The short version
ISO/IEC 27701:2019 is a Privacy Information Management System (PIMS) standard published by ISO and IEC in August 2019. It is structured as an extension to ISO/IEC 27001 (information security management) and ISO/IEC 27002 (security controls), adding privacy-specific clauses and two new annexes: Annex A for PII Controllers and Annex B for PII Processors.
The critical fact most founders miss: ISO 27701 cannot be certified independently. ISO 27001 certification is a hard prerequisite. The two are usually pursued in parallel or sequentially — 27001 first, then a 27701 scope addition.
The payoff: an internationally recognised privacy certification that maps cleanly to GDPR obligations, accelerates enterprise procurement, reduces DPA scrutiny on cross-border transfers, and demonstrates accountability under GDPR Art. 24.
What is ISO 27701?
ISO 27701 is the first international management-system standard purpose-built for privacy. Where ISO 27001 manages information security risk, ISO 27701 manages privacy risk — specifically, risk to PII Principals (data subjects) arising from how the organisation processes PII (personal data).
The standard borrows the management system structure from ISO 27001 (Plan-Do-Check-Act, leadership, risk assessment, internal audit, management review, continual improvement) and adds:
- Privacy-specific extensions to ISO 27001 clauses 4–10 — e.g. PIMS scope, privacy policy, privacy risk assessment, privacy roles, privacy objectives.
- Privacy-specific extensions to ISO 27002 controls in clauses 6.1–6.13 — e.g. acceptable use of PII, secure deletion, asset inventory including PII.
- Annex A (clause 7) — 31 additional controls for organisations acting as PII Controllers (you determine purposes and means).
- Annex B (clause 8) — 18 additional controls for organisations acting as PII Processors (you process PII on behalf of another controller).
Most B2B SaaS companies are both — controllers for their own marketing, sales, HR, and billing data; processors for customer data on the platform. Both Annexes apply.
Who needs ISO 27701?
ISO 27701 is most valuable for:
- Companies already pursuing or holding ISO 27001 — the incremental cost of adding 27701 to scope is modest (typically 20–40% on top of 27001 audit fees).
- SaaS with GDPR compliance obligations — EU/UK customers, EU/UK data subjects, or processors handling EU/UK data. 27701 provides an auditable demonstration of GDPR accountability.
- Enterprise SaaS responding to procurement RFPs — large enterprises (especially in finance, healthcare, regulated industries) increasingly ask for ISO 27701 alongside ISO 27001 and SOC 2.
- Processors handling sensitive PII categories — health data, financial data, children's data, biometric data, special category data under GDPR Art. 9.
- Companies operating across multiple privacy regimes — 27701 is jurisdiction-agnostic and maps to GDPR, LGPD, POPIA, PIPL, CCPA, PIPEDA. One certification, many regimes.
It is less valuable for: small SaaS without GDPR exposure, US-only companies serving consumers (where SOC 2 + CCPA notices are usually sufficient), and pre-revenue startups (build the product first; certify later).
ISO 27701 structure compared to ISO 27001
The cleanest way to understand 27701 is by mapping it to 27001:
| ISO 27001 Clause | ISO 27001 Topic | ISO 27701 Extension |
|---|---|---|
| 4 | Context of the organisation | Add privacy interested parties (PII principals, regulators, data importers) |
| 5 | Leadership | PIMS policy, privacy roles (DPO-equivalent), privacy commitment |
| 6 | Planning | Privacy risk assessment methodology + privacy risk treatment plan |
| 7 | Support | Privacy resources, competence (privacy training), awareness, documented PIMS information |
| 8 | Operation | PII processing controls integrated into operational processes |
| 9 | Performance evaluation | PIMS monitoring, internal PIMS audit, management review of PIMS |
| 10 | Improvement | Nonconformity and corrective action for privacy |
| Annex A (27001) | 93 security controls | Privacy extensions to 27002 controls + Annex A.7 (Controller) + Annex B.8 (Processor) |
If you have ISO 27001 in place, you are roughly 60% of the way to ISO 27701. The remaining 40% is privacy-specific documentation, roles, processes, and the Annex A/B controls.
