27701 extends their security posture to explicitly cover privacy. For companies operating across multiple regulatory jurisdictions, ISO 27701 provides a single, internationally recognized framework for privacy governance, rather than managing compliance on a regulation-by-regulation basis.
How does ISO 27701 relate to ISO 42001?
ISO 27701 governs how an organization manages personal data. ISO 42001 governs how an organization manages AI systems. The intersection is significant: AI systems frequently process large volumes of personal data, creating privacy risks that both frameworks need to address. Organizations deploying AI in areas such as HR technology, financial services, healthcare, or marketing typically need to address AI governance and privacy management simultaneously. Holding ISO 42001 and ISO 27701 together, built on an ISO 27001 foundation, provides comprehensive coverage across AI risk, information security, and data protection. Zertia certifies all three standards and can design integrated audit programs that cover the full governance stack.
How long does the ISO 27701 certification process take?
For organizations that already hold ISO 27001 certification, ISO 27701 can typically be added in 4 to 8 weeks as an extension audit. For organizations implementing ISO 27001 and ISO 27701 simultaneously, the combined process generally takes 3 to 6 months depending on organizational size and complexity. The process includes a review of privacy-specific controls, an assessment of PII processing activities, and verification that the PIMS extension is fully integrated with the underlying ISMS.
How long is ISO 27701 certification valid?
ISO 27701 certification follows the same three-year cycle as ISO 27001. Annual surveillance audits verify ongoing conformity with both the ISMS and the PIMS extension. At the end of the cycle, a recertification audit is required to renew the certificate.
What does ISO 27701 certification cost?
Costs depend on the scope of your privacy management system, the volume and sensitivity of personal data processed, the number of processing activities in scope, and whether ISO 27001 certification is already in place. Zertia provides transparent, customized quotes following an initial scoping conversation. Our pricing includes all audit phases, the certification decision, and certificate issuance with no hidden fees. Contact our team to receive a detailed proposal tailored to your specific situation.
ACCREDITATION
Zertia is pursuing ISO 27701 accreditation
We are currently in the process of obtaining ISO/IEC 27701 accreditation from ANAB (ANSI National Accreditation Board) in the United States and ENAC (Entidad Nacional de Acreditación) in the European Union (Spain).
This process involves a formal evaluation of our technical competence, impartiality, and compliance with the applicable requirements for certification bodies under international standards.
Your fast track to compliance starts here
Our team is ready to support your compliance, cybersecurity, and privacy needs. Complete the contact form or reach out to hello@zertia.ai, and our experts will guide you through the next steps.
