For compliance teams, the proliferation of privacy regulations creates a real operational problem: GDPR, DPDP Act, and CCPA all require similar things — consent management, data subject rights workflows, breach notification, processor agreements — but each regulation phrases its requirements differently, with different enforcement mechanisms and different evidence standards. ISO 27701 solves this by providing a single structured framework that maps to all three simultaneously. If your organisation already holds ISO 27001 certification, ISO 27701 is the most efficient path to demonstrating privacy maturity across every market you operate in.
Sources: ISO/IEC 27701:2019; ISO 27701 Annex D mapping; SecComply implementation data.
What Is ISO 27701?
ISO 27701 (formally ISO/IEC 27701:2019) is an extension to ISO 27001 and ISO 27002 that specifies requirements and guidance for establishing, implementing, maintaining, and continually improving a Privacy Information Management System (PIMS). It provides a framework for processing Personally Identifiable Information (PII) in a manner that is transparent, accountable, and demonstrably compliant.
Unlike GDPR, which is a legal regulation with penalties, ISO 27701 is a voluntary international standard. Its value lies in providing a structured, auditable privacy management framework that simultaneously serves as evidence of compliance readiness under multiple regulations. Certification does not equal GDPR compliance — but it substantially demonstrates it.
The standard is structured to work for two types of organisations, with separate control sets for each:
PII Controller: your organisation decides why and how PII is processed.
- Most SaaS companies collecting customer data
- Enterprises using customer data for marketing or analytics
- Any organisation determining the purpose of processing
- Must comply with Annex B controls
PII Processor: you process PII on behalf of another organisation.
- Cloud infrastructure providers
- Payroll and HR software vendors
- Managed service providers
- Must comply with Annex C controls
How It Relates to ISO 27001
ISO 27701 is not a standalone standard. It extends ISO 27001 — which means the ISO 27001 ISMS is the mandatory foundation. Understanding this architectural relationship prevents the most common ISO 27701 implementation mistake: trying to build a PIMS without first having the ISMS in place.
ISO 27701 layers privacy-specific controls on top of ISO 27001 by extending the context-setting requirements to include privacy considerations, adding privacy-specific objectives to the risk management process, introducing two new annexes of controls (Annex B for controllers, Annex C for processors), and requiring the existing ISMS scope to explicitly cover PII processing activities.
Organisations that do not yet hold ISO 27001 can pursue both certifications simultaneously in a unified programme. This is more efficient than sequential implementation because the evidence collection, auditor engagement, and management processes overlap significantly. The combined audit is typically conducted by the same certification body in a single engagement — reducing cost and team disruption.
What ISO 27701 Actually Requires
The standard follows the same clause structure as ISO 27001. Here is what each major clause adds for privacy:
The RoPA — Foundation of Your PIMS
If there is one artefact that underpins ISO 27701 compliance, it is the Record of Processing Activities. Required under both ISO 27701 and GDPR Article 30, the RoPA is simultaneously an audit artefact, a data governance tool, a DPIA trigger mechanism, and a privacy risk register. At minimum, each entry must capture:
- the purpose of the processing
- the legal basis for the processing
- the categories of data subjects and of PII
- recipients and third parties
- retention periods
- security measures
Most organisations build the RoPA as a one-time exercise during certification preparation. In practice, it needs to be a living document with a defined owner, a change management process, and a review cycle tied to new product features, vendor onboarding, and regulatory changes. A stale RoPA is both a compliance gap and a red flag for auditors.
The RoPA is the operational core of any ISO 27701-compliant PIMS — it must be maintained as a living document, not a certification artefact. Auditors examine it closely for completeness, accuracy, and evidence of regular review.
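As an added illustration (not part of the original article or of the SecComply product), the following Python check treats the RoPA as a structured register and flags what an auditor would look for in a "living document": missing minimum fields, no defined owner, an overdue review, and processors located outside the home region (a cross-border transfer indicator). The annual review cycle, the EU home region, the field names and the two sample entries are assumptions constructed for the example.

```python
from datetime import date, timedelta

# Minimum content of a RoPA entry as listed on the page (GDPR Art. 30 / ISO 27701).
REQUIRED_FIELDS = ("purpose", "legal_basis", "data_subjects", "pii_categories",
                   "recipients", "retention_period", "security_measures")
REVIEW_CYCLE = timedelta(days=365)  # assumption: every entry is reviewed at least annually
HOME_REGION = "EU"                  # assumption: the controller is established in the EU

def check_entry(entry: dict, as_of: date) -> list[str]:
    """Return audit findings for one RoPA entry; an empty list means the entry is clean."""
    eid = entry.get("id", "<no id>")
    findings = [f"{eid}: missing required field '{name}'"
                for name in REQUIRED_FIELDS if not entry.get(name)]
    if not entry.get("owner"):
        findings.append(f"{eid}: no defined owner")
    last = entry.get("last_reviewed")
    if last is None or as_of - last > REVIEW_CYCLE:
        findings.append(f"{eid}: review overdue (last reviewed {last})")
    # A processor located outside the home region implies a cross-border transfer.
    for proc in entry.get("processors", []):
        if proc.get("location") != HOME_REGION:
            findings.append(f"{eid}: cross-border transfer to {proc['location']} via "
                            f"processor {proc['name']}; transfer mechanism must be documented")
    return findings


def audit_ropa(ropa: list[dict], as_of: date) -> list[str]:
    """Run check_entry over the whole register and collect every finding."""
    return [finding for entry in ropa for finding in check_entry(entry, as_of)]


# Constructed sample register: one maintained entry and one stale, incomplete entry.
SAMPLE_ROPA = [
    {"id": "ROPA-001", "purpose": "Customer account management",
     "legal_basis": "Contract (GDPR Art. 6(1)(b))", "data_subjects": ["customers"],
     "pii_categories": ["name", "email"], "recipients": ["internal support"],
     "retention_period": "account lifetime + 2 years", "owner": "Head of Product",
     "security_measures": ["encryption at rest", "RBAC"], "last_reviewed": date(2024, 3, 1),
     "processors": [{"name": "eu-hosting-example", "location": "EU"}]},
    {"id": "ROPA-002", "purpose": "Marketing analytics", "legal_basis": "",
     "data_subjects": ["website visitors"], "pii_categories": ["IP address", "device id"],
     "recipients": ["marketing team"], "retention_period": "", "owner": None,
     "security_measures": ["pseudonymisation"], "last_reviewed": date(2022, 6, 15),
     "processors": [{"name": "us-analytics-example", "location": "US"}]},
]
AS_OF = date(2024, 9, 1)  # constructed audit date
if __name__ == "__main__":
    for finding in audit_ropa(SAMPLE_ROPA, AS_OF):
        print(finding)
```

Run on a real register exported from your GRC tool, the same checks become the evidence of regular review that the audit asks for.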
Privacy by Design — From Principle to Evidence
ISO 27701 operationalises the privacy by design principle (GDPR Article 25) by requiring organisations to embed privacy considerations into the design of new systems and product features before implementation begins. For SaaS companies, this has direct engineering implications — it is not a policy statement, it is a development process requirement.
In practice, privacy by design under ISO 27701 means Privacy Impact Assessments are triggered by defined criteria before high-risk processing begins, engineering teams consult privacy controls at the design stage with documented evidence of that consultation, default settings for new products are the most privacy-protective option available, and data minimisation is actively enforced at the schema level — not reviewed after launch.
ISO 27701 auditors look for evidence that privacy by design was applied — not just that a policy exists saying it should be. This means DPIA records for new features, design review notes, schema documentation showing only necessary fields are collected, and evidence that privacy was considered before deployment. Teams that implement this as a process rather than a paperwork exercise produce the strongest audit evidence.
Data Subject Rights — Building the Response Process
ISO 27701 requires organisations to establish operational processes for handling data subject rights requests. Under GDPR these must typically be fulfilled within 30 days. Under DPDP Act the obligation is equally firm. Each right needs a documented owner, a response workflow, an identity verification step, and a request log for audit purposes.
Each right must have a corresponding technical capability — not just a policy. The ability to export a user's data in machine-readable format, delete their records across all systems including backups, and verify the identity of the requesting party must all be tested and evidenced before the audit.
Third-Party Privacy Risk — Processor Obligations
ISO 27701 places significant emphasis on the privacy risks introduced by third-party processors and sub-processors. PII controllers should only engage processors who provide sufficient guarantees of appropriate privacy controls — SOC 2 reports, ISO 27701 certificates, or equivalent evidence. Data Processing Agreements must be in place with all processors handling your customers' PII, specifying PII categories, processing purposes, sub-processor notification obligations, and security requirements.
Maintain a register of all processors and sub-processors including their processing locations — to identify cross-border transfer implications — and establish a notification process for when processors engage new sub-processors or experience a breach affecting your data. This processor register must be kept current and reviewed as part of each management review cycle.
Regulatory Mapping — One Standard, Three Regimes
| Regulation | Key ISO 27701 Coverage | What It Demonstrates |
|---|---|---|
| GDPR | Annex D provides article-by-article mapping covering Articles 5, 6, 7, 13–17, 25, 28, 30, 32, 33, 35 | Principles of processing, lawful basis, consent, data subject rights, privacy by design, processor agreements, RoPA, security, breach notification, and DPIAs |
| DPDP Act (India) | Sections 6 (consent), 7 (notice), 8 (obligations), 11 (data principal rights) | Consent management, data minimisation, purpose limitation, data subject rights — aligned but formal mapping documentation still maturing |
| CCPA / CPRA | Data subject rights controls — access, deletion, portability, opt-out | California consumer rights and CCPA's data inventory obligations via the RoPA requirement |
| HIPAA | Privacy Rule safeguards, access controls, minimum necessary standard | Technical and administrative safeguards for PHI overlap significantly with ISO 27701 PII controls |
What the Certification Audit Looks Like
ISO 27701 is audited as an extension of ISO 27001 — typically by the same certification body in the same audit engagement. Auditors assess evidence across three areas: documentation, implementation, and operational maturity.
Documentation — Privacy policy and PIMS scope, RoPA covering all PII processing activities, DPIA records for high-risk processing, processor agreements and sub-processor registers, data subject rights request logs.
Implementation evidence — Consent management logs, data minimisation enforcement evidence, access control restrictions to PII-handling personnel, retention schedules and deletion or anonymisation records.
Operational maturity — Completed internal PIMS audits, management review records addressing privacy metrics, corrective actions from privacy incidents, privacy training completion records for all staff handling PII.
Implementation Roadmap — 6 to 9 Months from ISO 27001
Phase 1, gap assessment and scoping (months 1-2): conduct a gap assessment against ISO 27701 requirements using your existing ISO 27001 ISMS as the baseline. Define the PIMS scope — which legal entities, systems, and PII processing activities are in scope. Confirm whether your organisation operates as a PII controller, processor, or both.
Phase 2, foundation controls (months 3-4): build or update the RoPA to cover all in-scope PII processing activities. Document the legal basis for each processing activity. Review and update all processor agreements to ensure ISO 27701 alignment. Establish the data subject rights request process and assign ownership.
Phase 3, operational controls (months 5-6): implement the DPIA process and conduct DPIAs for any in-scope high-risk processing. Update data retention schedules and implement or verify technical deletion and anonymisation capabilities. Deploy or verify consent management mechanisms. Deliver privacy awareness training to all staff handling PII.
Phase 4, internal audit and certification (months 7-9): conduct an internal PIMS audit against ISO 27701 requirements. Perform a management review explicitly addressing privacy performance. Remediate findings from the internal audit. Engage the certification body and schedule the Stage 1 and Stage 2 audit — combined with your ISO 27001 surveillance or recertification if timing aligns.
Frequently Asked Questions
What is ISO 27701?
ISO 27701 is an international standard that extends ISO 27001 to cover privacy, providing a framework for building and maintaining a Privacy Information Management System (PIMS). Published in 2019, it specifies requirements for processing Personally Identifiable Information in a transparent, accountable, and demonstrably compliant manner for both PII controllers and PII processors.
Do we need ISO 27001 certification before pursuing ISO 27701?
ISO 27701 is technically an extension to ISO 27001 and cannot stand alone without it as the foundation. However, organisations do not need to achieve ISO 27001 certification first — they can pursue both certifications simultaneously in a single unified programme. For organisations already certified to ISO 27001, adding ISO 27701 requires extending the existing ISMS to cover privacy controls, not rebuilding it from scratch.
What is a Record of Processing Activities (RoPA)?
A RoPA is a documented inventory of all PII processing activities within an organisation. Required under both ISO 27701 and GDPR Article 30, each entry captures the processing purpose, legal basis, categories of data subjects and PII, recipients and third parties, retention periods, and security measures. The RoPA must be maintained as a living document with a defined owner, change management process, and regular review cycle.
Does ISO 27701 certification mean we are GDPR compliant?
No. ISO 27701 certification does not equal GDPR compliance, but ISO 27701 Annex D provides a direct article-by-article mapping to GDPR covering Articles 5, 6, 7, 13-17, 25, 28, 30, 32, 33, and 35. In practice, ISO 27701 certification is widely accepted by regulators and enterprise customers as strong evidence of GDPR compliance readiness.
How long does ISO 27701 implementation take?
For organisations starting from ISO 27001 certification, a realistic ISO 27701 implementation timeline runs 6 to 9 months across four phases: gap assessment and scoping (months 1-2), foundation controls including RoPA and processor agreements (months 3-4), operational controls including DPIAs and consent management (months 5-6), and internal audit and certification (months 7-9).