ISO 27701

What is ISO 27701?

ISO/IEC 27701:2019 is a privacy extension to the international information security management standard, ISO/IEC 27001 (ISO/IEC 27701 Security techniques – Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management – Requirements and guidelines).

ISO 27701 specifies the requirements for – and provides guidance for establishing, implementing, maintaining and continually improving – a PIMS (privacy information management system).

ISO 27701 is based on the requirements, control objectives and controls of ISO 27001, and includes a set of privacy-specific requirements, controls and control objectives.

GDPR and ISO 27701

Under the GDPR (General Data Protection Regulation), data controllers and processors must implement “appropriate technical and organisational measures” to secure and ensure the privacy of the personal data they process.

The GDPR, however, provides no direction on what these measures should entail.

Fortunately, best-practice guidance on data security can be found in the international standard ISO/IEC 27701:2019 Security techniques – Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management – Requirements and guidelines (ISO 27701).

ISO 27701 extends the requirements, control objectives and controls in the information security management standard ISO 27001 and its code of practice, ISO 27002, to create a PIMS (privacy information management system).

Like ISO 27001, ISO 27701 advocates a risk-based approach so that each conforming organisation can efficiently address the specific risks to personal data and privacy that it faces – ensuring that the measures it implements are appropriate, as required by the GDPR.

Article 42 of the GDPR discusses data protection certification mechanisms, and data protection seals and marks as a means of demonstrating compliance.

No such mechanisms exist yet, but it is possible to achieve independently accredited certification to ISO 27001.

And because ISO 27701 is an extension of ISO 27001, organisations that implement ISO 27701’s controls as part of their ISMS should be able to use their ISO 27001 certification – subject to successful audit – to demonstrate that they comply with a wide range of data protection laws, including the GDPR.

Do you need to implement ISO 27001 before ISO 27701?

No. ISO 27701 has been designed to be used by all data controllers and data processors, irrespective of whether they have already implemented ISO 27001. It builds on the ISO 27001 framework, so it can be implemented simultaneously or added in later.

Organisations that have, or are in the process of implementing, an ISO 27001-compliant ISMS (information security management system) should find it straightforward to use ISO 27701 to extend their security efforts to include their processing of personal data/PII (personally identifiable information).

Those without an ISMS can implement ISO 27001 and ISO 27701 together as a single project, defining the scope of the management system to cover their data processing activities.

How does ISO 27701 relate to the GDPR?

ISO 27701 is not aligned with any particular data protection law: it aims to help organisations meet all their legal requirements relating to data protection, irrespective of the laws that apply to their processing.

This means there are some differences in terminology between ISO 27701 and the GDPR, including:

ISO 27701 | GDPR
PII | Personal data
PII controller | Data controller
PII processor | Data processor
PII principal | Data subject
Privacy by design | Data protection by design
Privacy by default | Data protection by default

However, GDPR compliance was taken into account as part of the Standard’s development.

So, as well as providing generic privacy-specific requirements, controls and control objectives for data/PII controllers and processors, ISO 27701 contains an annex that maps those controls to the GDPR’s requirements.

For instance, data controllers’ obligations for meeting data subjects’ rights under the GDPR are addressed by ISO 27701’s controls on obligations to PII principals.

This means ISO 27701 can be used as a GDPR compliance guide by data controllers and processors.

Other ISO 27701 control mappings

As well as mapping to the GDPR, ISO 27701 includes annexes that map its requirements, controls and control objectives to:

  • ISO 29100 (Information technology – Security techniques – Privacy framework);
  • ISO 29151 (Information technology – Security techniques – Code of practice for personally identifiable information protection); and
  • ISO 27018 (Information technology – Security techniques – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors).
