ISO 27701 Explained: How to Extend Your ISO 27001 ISMS to Cover Privacy and GDPR Compliance
Written by Jon Ozdoruk
If your organization already holds ISO 27001 certification — or is actively working toward it — there is a question your enterprise customers and legal team will eventually ask: what does your information security program actually do about privacy? ISO 27001 covers the confidentiality, integrity, and availability of information assets. It does not, by itself, provide a certifiable framework for collecting, processing, storing, and managing personal data. That gap is exactly what ISO 27701 was designed to close.
ISO 27701 is the international standard for privacy information management. It extends an existing ISO 27001 Information Security Management System to incorporate a Privacy Information Management System, giving organizations a single integrated framework that addresses both information security and data privacy — and that maps directly to the requirements of GDPR, CCPA, and other major privacy regulations.
This guide explains what ISO 27701 requires, how it works alongside ISO 27001, how it maps to the GDPR, what the certification process entails, and why an increasing number of enterprise buyers are treating it as a prerequisite rather than a differentiator.
What ISO 27701 Actually Is
ISO/IEC 27701 was published in August 2019 as an extension to ISO/IEC 27001 and ISO/IEC 27002. Its full title is Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines. It cannot be implemented or certified in isolation: it requires an existing ISO 27001 ISMS as its foundation and adds privacy-specific requirements, controls, and guidance on top of it.
The standard introduces the concept of a Privacy Information Management System, or PIMS. A PIMS is not a separate management system that sits alongside your ISMS. It is an extension of it. The same governance structures, management review cycles, internal audit processes, risk assessment methodology, and continual improvement mechanisms that operate in your ISMS are extended to cover privacy. You are not building a second system. You are expanding the scope and depth of the one you already have.
ISO 27701 distinguishes between two roles that any organization processing personal data may occupy, and uses the standard's own terminology for them: the PII controller and the PII processor (PII being personally identifiable information, the standard's term for personal data). These map directly to the GDPR concepts of data controller and data processor. Controllers determine the purposes and means of processing personal data. Processors process personal data on behalf of controllers. ISO 27701 provides separate sets of controls and guidance for each role, recognizing that the privacy obligations of a company that decides why and how customer data is processed are fundamentally different from those of a company that processes it under contract. Many organizations occupy both roles for different processing activities and must implement both sets of controls.
Why Organizations Are Pursuing ISO 27701
Enterprise procurement teams — particularly in financial services, healthcare, and the public sector — are no longer satisfied by a single ISO 27001 certificate as evidence of privacy maturity. The question they are increasingly asking is not whether you have an ISMS, but whether your organization has formally committed to privacy management, had that commitment independently audited, and can demonstrate ongoing compliance with the obligations that arise from handling personal data.
ISO 27701 certification answers that question with a third-party verified credential. It signals that your organization has assessed its privacy risks, implemented controls proportionate to those risks, and operates under a governance structure that keeps privacy management active between audits rather than treating it as a once-a-year documentation exercise.
There is also a regulatory rationale, with an important caveat. GDPR Article 42 explicitly contemplates the use of approved certification mechanisms to demonstrate compliance with the regulation's requirements, but ISO 27701 certification is not, of itself, an approved Article 42 certification, and Article 42(4) states that certification does not reduce the controller's or processor's responsibility for compliance. What ISO 27701 does provide is an independently audited, internationally recognized privacy management framework whose controls are mapped to GDPR articles, which is why it is widely used as structured evidence of a functioning privacy program rather than as proof of compliance.
For organizations that operate across multiple jurisdictions, ISO 27701 provides a single framework that can be mapped to regional privacy laws, rather than requiring separate compliance programs for each. The GDPR mapping is the most detailed and widely used, but the standard's guidance is intended to apply to any privacy regulation that distinguishes between controllers and processors.
How ISO 27701 Extends ISO 27001
The structure of ISO 27701 closely follows ISO 27001's framework. Clause 5 of ISO 27701 carries the modifications to ISO 27001 clauses 4 through 10, clause 6 carries privacy-specific guidance on the ISO 27002 controls, and clauses 7 and 8 give additional guidance for controllers and processors respectively. Annexes A and B then list the privacy-specific controls for controllers and processors, and Annex D maps those controls to GDPR articles.
Context of the Organization (ISO 27001 Clause 4) is extended to require that privacy considerations be incorporated into the organization's understanding of its internal and external context. This means identifying interested parties with privacy interests, such as data subjects, regulators, and customers acting as controllers, and understanding their requirements as inputs to the PIMS. The organization must also determine its role as PII controller, PII processor, or both, because that determines which Annex applies.
Planning (ISO 27001 Clause 6) is extended to require incorporating privacy risks into the risk assessment process. ISO 27001 already requires a risk assessment that covers information assets; ISO 27701 extends this to require that personal data processing activities be inventoried, that the risks to data subjects arising from that processing be assessed alongside risks to the organization, and that treatment decisions be made proportionate to those risks.
Operation (ISO 27001 Clause 8) is extended so that operational planning and control cover PII processing as well as information security. The concrete operational obligations that practitioners usually associate with this clause, such as maintaining records of processing (the counterpart of GDPR Article 30), running privacy impact assessments for high-risk processing, and handling data subject rights requests, are specified as controls in Annex A (for example A.7.2.8 on records related to processing PII and A.7.2.5 on privacy impact assessment) rather than in the clause text itself.
The most substantive additions appear in Annexes A and B, which contain the privacy-specific controls.
Annex A: Controls for Privacy Information Controllers
Annex A provides 31 controls organized into four groups for organizations acting as controllers: conditions for collection and processing (A.7.2), obligations to PII principals (A.7.3), privacy by design and privacy by default (A.7.4), and PII sharing, transfer, and disclosure (A.7.5). These address the core operational requirements of managing personal data responsibly.
The first category covers conditions for collection and processing. Controllers must define the lawful basis for each processing activity, document the purposes for which personal data is collected, and ensure that personal data is not processed for purposes incompatible with those originally stated. This maps directly to GDPR Articles 5 and 6, which establish the principles of purpose limitation and lawful basis.
The second category addresses obligations to data subjects (PII principals in the standard's terms). Controllers must have documented procedures for responding to requests to access, rectify, erase, restrict, and port personal data. Response timelines must be defined, and records of requests and responses must be maintained. Under GDPR Article 12(3), responding within one month of receipt is a legal obligation, extendable by two further months only where the number or complexity of requests makes that necessary and the data subject is told why. ISO 27701 makes the existence of a procedure to meet that obligation, and evidence that it operates, a certification requirement.
Privacy by design and by default is addressed explicitly. Controllers must ensure that data protection considerations are incorporated into the design of new products, systems, and processes, and that privacy settings default to the most protective option available. This aligns with GDPR Article 25 and means that privacy review must be embedded in product development workflows rather than applied retrospectively.
Data retention and disposal are also addressed. Controllers must define retention periods for each category of personal data, based on the purpose of processing and any legal obligations, and must have documented procedures for securely disposing of data when retention periods expire.
Annex B: Controls for Privacy Information Processors
Annex B provides 18 controls, again in four groups (B.8.2 through B.8.5), for organizations acting as processors. These address the obligations that arise when processing personal data under contract on behalf of another organization.
Processors must ensure that they process personal data only on documented instructions from the controller. They must have contractual mechanisms in place that establish the boundaries of authorized processing, which is what the data processing agreement required by GDPR Article 28(3) provides. They must have procedures for notifying controllers of a personal data breach without undue delay (GDPR Article 33(2)), so that the controller can meet its own 72-hour notification obligation to the supervisory authority under Article 33(1).
Sub-processing is addressed directly. Processors must maintain records of sub-processors engaged in processing personal data covered by the PIMS, obtain authorization from controllers before engaging sub-processors, and ensure that sub-processors are bound by the same privacy obligations as the processor itself. This is a significant operational requirement for SaaS companies that rely on cloud infrastructure, analytics platforms, or third-party APIs that touch personal data.
Data subject rights are also addressed for processors. Even when a data subject request is received by the controller, processors must have mechanisms to support the controller in fulfilling the request — particularly for erasure requests, which may require deleting data across systems operated by the processor.
How ISO 27701 Maps to GDPR
ISO 27701 Annex D provides an explicit mapping between the standard's controls and the specific articles of GDPR. This mapping is one of the most practically useful features of the standard for European organizations and for non-European organizations that process the personal data of EU residents.
The mapping is not one-to-one. A single GDPR article may be addressed by multiple ISO 27701 controls, and a single ISO 27701 control may support compliance with multiple GDPR articles. But the mapping provides a structured basis for using ISO 27701 implementation as evidence of GDPR alignment in the event of a regulatory inquiry or audit.
Key GDPR requirements and their ISO 27701 counterparts include: Article 5 (principles relating to processing) mapped to controller controls on lawful basis, purpose limitation, and data minimization; Articles 13 and 14 (information to be provided to data subjects) mapped to controls on privacy notices, with Article 7 (conditions for consent) mapped to consent management; Article 25 (data protection by design and by default) mapped to controls on product development and default settings; Article 28 (processor obligations) mapped to Annex B controls on sub-processing and contracted processing; Article 30 (records of processing activities) mapped to controls on maintaining processing inventories; Articles 33 and 34 (breach notification) mapped to controls on incident response and breach reporting procedures; and Article 35 (data protection impact assessments) mapped to controls on high-risk processing assessment.
Organizations that implement ISO 27701 rigorously and maintain the required documentation have a structured body of evidence ready for regulatory review. This does not guarantee GDPR compliance: compliance depends on how controls are actually operated, not on whether they are documented. What the standard does provide is a framework that significantly narrows the gap between certified privacy management and regulatory expectations.
The ISO 27701 Certification Process
Because ISO 27701 is an extension of ISO 27001, the certification process is integrated with the ISO 27001 audit rather than conducted separately. Organizations pursuing ISO 27701 certification for the first time must hold, or simultaneously pursue, ISO 27001 certification.
The certification audit follows the same two-stage structure as ISO 27001. Stage 1 is a documentation review. The auditor examines the PIMS documentation — the extended scope statement, the privacy risk assessment, the records of processing activities, the data subject rights procedures, the data protection impact assessment process, and the Annex A and Annex B controls that apply to the organization's role as controller, processor, or both. The auditor confirms that the PIMS is designed to meet the standard's requirements and identifies any documentation gaps before the operational audit.
Stage 2 is the operational audit. The auditor reviews evidence that the controls documented in Stage 1 are actually operating as described. This includes reviewing records of data subject requests received and fulfilled, evidence of privacy-by-design reviews conducted for product changes, records of processing activities maintained under Article 30-equivalent requirements, data protection impact assessments completed for high-risk processing activities, and evidence that sub-processor management procedures are being followed.
Surveillance audits occur annually for both ISO 27001 and ISO 27701, typically conducted together. Recertification occurs every three years. Because the PIMS is integrated into the ISMS, the operational cadence of the combined program is not significantly more demanding than ISO 27001 alone — the privacy controls are reviewed on the same schedule as the security controls.
Common Gaps Found During ISO 27701 Audits
Organizations implementing ISO 27701 for the first time consistently encounter the same categories of gaps during their Stage 1 and Stage 2 audits.
The records of processing activities are incomplete or informal. Many organizations maintain some version of a data map or processing inventory, but it does not capture all required fields — lawful basis, retention period, data subject categories, recipient categories, international transfer mechanisms — for every processing activity in scope.
The data subject rights procedure exists on paper but has never been tested. Organizations can produce a procedure document describing how they will respond to access, erasure, and portability requests, but cannot produce evidence of actual requests received and responded to within the required timeframes.
Privacy by design has no operational mechanism. The organization's product development process does not include a formal privacy review step. New features are assessed for security requirements but not for privacy implications, meaning the control exists as a policy statement rather than an operational practice.
The sub-processor inventory is incomplete or out of date. SaaS companies, in particular, frequently rely on dozens of third-party services that handle personal data, and maintaining an accurate, up-to-date inventory, with evidence of contractual privacy protections for each sub-processor, is operationally demanding.
Data protection impact assessment procedures have not been applied consistently. Organizations have a DPIA template but cannot demonstrate that it has been used for processing activities that meet the high-risk threshold, or that DPIA outcomes have influenced product or process decisions.
Identifying and addressing these gaps before Stage 1 is the single most effective way to reduce audit findings and avoid costly remediation cycles.
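Two of the gaps listed above are checkable mechanically before the auditor arrives: a processing inventory with empty required fields, and a data subject request log with no evidence that deadlines were met. The following Python is an added example written for this page; it is not code from the article or from dsalta. The required-field list reflects the fields the article names rather than the full text of GDPR Article 30, the sample inventory and request log are constructed, and the rule that a one-month deadline falls on the same day number in the next month, clamped to that month's last day, is an assumption stated in the code.

```python
"""Compliance-as-code checks for two recurring ISO 27701 audit gaps:
incomplete records of processing and untracked data subject request
deadlines. Added example; all sample data below is constructed."""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import date

# Fields every entry in the processing inventory must carry. Assumption:
# this list reflects the fields named in the article, not the full text
# of GDPR Article 30.
REQUIRED_ROPA_FIELDS = (
    "purpose",
    "lawful_basis",
    "data_subject_categories",
    "data_categories",
    "recipient_categories",
    "retention_period",
    "transfer_mechanism",  # record "none" explicitly when nothing leaves the EEA
)


def validate_ropa(records: list[dict]) -> dict[str, list[str]]:
    """Map each incomplete activity to the fields that are missing or empty.

    None and whitespace-only values count as missing, so a half-filled
    spreadsheet export does not pass the check by accident."""
    findings: dict[str, list[str]] = {}
    for rec in records:
        name = rec.get("activity") or "<unnamed activity>"
        missing = [
            f for f in REQUIRED_ROPA_FIELDS
            if rec.get(f) is None or not str(rec[f]).strip()
        ]
        if missing:
            findings[name] = missing
    return findings


def _as_date(value: date | str) -> date:
    """Accept a date or an ISO 8601 string, as read from a request log export."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def dsr_due_date(received: date | str, extension_months: int = 0) -> date:
    """Due date for a data subject request.

    GDPR Article 12(3): respond within one month of receipt, extendable by
    two further months where necessary. Assumption: the deadline falls on
    the same day number in the target month, clamped to that month's last
    day (a request received 31 January is due 28 or 29 February)."""
    if not 0 <= extension_months <= 2:
        raise ValueError("Article 12(3) permits at most two further months")
    received = _as_date(received)
    month_index = received.month - 1 + 1 + extension_months  # zero-based month
    year = received.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(received.day, last_day))


@dataclass
class DSRequest:
    ref: str
    received: date
    extension_months: int = 0
    closed: date | None = None  # None while the request is still open


def overdue_requests(requests: list[DSRequest], today: date | str) -> list[str]:
    """References of requests closed after their due date, or still open past it."""
    today = _as_date(today)
    late = []
    for r in requests:
        due = dsr_due_date(r.received, r.extension_months)
        if (r.closed or today) > due:
            late.append(r.ref)
    return late


# Constructed sample inventory: the second entry is deliberately incomplete.
SAMPLE_ROPA = [
    {"activity": "Customer billing", "purpose": "Invoice and collect payment",
     "lawful_basis": "contract", "data_subject_categories": "customers",
     "data_categories": "name, address, payment reference",
     "recipient_categories": "payment processor",
     "retention_period": "7 years after contract end", "transfer_mechanism": "none"},
    {"activity": "Marketing analytics", "purpose": "Measure campaign performance",
     "lawful_basis": "", "data_subject_categories": "website visitors",
     "data_categories": "IP address, device identifiers",
     "recipient_categories": "analytics vendor", "retention_period": None,
     "transfer_mechanism": "SCCs"},
]

# Constructed sample request log: one on time, one closed late, one open with extension.
SAMPLE_REQUESTS = [
    DSRequest("DSR-001", date(2024, 1, 31), closed=date(2024, 2, 20)),
    DSRequest("DSR-002", date(2024, 1, 31), closed=date(2024, 3, 1)),
    DSRequest("DSR-003", date(2024, 2, 10), extension_months=2),
]

if __name__ == "__main__":
    for activity, fields in validate_ropa(SAMPLE_ROPA).items():
        print(f"RoPA gap: {activity!r} missing {', '.join(fields)}")
    for ref in overdue_requests(SAMPLE_REQUESTS, "2024-05-11"):
        print(f"DSR overdue: {ref}")
```

Run against a real export of the processing inventory and the request tracker, the two functions produce exactly the artifacts a Stage 2 auditor asks for: a list of activities whose records are incomplete, and a list of requests that missed their Article 12(3) deadline. The month-end clamping matters in practice because a naive "received date plus 30 days" rule miscomputes deadlines for requests received late in the month.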
Who Should Pursue ISO 27701 Certification
ISO 27701 is most immediately valuable for three categories of organizations. First, organizations that already hold ISO 27001 certification are seeing growing customer demand for evidence of privacy management maturity, particularly among enterprise buyers in regulated industries. The marginal cost of extending an existing ISMS to incorporate a PIMS is significantly lower than implementing a standalone privacy program from scratch.
Second, organizations that process personal data on behalf of multiple customers need a scalable way to demonstrate processor-role compliance to each customer without conducting bespoke privacy assessments for each contract. ISO 27701 certification allows a processor to point to a single audited credential rather than completing individual customer security questionnaires on privacy topics.
Third, organizations that operate across multiple jurisdictions need a privacy framework that can be mapped to regional regulations without requiring separate compliance programs for each jurisdiction. ISO 27701 provides the operational foundation; the jurisdictional mapping is documented separately and reviewed as part of the PIMS.
For organizations building toward ISO 27001 certification and anticipating future enterprise sales, privacy regulatory scrutiny, or expansion into European markets, incorporating ISO 27701 into the certification scope from the outset is substantially more efficient than retrofitting privacy controls into an established ISMS after the fact.
dsalta helps organizations build integrated ISO 27001 and ISO 27701 programs designed to hold up under audit and scale with their business.


