← All guides
ISO 2770112 min read15 July 2026

ISO 27701 PIMS Implementation Guide: Extending ISO 27001 for GDPR Privacy Compliance (2026)

ISO/IEC 27701 is the international standard for privacy information management systems (PIMS). It extends ISO 27001 with dedicated PII controller and processor controls, maps to GDPR, and provides a certification path. Here's the complete implementation guide.

What is ISO/IEC 27701 and why does it matter in 2026?

ISO/IEC 27701:2019 (Privacy Information Management System — Requirements and Guidelines) is the first international standard for a Privacy Information Management System (PIMS). It extends ISO/IEC 27001 and ISO/IEC 27002 with privacy-specific controls and provides a structured path for organisations to demonstrate compliance with privacy regulations — particularly GDPR.

In 2026, ISO 27701 has become the gold standard for organisations that want to demonstrate privacy accountability to regulators, enterprise customers, and partners. The European Data Protection Board (EDPB) has indicated that ISO 27701 certification can contribute to demonstrating GDPR compliance, although it doesn't automatically guarantee it. Enterprise procurement teams increasingly ask for ISO 27701 certification alongside ISO 27001, particularly for cloud providers, SaaS platforms, and data processors handling EU personal data.

If your organisation is already ISO 27001 certified, adding ISO 27701 is significantly less effort than building a PIMS from scratch — the extension builds directly on your existing ISMS. If you're not yet ISO 27001 certified, you'll need to implement both simultaneously.

ISO 27701 architecture: the two main components

The standard has two primary sets of additional controls, depending on your role in the processing chain:

  • Section 7 — Additional controls for PII controllers: These controls apply when your organisation determines the purpose and means of processing personal data. This is the typical position of SaaS companies that collect and process data directly from users.
  • Section 8 — Additional controls for PII processors: These apply when you process personal data on behalf of another organisation (the controller). Cloud infrastructure providers, analytics platforms, and B2B SaaS products often operate as processors.

Many organisations are simultaneously controllers and processors — controllers for their own customer data, processors for the data of their clients' customers. You need to implement both Section 7 and Section 8 controls in that case.

Step 1: Determine your PII controller/processor role

This determination isn't always straightforward. The key question is: who decides why the personal data is being processed and how?

  • If you run a SaaS HR platform and process employee data on behalf of your client companies, you are likely a processor for that data (your clients are controllers).
  • If you run a B2C e-commerce platform and process your customers' purchase history, you are a controller.
  • If you process your own marketing leads, you are a controller for that data even if you're primarily a processor elsewhere.

Document this determination for each processing purpose in your Records of Processing Activities (RoPA) — ISO 27701 requires this analysis as part of the PIMS scope.

Step 2: Establish the PIMS scope statement

Your PIMS scope statement must be aligned with your ISO 27001 ISMS scope. You can't have a PIMS scope that extends beyond your ISMS scope — the privacy controls are layered on top of the information security controls.

A typical PIMS scope statement for a SaaS company might read: "The PIMS covers the design, development, operation, and support of [Product Name], including all personal data processed as a controller (customer accounts, marketing data, analytics) and as a processor (end-user data processed on behalf of B2B clients), within the organisational boundaries defined in ISMS-SCOPE-001."

Get top management sign-off on this scope statement — it's a formal PIMS document requirement.

Step 3: Extend your ISO 27001 risk assessment with privacy risks

ISO 27701 requires your existing information security risk assessment process to be extended to cover privacy risks. This means:

  • Adding a privacy risk category to your risk assessment methodology
  • Assessing likelihood and impact of privacy breaches (not just security incidents)
  • Considering harm to data subjects — not just harm to the organisation
  • Integrating DPIA (Data Protection Impact Assessment) outcomes into the risk register

Privacy risks have a distinct character from information security risks: the primary harm is often to individuals (data subjects) rather than the organisation. Your risk assessment methodology needs to capture this — likelihood of harm to data subjects, severity, reversibility, and number of affected individuals.

Step 4: Implement Data Protection Impact Assessments (DPIAs)

ISO 27701 §6.3 requires a formal DPIA process. Under GDPR Art. 35, DPIAs are mandatory for high-risk processing — but ISO 27701 expects you to have a defined trigger-based process for all potentially high-risk activities.

Define DPIA triggers, for example:

  • New processing of special category data (Art. 9 GDPR: health, biometric, racial/ethnic origin, etc.)
  • Systematic profiling with significant effects on individuals
  • Large-scale processing of personal data
  • Processing involving automated decision-making
  • Combining datasets that weren't originally collected together
  • Processing data of vulnerable groups (children, employees, patients)
  • New technologies or processing methods not previously assessed

Your DPIA template should capture: purpose description, necessity and proportionality assessment, risk identification and evaluation, risk mitigation measures, and DPO/management sign-off. Keep DPIA records — they're evidence of privacy-by-design and are reviewable by supervisory authorities.

Step 5: PII controller controls (ISO 27701 §7)

If you are a controller, Section 7 of ISO 27701 adds the following key controls:

7.2 — Conditions for collection and processing

  • Lawful basis documentation: Document the lawful basis (GDPR Art. 6) for each processing purpose — consent, contract, legal obligation, vital interests, public task, or legitimate interests. Legitimate interests require a documented LIA (Legitimate Interests Assessment).
  • Purpose specification: Processing purposes must be specified, explicit, and limited to what was declared. Maintain purpose documentation per processing activity.
  • PII minimisation: Technical controls to enforce collection of only necessary data — form field validation, mandatory/optional field labelling, data minimisation reviews on new features.

