ISO 27701 is the global benchmark for managing personal data responsibly and securely. It extends the ISO 27001 framework to include specific requirements for privacy, helping organisations build trust through transparent and compliant data practices.
Our ISO 27701 implementation service helps your organisation design and maintain a robust Personal Information Management System (PIMS). We guide you through every stage — from assessing your current compliance level to developing and integrating the necessary controls — ensuring you meet international privacy standards with confidence.
We review your current status and assess the time, effort and tooling required to achieve the standard.
Usually takes between one and two days to complete.
We produce a detailed project plan that outlines the control implementation requirements.
This includes the development of new documentation, amendments to existing documentation and change to working practices.
Our skilled and experienced team work with you to implement the required additional controls and amend the existing controls for ISO 27001.
This involves a number of meetings to develop the documentation and have regular catch up meetings to discuss the change management activities that are required.
Once the implementation has been completed, we will plan and undertake an internal audit of the new controls for ISO 27701 and the amended controls for ISO 27001.
This typically takes two days and we then document our findings in a fully detailed audit report.
We will state where we have found any non-conformities and observations and then suggest options for improvement.
We will also make recommendations on how to address the actions needed prior to certification.
We support our clients through the certification.
An external organisation will have to certify the standard and we will be on hand to support you through the certification audit.
The major benefit of certification in ISO 27701 is that it is the only internationally recognised certification in data privacy management. At this point, there is no certification for being GDPR compliant. However, with this standard in place, an organisation can state that it complies with not only the ISO requirements, but also data protection legislation such as GDPR, HIPAA and CCPA.
There are obvious commercial benefits to becoming ISO 27701 certified. These relate to the competitive edge than can be obtained with having this certification in procurement and bid tendering scenarios.
This certification is an add-on to ISO 27001 (the international standard for information security).
Therefore, you have to have an existing ISO 27001 certification, or you can add this onto a new ISO 27001 certification.
There are an additional 49 controls in addition to those required by ISO 27001. These are focused on the development and management of personal data.
All organisations need to have reviewed and recorded what personal data they process as a Data Controller and as a Data Processor.
Adherence to the basic principles of data protection is very important in ISO 27701. This has to be reflected in the Privacy Management System.
The privacy controls sit alongside your information security controls and are focused on the protection of personal data.
There must be evidence of how the organisation will improve the management of the security of personal data.
