ISO 27701: Adding Privacy to Your ISMS

27kay · 5 min read

It extends ISO 27001 - it does not replace it

ISO 27701 is a privacy extension to ISO 27001. It adds privacy-specific requirements and controls to your existing information security management system, turning your ISMS into a Privacy Information Management System (PIMS). You cannot implement ISO 27701 without ISO 27001 as the foundation - it is an extension, not a standalone standard. If you process personal data and your clients or regulators expect formal privacy management, ISO 27701 is the most structured path to demonstrating it.

What ISO 27701 actually adds

ISO 27001 protects information broadly. ISO 27701 narrows the focus to personally identifiable information (PII) and adds requirements specific to privacy management. The additions fall into three areas:

Extended management system requirements. ISO 27701 adds privacy considerations to existing ISO 27001 clauses. Your context analysis now includes privacy regulations and data subject expectations. Your risk assessment must consider privacy risks alongside security risks. Your Statement of Applicability expands to include privacy controls.

Privacy-specific controls. The standard provides additional controls beyond ISO 27001’s Annex A. These cover consent management, data subject rights (access, erasure, portability), purpose limitation, data minimization, retention and deletion, cross-border transfers, and privacy impact assessments. These are the controls that directly support GDPR compliance.

Controller and processor guidance. ISO 27701 includes separate annexes for organizations acting as PII controllers (you decide why and how data is processed) and PII processors (you process data on someone else’s behalf). This distinction matters because the obligations are different - and many organizations act as both depending on the context.

Controller vs processor - why the distinction matters

ISO 27701 Annex A covers requirements for PII controllers. Annex B covers PII processors. Understanding which role you play for each data processing activity determines which controls apply.

As a PII controller, you need controls for:

  • Establishing lawful basis for processing (consent, legitimate interest, contractual necessity)
  • Responding to data subject rights requests within regulatory timeframes
  • Conducting data protection impact assessments for high-risk processing
  • Managing data sharing with third parties and cross-border transfers
  • Defining and enforcing retention periods

As a PII processor, your obligations focus on:

  • Processing data only according to the controller’s documented instructions
  • Implementing security measures agreed with the controller
  • Notifying the controller of breaches without undue delay
  • Supporting the controller in fulfilling data subject rights requests
  • Managing sub-processors with equivalent contractual protections

A SaaS company serving enterprise clients is typically a processor for customer data and a controller for its own employee and marketing data. You need controls from both annexes, applied to the right processing activities.

What changes in your existing ISMS

If you already have an ISO 27001 certified ISMS, adding ISO 27701 is not starting over. It is an extension - roughly 30-40% additional work on top of your existing system. Here is what changes in practice:

Scope statement. Your ISMS scope expands to explicitly include PII processing activities and the applicable privacy regulations (GDPR, CCPA, or others depending on your jurisdiction).

Risk assessment. Your existing methodology stays, but you add privacy-specific risk scenarios. What happens if personal data is exposed? What if you cannot fulfill a deletion request? What if a sub-processor has a breach? These privacy risks feed into your risk treatment plan alongside your existing security risks.

Policies and procedures. You add privacy-specific documentation: a data protection policy, procedures for handling data subject requests, a register of records of processing activities (ROPA), a data breach notification procedure, and privacy impact assessment templates.

Controls. Your Statement of Applicability adds ISO 27701’s privacy controls. Many of your existing ISO 27001 controls already contribute - access management, encryption, logging, and supplier management all apply to privacy. The gap is typically in consent management, purpose limitation, data subject rights workflows, and retention/deletion processes.

Roles. You may need to formalize a Data Protection Officer (DPO) role or equivalent privacy function. ISO 27701 requires clear accountability for privacy decisions.

The GDPR connection

ISO 27701 was explicitly designed with GDPR in mind. Annex D of the standard provides a detailed mapping between ISO 27701 controls and GDPR articles. This makes it the most practical framework for demonstrating GDPR compliance through a certifiable standard.

The mapping covers all major GDPR requirements: lawfulness of processing (Article 6), data subject rights (Articles 15-22), data protection by design (Article 25), records of processing (Article 30), breach notification (Articles 33-34), data protection impact assessments (Article 35), and international transfers (Chapter V).

This does not mean ISO 27701 certification equals GDPR compliance - the regulation is broader than any single standard. But it provides auditable evidence that you have implemented systematic controls for the areas GDPR cares about most. When a regulator or client asks “how do you protect personal data?”, an ISO 27701 certificate backed by your PIMS documentation gives a concrete, verifiable answer.

When ISO 27701 makes sense

You process significant volumes of EU personal data. If GDPR compliance is a major concern for your organization, ISO 27701 provides the most structured approach to demonstrating it.

Your clients specifically ask for it. Enterprise procurement teams, particularly in regulated industries like healthcare and financial services, increasingly expect privacy certifications beyond basic ISO 27001.

You are a data processor handling sensitive data. If clients entrust you with their customers’ personal data, ISO 27701 certification proves you have systematic controls for processor obligations.

You already have ISO 27001. The extension model means you can add ISO 27701 to your existing certification scope without building a separate management system. The incremental effort is manageable.

If your organization processes minimal personal data - say, a B2B infrastructure company with no consumer-facing services - ISO 27001 alone may be sufficient. The data privacy frameworks guide covers when different privacy frameworks make sense.

How 27kay can help

We help organizations extend their existing ISO 27001 ISMS with ISO 27701 privacy controls. For organizations starting fresh, we build integrated security-and-privacy management systems from day one so you get both certifications from a single implementation.

Whether you need a gap assessment against ISO 27701, help building your ROPA and DPIA processes, or full implementation support through to certification, let’s talk - we will scope the work based on your current ISMS maturity and your privacy obligations.