ISO 27701 ↔ GDPR alignment
This is where ISO 27701 earns its keep. Almost every GDPR obligation maps to one or more ISO 27701 clauses:
| GDPR Article | Obligation | ISO 27701 Clause / Annex |
|---|---|---|
| Art. 5 | Principles relating to processing | 7.2.1–7.2.5, 7.4 (multiple) |
| Art. 6 | Lawful basis | 7.2.2 (Identify lawful basis) |
| Art. 7 | Conditions for consent | A.7.2.2, A.7.2.3 (Controllers) |
| Art. 9 | Special category data | 7.2.2 + heightened controls in 7.4 |
| Art. 12–14 | Transparency / information to data subjects | 7.3.2 (Information to PII principals); A.7.3.2 (Controllers) |
| Art. 15–22 | Data subject rights | 7.3.1–7.3.10 (Access, rectification, erasure, restriction, portability, objection) |
| Art. 25 | Data protection by design and by default | 7.4.2, 8.4 (Privacy by Design) |
| Art. 28 | Processor obligations | 7.5.1 (Controller), B.8.2 (Processor) |
| Art. 30 | Records of processing | 7.2.8 (Identify and document purpose) |
| Art. 32 | Security of processing | 6.1 (PII risk assessment) + ISO 27001 Annex A controls |
| Art. 33–34 | Breach notification | B.8.5.7 (Processor obligation to notify controller); ISO 27001 A.5.24–5.28 |
| Art. 35 | DPIA | 7.2.5 (PII impact assessment) |
| Art. 37 | DPO appointment | 5.3 (Roles, responsibilities and authorities) |
| Art. 44–49 | International transfers | 7.5.3 (Countries and international organisations) |
This mapping is why ISO 27701 is sometimes called "the GDPR certification you can actually get" — GDPR itself is a regulation, not a certification scheme, but ISO 27701 provides the closest auditable equivalent.
Controller vs Processor obligations
ISO 27701 treats Controllers and Processors as distinct roles with distinct annexes. If you are both (as most SaaS are), both apply.
Annex A — PII Controller controls (Clause 7)
- A.7.2 — Conditions for collection and processing. Identify lawful basis, get consent where required, document purpose, identify legal basis for processing of children's PII, contracts with PII processors, joint controller relationships.
- A.7.3 — Obligations to PII Principals. Information to PII principals (privacy notice), providing mechanisms for modifying or withdrawing consent, providing mechanism to object, providing copy of PII processed, deletion, automated decision-making controls.
- A.7.4 — Privacy by design and default. Limits on collection and processing; accuracy; minimisation; de-identification; retention; temporary files; PII transmission controls.
- A.7.5 — PII sharing, transfer, and disclosure. Identify and document the basis for transfer, countries to which PII can be transferred, records of transfer, records of disclosure to third parties.
Annex B — PII Processor controls (Clause 8)
- B.8.2 — Conditions for collection and processing. Customer agreement, organisation's purposes, marketing and advertising use, infringing instructions, customer obligations, records related to processing PII.
- B.8.3 — Obligations to PII Principals. Mechanisms for fulfilling PII principal requests.
- B.8.4 — Privacy by design and default. Temporary files, return/transfer/disposal of PII, PII transmission controls.
- B.8.5 — PII sharing, transfer, and disclosure. Disclosure basis, countries, records of disclosure, notification of PII disclosure requests, legally binding PII disclosures, disclosure of sub-contractors, engagement of sub-contractors, changes to sub-contractors, breach notification.
The Annex B controls map almost directly to the obligations a processor signs up to in a GDPR Art. 28 DPA. If you maintain a good DPA and follow it operationally, you're already doing most of Annex B.
Six major benefits of ISO 27701 certification
- Auditable GDPR compliance evidence. A certificate from an accredited body provides third-party assurance of your privacy controls. Replaces "trust us, we're GDPR-compliant" with an audit report.
- Enterprise procurement acceleration. Increasingly requested in RFPs alongside ISO 27001 and SOC 2. Reduces back-and-forth on security questionnaires.
- Cross-border transfer assurance. Demonstrates appropriate safeguards under GDPR Chapter V — useful supplementary measure for Schrems II Transfer Impact Assessments.