7.3 — Obligations to PII principals

  • Privacy notices: Art. 13/14 GDPR-compliant notices at point of collection: identity of controller, DPO contact, purposes, lawful basis, recipients, retention periods, data subject rights, and transfers.
  • Consent management: If relying on consent, implement a consent management platform or equivalent: granular consent, timestamped records, easy withdrawal, and re-consent on material changes.
  • Data subject rights: Documented procedures for all GDPR rights — access (Art. 15, 30-day deadline), rectification (Art. 16), erasure (Art. 17, "right to be forgotten"), restriction (Art. 18), portability (Art. 20), objection (Art. 21). Include escalation path and DPO involvement for complex cases.

Step 6: PII processor controls (ISO 27701 §8)

If you are a processor, Section 8 adds:

  • Data Processing Agreements (DPAs): Art. 28 GDPR requires a DPA with every controller you process data for. Your standard DPA must include all Art. 28(3) mandatory provisions: processing only on documented instructions, confidentiality obligations, sub-processor requirements, security measures (Art. 32), DPIA assistance, deletion/return obligations, and audit support.
  • Sub-processor management: Maintain a list of all sub-processors; notify controllers before engaging new sub-processors; ensure sub-processors are bound by equivalent contractual obligations via Art. 28(4)-compliant sub-processor agreements; retain liability for sub-processor compliance.
  • Controller instruction compliance: Document that all processing is within the scope of controller instructions. If you receive an instruction that you believe violates applicable law, you have an obligation to inform the controller — document how you handle such situations.
  • Incident notification: Notify controllers of personal data breaches involving their data — agree on timelines in the DPA (typically without undue delay, practically meaning <24h to give controllers enough time to meet GDPR's 72h supervisory authority notification deadline).

Step 7: Privacy by design in your SDLC

ISO 27701 §5 and Annex B require privacy by design and by default to be embedded in your software development lifecycle. This means:

  • Requirements phase: Privacy requirements captured alongside functional requirements — what data is needed, what's the lawful basis, how long retained, who has access.
  • Design phase: DPIA trigger assessment; data flow diagrams; architectural decisions documented (pseudonymisation approach, encryption, access control design).
  • Development: Secure coding standards covering PII handling; no PII in logs by default; data minimisation enforced by code (not just policy).
  • Testing: No production PII in test environments (or documented anonymisation process if unavoidable); privacy controls tested before release.
  • Release/deployment: Privacy settings default to most protective — opt-in rather than opt-out; data sharing off by default; analytics minimal by default.

Step 8: The ISO 27701 certification path

Unlike ISO 27001 which has a well-established certification market, ISO 27701 certification is performed as an extension to the ISO 27001 certification. The process:

  1. Pre-requisite: ISO 27001 certification (must already hold or achieve simultaneously)
  2. Stage 1 audit: Documentation review — your PIMS scope, policy framework, risk assessment, controls selection, Statement of Applicability extended to cover ISO 27701 clauses
  3. Stage 2 audit: On-site/remote implementation audit — evidence that controls are operational, records maintained, internal PIMS audit conducted, management review completed
  4. Certification: Certificate valid for 3 years with annual surveillance audits
  5. Surveillance audits: Year 1 and Year 2 — review ongoing operation and address non-conformities
  6. Recertification audit: Year 3 — full audit cycle repeats

Expect the Stage 2 audit for ISO 27701 (as an extension to an existing ISO 27001 certification) to take 0.5–1 additional audit days. The preparation work is typically 3–6 months for an organisation that already has ISO 27001 in place.

Common ISO 27701 implementation gaps

Based on typical implementation assessments, the most common gaps are:

  • Role determination not documented: Most organisations haven't formally documented their controller/processor determination for each processing activity. This is the first thing auditors check.
  • DPAs missing or incomplete: Many processor DPAs are missing key Art. 28(3) provisions — particularly audit rights, sub-processor clauses, and deletion/return procedures.
  • No DPIA process: Having a DPIA template isn't enough — you need a trigger-based process, evidence of DPIAs having been conducted, and a DPO sign-off workflow.
  • Privacy by design is policy-only: The policy says "privacy by design" but there's no evidence it's embedded in the SDLC — no privacy requirements in user stories, no DPIA trigger assessment at design phase.
  • Data subject rights SLAs not met: GDPR requires 30-day response to access requests. Many organisations don't have a documented process or track request timelines.
  • Retention schedules not enforced: Retention periods are in the privacy notice but not enforced by automated deletion — data accumulates indefinitely in production databases and backups.

GDPR and ISO 27701: what the standard covers and what it doesn't

ISO 27701 maps extensively to GDPR but doesn't cover everything. Key things ISO 27701 doesn't directly address:

  • Registration with supervisory authorities (Article 30 RoPA is a GDPR obligation — ISO 27701 expects you to maintain it but doesn't specify format)
  • Specific GDPR derogations and member state implementations
  • Cookie consent under ePrivacy Directive (this requires separate compliance)
  • Children's data (COPPA, GDPR Art. 8) — beyond what §7 covers
  • International data transfers — ISO 27701 expects safeguards but doesn't define which mechanisms (SCCs, BCRs, adequacy decisions)

ISO 27701 certification is best understood as a systematic approach to privacy governance that maps well to GDPR — not as a GDPR compliance certification per se. Your DPO should remain actively involved to address the GDPR-specific requirements that go beyond what the standard covers.

ComplyKit's free ISO 27701 PIMS Gap Assessment covers all 42 controls across 6 domains: PIMS scope and integration, PII controller controls (§7), PII processor controls (§8), privacy risk management and DPIA, privacy by design and technical controls, and governance, audit, and certification readiness. The generated report references specific ISO 27701 clauses and GDPR articles with a prioritised remediation roadmap.