ISO/IEC 27701 extends ISO/IEC 27001 and ISO/IEC 27002 with requirements and guidance for a Privacy Information Management System (PIMS), covering the processing of personally identifiable information (PII).
ISO/IEC 27701 is the privacy extension to ISO/IEC 27001 and 27002. It turns an existing information security management system into a Privacy Information Management System (PIMS) by adding requirements and controls specific to handling personally identifiable information (PII), distinguishing the roles of PII controller and PII processor. It is widely used to demonstrate accountability against regulations such as the GDPR.
Because it builds on ISO 27001, an established ISMS is a prerequisite. The incremental effort focuses on the privacy-specific controls and documentation rather than rebuilding a management system from scratch.
Public information about the framework itself. We don't claim certifications, assessment status, or authorizations for our own product.
How the platform supports your ISO/IEC 27701 program, from first scoping through ongoing monitoring.
Ensure an ISO 27001 ISMS is in place, since 27701 extends it.
Determine where you act as PII controller, processor, or both, and apply the matching controls.
Connect controller/processor controls to tests and evidence, reusing ISO 27001 work.
Keep records of processing and accountability documentation current over time.
Public, high-level control or requirement areas, listed for orientation rather than as a complete control list.
ISO/IEC 27701 shares controls with frameworks you may already run. A passing test can satisfy requirements in more than one place, so adding the next framework means reusing work rather than repeating it.
No. ISO 27701 is an extension, so a working ISO 27001 ISMS (certified or being certified) is a prerequisite.
ISO/IEC 27701 certification does not by itself grant legal compliance, but it provides a recognized framework that maps to GDPR obligations and supports demonstrable accountability.
ISO/IEC 27701 defines separate control sets for organizations acting as PII controllers and as PII processors; you apply the set for whichever roles you hold, or both.