- Privacy by design demonstrated. Audit evidence of GDPR Art. 25 compliance. Useful in DPIAs and DPA scrutiny.
- Regulator trust. While not a defence against enforcement, certification is a strong signal of accountability under Art. 24. EDPB and national DPAs increasingly reference 27701 as good practice.
- Reduced DPA enforcement risk. Documented controls and audit trail substantially reduce the risk of "failure to implement appropriate measures" findings under Art. 32.
The certification path
ISO 27701 follows the same audit structure as ISO 27001:
- Prerequisite: ISO 27001 certification. You cannot certify against 27701 alone. Either certify 27001 first, then add 27701, or pursue both in parallel.
- Stage 1 audit (documentation review). Certification body reviews your PIMS documentation: scope, policies, risk assessment, RoPA, SoA, internal audit results, management review minutes.
- Stage 2 audit (operational effectiveness). 1–5 day on-site (or remote) audit verifying operations match documentation. Sampling of controls, interviews with staff, evidence review.
- Certification decision. Independent decision by the certification body. Certificate valid 3 years.
- Surveillance audits. Annual, lighter scope. Verify continued conformity and that improvements are happening.
- Recertification audit. Year 3, full Stage 2-scope audit.
Integrated vs standalone. Most accredited bodies (BSI, Bureau Veritas, LRQA, NQA, DEKRA, DNV) offer integrated 27001 + 27701 audits. A single audit can certify both. This is usually 30–50% cheaper than two standalone audits.
The 8 domains of an ISO 27701 gap assessment
Before formal certification, run a gap assessment. ComplyKit's free ISO 27701 PIMS Gap Assessment covers 26 controls across 8 domains:
- PIMS Policies & Leadership (Clause 5) — PIMS scope, privacy policy, leadership commitment, privacy roles.
- Privacy Risk Assessment (Clause 6) — risk methodology, risk treatment plan, risk owners.
- PII Processing Controls (Clause 7.2) — lawful basis, purpose limitation, minimisation, retention.
- PII Principal Rights (Clause 7.3) — DSR mechanism, privacy notice accuracy.
- Third-Party & Transfer Management (Clause 7.5) — DPAs, sub-processor inventory, international transfers.
- Annex A — Controller-Specific Controls — consent management, direct marketing controls, notice updates, vulnerable subjects.
- Annex B — Processor-Specific Controls — customer instructions, purpose limitation, end-of-contract deletion, incident notification.
- Monitoring, Audit & Improvement (Clauses 9–10) — internal PIMS audit, management review, incident register, continual improvement, privacy by design.
Each control is rated as in place, partial, or a gap. The output is a remediation roadmap to work through before you engage a certification body.
What to do next
- Run a gap assessment. Use the free ISO 27701 PIMS Gap Assessment. Score your readiness across 8 domains.
- Confirm ISO 27001 status. If not certified, start there. Use the ISO 27001 Gap Assessment first.
- Document your PIMS scope. What products, services, and data flows are in scope? Who are the PII principals? What roles do you take (controller, processor, both)?
- Build the required privacy documentation. Use ComplyKit generators for the foundational documents: Privacy Policy, DPA, Sub-Processor List, DPIA Template, RoPA, DSR Response Template, Employee Privacy Notice, Data Retention Policy.
- Implement Annex A and B controls. Operationalise consent management, sub-processor management, breach response, international transfer mechanisms.
- Internal audit and management review. At least one full cycle before Stage 1.
- Select a certification body. Choose one accredited by UKAS, ANAB, DAkkS, or a similar accreditation body. Ask for an integrated 27001+27701 audit if you don't have 27001 yet.
Related guides
- ISO 27001 vs SOC 2 for SaaS — which to pursue first.
- GDPR Article 32: TOMs for SaaS — what "appropriate security measures" actually means.
- Privacy by Design under GDPR Art. 25 — the operational foundation for ISO 27701.
Run your ISO 27701 gap assessment free → /generate/iso27701-pims-gap-assessment
⚠️ This guide is for informational purposes only and does not constitute legal advice. ISO 27701 certification requires a formal audit by an accredited certification body and ISO 27001 certification as a prerequisite. Engage qualified privacy and security professionals for your certification programme.