Glossary · Frameworks & standards
What is ISO 27701?
Also known as: ISO/IEC 27701, PIMS standard
ISO 27701 is an international standard that extends ISO 27001 and ISO 27002 with requirements for a Privacy Information Management System (PIMS). It adds privacy-specific controls for organizations acting as data controllers or processors and maps closely to regulations such as the GDPR, turning an existing security management system into a privacy management system.
Key takeaways
- An extension of ISO 27001 and ISO 27002, not a standalone standard.
- Defines a Privacy Information Management System (PIMS).
- Adds distinct control sets for PII controllers and PII processors.
- Maps to GDPR and other privacy regimes to streamline compliance.
- Requires an existing or concurrent ISO 27001 ISMS to certify against.
What is a Privacy Information Management System?
A Privacy Information Management System (PIMS) is the privacy analogue of an ISMS. ISO 27701 specifies how to plan, implement, operate, and continually improve the management of personally identifiable information (PII), layering privacy governance on top of an organization's information security management system.
Rather than reinventing the wheel, ISO 27701 reuses the structure of ISO 27001 and supplements its controls with privacy-specific guidance, so organizations can build privacy management into a framework they may already operate.
How does ISO 27701 extend ISO 27001 and 27002?
ISO 27701 cannot be certified on its own; it requires an ISO 27001 information security management system as its foundation. It refines ISO 27001 requirements with privacy considerations and adds privacy-specific guidance to ISO 27002 controls.
Critically, it introduces two additional sets of controls:
- Controls for organizations acting as PII controllers — those that determine why and how personal data is processed.
- Controls for organizations acting as PII processors — those that process personal data on behalf of a controller.
Many organizations are both controllers and processors depending on the data, so they may implement both sets.
How does ISO 27701 relate to the GDPR?
ISO 27701 includes mappings to major privacy regulations, most notably the GDPR, helping organizations demonstrate how their controls correspond to specific legal obligations. While certification is not itself a finding of legal compliance, it provides strong, auditable evidence of a privacy program.
A common pitfall is assuming ISO 27701 certification automatically equals GDPR compliance. It supports and evidences compliance, but legal obligations such as lawful basis, data subject rights handling, and breach notification still require organizational and legal diligence beyond the standard.
A platform such as CATAAM can manage ISO 27701 alongside ISO 27001 so security and privacy controls are governed as one program.
Frequently asked questions
- Can I get ISO 27701 certified without ISO 27001?
- No. ISO 27701 is an extension that depends on an ISO 27001 information security management system, which must be in place or implemented at the same time.
- Does ISO 27701 guarantee GDPR compliance?
- No. It maps to the GDPR and provides strong evidence of a privacy program, but legal compliance still depends on factors outside the standard's scope.
- What is the difference between a controller and a processor in ISO 27701?
- A controller decides the purposes and means of processing personal data, while a processor handles it on the controller's behalf. ISO 27701 provides separate controls for each role.
- Who should adopt ISO 27701?
- Organizations that handle personal data and want a structured, certifiable privacy management system that integrates with their existing security program, especially those subject to the GDPR.