ISO 27701: The Complete Guide to Privacy Information Management

ISO 27701 privacy information management extends ISO 27001 to cover how you handle personal data, giving you a certifiable Privacy Information Management System (PIMS). Where ISO 27001 protects information in general, ISO 27701 privacy information management adds the controls, roles, and documentation needed to manage privacy and support regulations like the GDPR. This guide explains what it is, how it works as an extension, and how to get certified.

An editable ISO 27701 privacy information management toolkit that extends ISO 27001.

What is ISO 27701?

ISO/IEC 27701:2019 specifies requirements and guidance for establishing, implementing, maintaining, and continually improving a Privacy Information Management System. In plain terms, it takes your information-security management system and extends it to cover the privacy of personal data (PII — personally identifiable information).

It’s the privacy counterpart to ISO 27001 — and, importantly, it’s built directly on top of it.

The key thing to understand: it’s an extension

ISO 27701 is not a standalone standard. It extends ISO 27001 and ISO 27002. You can’t certify to ISO 27701 without an ISO 27001 information security management system underneath it — the two work together as one integrated system.

We explain exactly how they fit together in our guide to how ISO 27701 and ISO 27001 work together.

Why ISO 27701 privacy information management matters

  • Privacy law is everywhere. GDPR, and a growing wave of similar laws worldwide, demand demonstrable privacy governance.
  • It proves accountability. Certification is independent evidence that you manage personal data responsibly.
  • It builds customer trust. Increasingly, buyers and partners ask how you protect personal data, not just how you secure systems.
  • It maps to GDPR. The standard includes a mapping that helps you demonstrate alignment — more in our guide to ISO 27701 and GDPR.

Controllers and processors

A defining feature of ISO 27701 is that it addresses two roles: PII controllers (who decide why and how personal data is processed) and PII processors (who process it on a controller’s behalf). Your obligations differ depending on which you are — often you’re both. We unpack this in our guide to PII controllers vs processors.

Skip the blank page.

The ISO 27701 Toolkit gives you the full privacy extension — privacy policies, PII controller and processor controls, records of processing, and GDPR-aligned templates — as fully editable, auditor-written files mapped to ISO/IEC 27701:2019.

Explore the ISO 27701 Toolkit →

How the standard is structured

ISO 27701 adds privacy-specific requirements to the ISO 27001 clauses, and introduces additional controls:

  • Annex A — PIMS-specific controls for PII controllers
  • Annex B — PIMS-specific controls for PII processors

These extend the familiar ISO 27001 Annex A / ISO 27002 controls into the privacy domain.

The documentation you’ll need

Beyond your ISO 27001 documentation, ISO 27701 adds privacy-specific policies and records. See the full breakdown in the complete documentation checklist.

Getting certified

Because it extends ISO 27001, certification is usually pursued alongside or after ISO 27001. We walk through the process in our guide to the ISO 27701 certification process.

Who should adopt ISO 27701 privacy information management

Any organisation that processes personal data at scale — SaaS providers, processors handling customer data, and enterprises with privacy obligations — is a strong candidate. Because ISO 27701 privacy information management is an extension, you must have or pursue ISO 27001 first; the two are certified together. The standard is published by ISO, and while certification demonstrates a mature privacy programme, it is not a substitute for legal compliance with any specific law. ISO 27701 helps you operationalise privacy, but your legal obligations still come from regulations like the GDPR.

How to get started

The fastest path is to start from a complete PIMS document set — privacy policies, controller and processor controls, records of processing, and GDPR-aligned templates — layered onto your ISO 27001 foundation.

