How to Get ISO 27701 Certified: The Process

The ISO 27701 certification process builds directly on ISO 27001, so the path depends on whether you already hold that certificate. If you do, adding ISO 27701 is an extension audit; if not, the two are usually pursued together. This guide explains the ISO 27701 certification process stage by stage, how long it takes, and how to prepare so the privacy audit goes smoothly.

ISO 27701 certification process toolkit
A toolkit that streamlines the ISO 27701 certification process end to end.

First, the prerequisite

You need an ISO 27001 information security management system as the foundation. You can either already hold ISO 27001, or implement it alongside ISO 27701 and certify both together. You cannot certify to ISO 27701 on its own — see how the two standards work together.

The ISO 27701 certification process

  1. Establish (or confirm) your ISO 27001 ISMS. This is the base the PIMS extends.
  2. Determine your role(s). Are you a PII controller, a processor, or both? This sets which controls apply.
  3. Gap analysis. Compare your current privacy practices against ISO 27701’s added requirements and controls.
  4. Extend the system. Add the privacy policy, records of processing, extended Statement of Applicability, and the Annex A/B controls that apply.
  5. Implement & operate. Run the PIMS so it generates privacy records — data-subject requests, assessments, and more.
  6. Internal audit & management review. Cover both security and privacy scope.
  7. Stage 1 & Stage 2 audits. Typically conducted as an integrated audit alongside ISO 27001.
  8. Certification. Pass, and your certificate covers the PIMS, usually valid for three years with surveillance audits.

Get audit-ready faster.

The ISO 27701 Toolkit gives you the complete, auditor-written privacy document set ready to layer onto your ISO 27001 ISMS — so you spend your time implementing, not drafting.

Get the ISO 27701 Toolkit →

How long does it take?

If you already hold ISO 27001, adding ISO 27701 is often a matter of a few months, since the management-system machinery is already running. Building both from scratch takes longer — plan for a combined ISMS-plus-PIMS timeline. Starting from a complete document set is the biggest accelerator; see the documentation checklist.

How to prepare efficiently

  • Get ISO 27001 solid first (or in parallel) — the PIMS depends on it.
  • Map your data flows and build your records of processing early.
  • Confirm your controller/processor role for each processing activity.
  • Choose a certification body accredited for ISO 27701.

Common pitfalls in the ISO 27701 certification process

The most frequent misstep is treating privacy as an afterthought bolted onto a security system. ISO 27701 expects privacy to be embedded — a defined controller or processor role, records of processing, and privacy impact assessments that are actually used. Teams also underestimate the ISO 27001 prerequisite: you cannot certify a PIMS without the underlying ISMS. Run your internal audit and management review across both security and privacy before Stage 2. The standard is published by ISO, and an accredited body issues the certificate after a successful audit.

Frequently asked questions

Can I get ISO 27701 without ISO 27001?

No — ISO 27701 extends ISO 27001, so an ISMS must be in place (or implemented at the same time).

Is it a separate certificate?

It’s typically certified as an extension of your ISO 27001 scope, often through a single integrated audit.

For the full background, read our complete guide to ISO 27701.

Handled well, the ISO 27701 certification process is a manageable extension rather than a second project: reuse your ISO 27001 machinery, add the privacy layer, and one coordinated audit covers both.

Cost follows the same logic as effort: because ISO 27701 rides on your ISO 27001 system, the incremental audit cost is far smaller than a standalone certification. Budget for extra assessor days to cover the privacy scope rather than a second full audit, and the ISO 27701 certification process stays affordable.