verified_user
Standardful
Homechevron_rightStandardschevron_rightISO/IEC 27701:2025
ActiveInternational Standardupdate Standard Updated: October 2025fact_check Fact checked: Jun 28, 2026

ISO/IEC 27701:2025

Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management

apartmentPublishing Organization:International Organization for Standardization (ISO)

Standard Introduction

ISO/IEC 27701:2025 is an active standard published by International Organization for Standardization (ISO). It is commonly used across Technology, Services, Finance & Banking, Healthcare, Government and applies in Global.

Use this page to review the official documentation, current status, and the certification or assessment bodies most commonly associated with ISO/IEC 27701:2025.

privacy_tip

Privacy Extension to ISMS

Extends ISO 27001 with privacy-specific requirements, creating a Privacy Information Management System (PIMS) that maps controls to both PII controller and PII processor roles.

balance

GDPR Alignment

Annex D provides a detailed mapping between ISO 27701 controls and GDPR articles — enabling organizations to demonstrate compliance with European privacy regulations through certification.

groups

Dual-Role Coverage

Provides separate control sets for PII controllers (Annex A) and PII processors (Annex B), allowing organizations to certify for one or both roles depending on their data processing activities.

list_alt PIMS Framework

  • Extension of ISO/IEC 27001 ISMS with privacy controls
  • Clause 7: PII controller-specific guidance and controls
  • Clause 8: PII processor-specific guidance and controls
  • Annex A: PII controller reference control objectives
  • Annex B: PII processor reference control objectives
  • Annex D: Mapping to GDPR requirements
  • Privacy risk assessment and treatment methodology
  • Integration with existing information security management

Who Needs to Comply?

groups

Organizations that process personally identifiable information and want to demonstrate privacy compliance — especially those subject to GDPR, CCPA, LGPD, or other privacy regulations. Applicable to PII controllers, PII processors, or both.

Key Requirements

1

Privacy Risk Assessment

Extend the ISO 27001 risk assessment process to include privacy risks specific to PII processing. Consider the impact on data subjects and the likelihood of privacy breaches.

2

PII Controller Obligations

Implement controls for lawful basis of processing, consent management, data subject rights (access, rectification, erasure, portability), privacy by design, and data protection impact assessments.

3

PII Processor Requirements

Process PII only on documented instructions from the controller. Implement controls for sub-processor management, data breach notification, cross-border transfers, and data return or deletion.

4

Privacy Governance

Appoint responsible personnel (e.g., Data Protection Officer), maintain records of PII processing activities, conduct privacy impact assessments, and establish procedures for handling data subject requests.

5

Third-Party Management

Establish and maintain agreements with PII processing partners. Verify third-party privacy controls through audits, assessments, or certifications. Manage sub-processor chains with appropriate contractual safeguards.

Implementation Roadmap

1
Phase 1schedule Duration: 3-6 weeks

Define PIMS scope and roles

Identify processing activities, jurisdictions, products, systems, controller and processor roles, personal data categories, privacy obligations, and interfaces with the existing information-security or compliance management system.

2
Phase 2schedule Duration: 6-10 weeks

Map privacy controls and obligations

Assess gaps against ISO/IEC 27701 requirements for privacy governance, risk assessment, data-subject rights, privacy notices, lawful processing, processor management, records, privacy by design, and transfer controls.

3
Phase 3schedule Duration: 10-24 weeks

Implement PIMS operations

Deploy policies, processing records, DPIA or PIA workflows, data-subject request handling, incident processes, supplier controls, retention schedules, training, metrics, and privacy-control evidence.

4
Phase 4schedule Duration: Ongoing

Audit and improve privacy management

Run internal audits, management reviews, corrective actions, and certification readiness checks. Refresh the PIMS when laws, products, vendors, data flows, or organizational roles change.

Compliance Checklist

0 / 12

checklist PIMS governance

checklist Privacy operations

checklist Assurance and improvement

Penalties & Enforcement

warning

No direct legal penalties — ISO/IEC 27701 is a voluntary standard. However, certification provides evidence of due diligence for privacy regulators and can mitigate penalties under GDPR (up to 4% of global turnover) and similar regulations.

Frequently Asked Questions

What does ISO/IEC 27701 provide?

expand_more

ISO/IEC 27701 specifies requirements for establishing, implementing, maintaining, and continually improving a privacy information management system for organizations acting as controllers, processors, or both.

Is ISO 27701 only an extension to ISO 27001?

expand_more

The 2025 edition is positioned as a privacy information management system standard. Many organizations still integrate it with ISO 27001 because privacy controls depend heavily on information-security governance and evidence.

Does ISO 27701 prove GDPR or LGPD compliance?

expand_more

No single certification proves compliance with every privacy law. ISO 27701 helps organize governance, records, rights handling, risk assessment, and processor controls that support legal compliance programs.

What evidence is important for ISO 27701?

expand_more

Useful evidence includes PIMS scope, processing records, privacy-risk assessments, notices, consent records, data-subject request logs, supplier contracts, transfer assessments, incident records, internal audits, and management reviews.

Who should own a PIMS?

expand_more

Ownership often sits with privacy, legal, compliance, security, or risk leadership, but effective operation requires product, engineering, HR, marketing, procurement, and support teams to maintain controls in daily work.

Official Documentation

View All

Implementation Timeline

edit_document
2017
Development begins as ISO/IEC 27552 project
check_circle
Aug 2019
ISO/IEC 27701:2019 published as PIMS extension to ISO 27001
trending_up
2020
Growing adoption as GDPR compliance demonstration tool
cloud
2023
Microsoft, Apple, and major cloud providers achieve certification
update
Oct 2025
ISO/IEC 27701:2025 update published with improved alignment

Related Categories