v2026.1714 entries · CC-BY 4.0
CASRAI

Definition · Plain-language

ISO 27701

ISO/IEC 27701:2019 is the extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management, adding requirements for the protection of personally identifiable information (PII).

CASRAI research-methods explainer — ISO 27701

An extension to ISO 27001

ISO/IEC 27701:2019 is not a standalone standard: it extends ISO/IEC 27001 (and applies ISO/IEC 27002 controls) by adding specific controls and implementation guidance for privacy information management. It was published in August 2019 as the first international standard addressing privacy information management systems (PIMS). Organisations must hold ISO/IEC 27001 certification, or must pursue it concurrently, in order to be certified to ISO/IEC 27701. This integrated approach means that an organisation's information security management system (ISMS) and its privacy information management system (PIMS) are audited and managed together, reducing duplication of governance effort and providing a coherent security-and-privacy management architecture.

Requirements for Controllers and Processors

ISO/IEC 27701 addresses privacy obligations separately for PII Controllers and PII Processors, reflecting the distinction between these roles familiar from data protection law. PII Controllers determine the purposes and means of processing personally identifiable information — equivalent to Data Controllers under GDPR. PII Processors process PII on behalf of Controllers — equivalent to Data Processors under GDPR. Each role has specific clauses in the standard covering their distinct obligations. Annex D of the standard provides a systematic mapping of ISO/IEC 27701 controls to GDPR requirements — including the accountability principle under Article 5(2), data subject rights under Articles 12–22, lawful basis requirements and data breach obligations — giving organisations a structured approach to demonstrating GDPR accountability through PIMS implementation.

Certification and business value

Certification to ISO/IEC 27701 involves a combined audit covering both the ISO/IEC 27001 ISMS scope and the ISO/IEC 27701 PIMS extension, conducted by an accredited third-party certification body. The certificate provides independently verified assurance that the organisation has implemented systematic privacy information management aligned with international standards. This has practical commercial value in B2B contexts: enterprise customers and public-sector procurers increasingly require evidence of privacy governance from suppliers; ISO/IEC 27701 certification provides auditable, third-party verified evidence beyond self-assessment. It also supports demonstration of the GDPR accountability principle (Article 5(2)), which requires controllers to demonstrate compliance rather than merely assert it — a requirement that voluntary certification schemes directly address.

Key facts

At a glance

  • Published: ISO/IEC 27701:2019
  • Extends: ISO/IEC 27001 and ISO/IEC 27002 with privacy information management controls
  • Covers: PII Controllers and PII Processors separately, mirroring GDPR roles
  • GDPR mapping: Annex D systematically maps controls to GDPR requirements
  • Certification: requires ISO/IEC 27001 certification (existing or concurrent) in the same scope
  • Purpose: third-party privacy governance assurance for B2B due diligence and regulatory accountability

Common misconceptions

What people often get wrong

Often heard: ISO 27701 can be certified independently of ISO 27001.

Actually: ISO/IEC 27701 is an extension to ISO/IEC 27001. Certification requires that the ISO/IEC 27001 ISMS is in place and certified (or certified concurrently) for a scope that covers the PIMS activities. There is no standalone ISO/IEC 27701 certification without a corresponding ISO/IEC 27001 basis.

Often heard: ISO 27701 is only for EU organisations complying with GDPR.

Actually: ISO/IEC 27701 is an internationally applicable standard referenced against multiple privacy laws beyond GDPR, including CCPA, LGPD (Brazil), PIPL (China) and others. Annex D provides specific GDPR mappings, but the standard itself addresses privacy information management applicable to any jurisdiction with privacy legislation.

Often heard: ISO 27701 certification guarantees GDPR compliance.

Actually: ISO/IEC 27701 certification demonstrates that systematic privacy management controls are in place and operating, supporting the GDPR accountability principle. Formal GDPR compliance depends on meeting all applicable legal requirements including lawful basis, data subject rights, breach notification and international transfer obligations, which cannot be fully addressed by a management system standard alone.
