Most organisations that have achieved ISO 27001 certification have spent months building something valuable: a working Information Security Management System. What many have not yet done is extend that work to cover privacy. ISO 27701 exists precisely to close that gap. It is not a separate standard that replaces your ISMS; it is a privacy extension that sits on top of it, adding the controls, processes, and accountability structures needed to manage personal data with the same rigour you already apply to information security.
What ISO 27701 Actually Adds
ISO 27701 is formally titled the Privacy Information Management System (PIMS) standard. Published in 2019 as an extension to both ISO 27001 and ISO 27002, its purpose is to help organisations demonstrate accountability for personal data, both as controllers and as processors. The additions fall into three areas:
- Extended requirements on ISO 27001 Clauses 4 to 10 (the core management system clauses), with privacy-specific additions at each stage.
- PIMS-specific control guidance extending ISO 27002 Annex A with privacy considerations, plus new controls covering PII handling, purpose limitation, data subject rights, and third-party data sharing.
- Separate guidance for controllers and processors, recognising that accountability looks different depending on your role in each processing activity.
What Your ISMS Covers, and What It Does Not
| ISO 27001 Covers | ISO 27001 Does Not Address |
|---|---|
| Risk management for information assets | Legal basis for personal data processing |
| Access control and identity management | PII-specific purpose limitation and minimisation |
| Incident management and response | Data subject rights (access, erasure, portability) |
| Supplier / third-party security obligations | Privacy notices and consent management |
| Internal audit and management review | Privacy Impact Assessments (DPIAs) |
| Asset inventory and classification | Retention and disposal schedules for PII |
| Business continuity planning | Controller-processor contractual requirements |
The gap is not as large as it looks. Most missing elements build on infrastructure that already exists in a mature ISMS. Organisations with a well-maintained ISO 27001 programme typically find that 50 to 70 percent of the ISO 27701 work is already done or largely in place.
The 7 Steps to Extend Your ISMS Into a PIMS
- Step 1, Privacy-specific gap assessment: Map your current ISMS against the additional ISO 27701 requirements. Identify what is satisfied, what is partially covered, and what is genuinely absent. This gap register becomes your implementation roadmap.
- Step 2, Define your role (controller, processor, or both): ISO 27701 has separate control sets for each role. Many organisations are controllers in some contexts and processors in others; your PIMS needs to reflect that reality.
- Step 3, Extend your asset inventory to cover PII: Your ISMS already has an asset inventory. Extend it to include a Record of Processing Activities (RoPA) documenting what personal data you hold, why, the legal basis, sources, recipients, and retention periods. This is one of the most time-consuming steps and one of the most valuable.
- Step 4, Update risk management to include privacy risks: Extend your risk assessment methodology with PII-specific categories: unlawful processing, excessive retention, inadequate consent, unauthorised third-party transfer. Run a privacy-focused risk assessment against your processing activities.
- Step 5, Develop PIMS policies and procedures: At minimum: Privacy Policy (internal), Data Subject Rights procedure, DPIA procedure, Privacy by Design checklist, data breach procedure with PII elements, retention and disposal schedule, and controller-processor contract templates.
- Step 6, Implement PIMS-specific controls: Annex B extends the ISO 27002 controls with privacy guidance. Annexes C and D add controls unique to controllers and processors. Most can be implemented as extensions to existing controls.
- Step 7, Integrate PIMS into your audit and review cycle: Aim for a single, integrated management system, not two parallel systems. Update your internal audit programme, add privacy metrics to management review, and ensure your PIMS has a named owner.
The Documentation Auditors Will Expect
- Record of Processing Activities (RoPA), complete and reviewed
- Privacy Policy, internal version, signed and dated
- Data Subject Rights procedure with documented response timelines
- DPIA procedure and completed DPIA records for high-risk processing
- Privacy by Design checklist for new projects
- Controller-processor contracts with all relevant vendors
- Data breach procedure with PII-specific notification steps
- Consent management records (where processing relies on consent)
- Data retention schedule covering all categories of personal data
- Privacy risk register, linked to your main ISMS risk register
- Training records for privacy awareness training delivered to all relevant staff
- Management review minutes, including PIMS agenda items
The most common finding in first-time ISO 27701 audits is not that privacy controls are absent; it is that they exist informally without documentation. Your team may handle data subject requests carefully, but if there is no written procedure, no defined response timeline, and no log of requests received, an auditor cannot confirm the control is real. In a PIMS audit, undocumented processes are treated as absent processes.
Combined vs Phased Certification: Which Approach Is Right
| Combined (27001 + 27701 together) | Phased (27001 first, 27701 later) |
|---|---|
| Single audit, lower total cost | ISMS foundation fully established before adding complexity |
| Integrated ISMS/PIMS from the start | Privacy gap assessment can be done more thoroughly post-27001 |
| Faster time to full accountability | Easier to resource the implementation in stages |
| Best if privacy obligations are well-understood | Better fit if PII processing scope is still being mapped |
| Suitable under immediate regulatory pressure | Allows team to develop privacy expertise over time |
For most organisations that already hold ISO 27001 certification and face customer-driven or regulatory privacy requirements, the combined or phased extension approach is the right path. Starting from scratch on privacy when you already have a functioning ISMS is unnecessary duplication.
Pre-Implementation PIMS Readiness Checklist
- ISO 27001 certification in place or implementation mature
- Roles defined (controller, processor, or both) for each activity
- Record of Processing Activities started or in progress
- Data flows mapped for major business functions
- Legal basis identified for each processing activity
- Privacy risks identified and added to risk register
- Data subject rights procedure drafted or in place
- DPIA procedure defined and applied to high-risk activities
- Vendor contracts reviewed for data processing clauses
- Privacy awareness training delivered to relevant staff
- Retention schedule defined for all categories of personal data
- Privacy lead or DPO identified and accountabilities documented
The work required to build a PIMS is mostly documentation, structured process, and a clear understanding of where personal data sits in your organisation. If the ISMS foundation is solid, the extension to a full PIMS is closer than most organisations realise.
Frequently Asked Questions
Typically 50 to 70%. Your risk management process, asset inventory, internal audit cycle, management review, access controls, incident management, and supplier management all carry over directly. The new work is primarily: RoPA, consent management, data subject rights procedures, privacy notices, DPIAs, and retention schedules.
No. ISO 27701 is an extension to ISO 27001 and requires the ISMS foundation. However, you can pursue both certifications together in a single integrated programme; a combined audit is the most efficient approach for organisations not yet ISO 27001 certified.
The Record of Processing Activities (RoPA). Most organisations with ISO 27001 have an asset inventory but have not mapped personal data processing activities at the level of detail ISO 27701 requires: documenting purpose, legal basis, retention periods, recipients, and cross-border transfers for each activity.
For organisations already ISO 27001-certified with a mature ISMS, 3 to 6 months is typical. The timeline depends on the complexity of your data processing activities, the maturity of existing privacy practices, and how many gaps the initial assessment reveals.
If you already hold ISO 27001 and face immediate privacy requirements from customers or regulators, combined certification is more cost-effective. If your ISMS still has gaps or your PII processing scope is not fully mapped, a phased approach lets you strengthen the foundation first and add ISO 27701 at the next surveillance or recertification audit.