What is ISO 27701?
ISO 27701 is an international standard that extends ISO 27001 and ISO 27002 to include privacy-specific requirements for establishing, implementing, maintaining, and improving a Privacy Information Management System (PIMS).
ISO 27701, published in August 2019, is an international standard that provides guidance for establishing, implementing, maintaining, and continually improving a Privacy Information Management System (PIMS). It extends the requirements and guidance of ISO 27001 (information security management systems) and ISO 27002 (security controls) to include privacy-specific considerations. Organizations must first implement ISO 27001 before they can adopt ISO 27701.
The standard provides a framework for managing personal information that can be used by both data controllers (referred to as PII controllers) and data processors (referred to as PII processors). It includes specific control sets for each role, covering areas such as conditions for collection and processing, obligations to PII principals, privacy by design, PII sharing and transfer, and data handling throughout the information lifecycle. ISO 27701 also maps its requirements to GDPR provisions, making it useful for demonstrating GDPR compliance.
Certification to ISO 27701 is available through accredited certification bodies and is increasingly recognized as evidence of robust privacy management practices. It provides a structured approach that can satisfy requirements across multiple jurisdictions simultaneously. ComplyIQ helps organizations track and manage ISO 27701 control implementation, while the broader IQWorks platform supports the technical controls required for PIMS certification.
Related Terms
GDPR (General Data Protection Regulation)
The General Data Protection Regulation is the European Union's comprehensive data protection law that sets strict rules for how organizations collect, store, and process personal data of EU residents, with fines up to 4% of annual global turnover.
Data Protection Certification
Data protection certification is a formal attestation by an accredited body that an organization's data processing operations comply with specific data protection standards or regulatory requirements.
Privacy Program
A privacy program is a comprehensive organizational framework encompassing the policies, procedures, people, and technologies that manage an organization's data protection obligations and privacy risks.