Build or upgrade your ISMS on our platform

ISO 27701

In the wake of the EU’s General Data Protection Regulation (GDPR) and the worldwide increase in privacy laws, there has been a growing need for a code of conduct, or standard, to demonstrate privacy data compliance. ISO 27701, which was released in August of 2019, seeks to provide a truly international approach to privacy protection as a component of information security.

See how simple it is with

What is ISO 27701?

ISO 27701 is a framework for data privacy that builds on ISO 27001. This latest privacy best practice guides organisations on policies and procedures that should be in place to comply with GDPR and other data protection/ privacy regulations and laws.

The ISO 27701 standard, a PIMS (Privacy Information Management System) standard, lays out a detailed set of operational checklists that can be adapted to a variety of regulations, including GDPR. Companies document their policies, procedures, protocols and activities in line with the standard’s operational checklists, with records then audited by internal and third-party auditors, resulting in detailed proof of compliance with the standard.

ISO 27701 helps companies to maintain an effective privacy and information security system and reduce privacy risks. ISO 27701 is an impressive way of demonstrating to consumers, external organisations and internal stakeholders, that mechanisms are in place to keep data safe and to comply with GDPR and other privacy laws.

ISO 27701 is an extension of ISO 27001 which means that organisations intending to implement ISO 27701 certification must have ISO 27001, or complete both standards simultaneously.

See who we’ve already helped

Why was ISO 27701 developed?

ISO 27701 was developed to provide a standard for data privacy controls, which, when coupled with an ISMS, allows an organisation to demonstrate effective privacy data management. ISO 27701 establishes the parameters for a PIMS in terms of privacy protection and processing personally identifiable information (PII).

The data protection standard

The Data Protection Act (DPA) came into law to regulate how personal or consumer data is used by companies and government agencies in the UK. It safeguards individuals and establishes guidelines for the use of personal data.

The General Data Protection Regulation (GDPR) seeks to establish a common set of data protection laws for all EU member states. Even if they are not in the country where their data is stored, GDPR makes it easier for EU citizens to understand how their data is being used and to file any complaints, should they have a problem with how their information is used.

The ISO 27701 Standard provides the framework for assisting, guiding, and demonstrating compliance with the DPA, GDPR and similar laws and regulations.

What’s personally identifiable information?

Personally, identifiable information is the data that can be used to specifically identify a person. By itself, the information may not necessarily be sensitive but, when taken in context, this data can lead to a variety of conclusions about an individual or company.

Personally, identifiable information includes an individual’s name, address, birthday, national insurance number, phone number, email address, and so on. PII may also include electronic identifiers, like IP addresses, geo location tags and ID numbers.

What is privacy information management?

Privacy information management covers the methods an organisation has for collecting, processing, storing, and destroying personally identifiable information, also known as PII.

Putting in place a privacy information management system ensures that organisations comply with regulations like GDPR. The penalty for breaching data protection legislation in the UK and EU can be serious. For example, the maximum fine is about €17 million or 4% of total worldwide turnover (whichever is higher).

What are the building blocks of the standard?

ISO 27701 is an extension of ISO/IEC 27001, which is one of the most widely used international standards for information security management. If your organisation is already acquainted with ISO/IEC 27001, integrating the new privacy controls of PIMS may be relatively straightforward. ISO 27701 is also based on other standards, like ISO 27002 and ISO 29100.  ISO 27701 adds a data privacy layer to previous information security standards. If you are ticking the boxes for other standards you may be ticking some of the boxes for ISO 27701 already.

Important points to remember about ISO 27001 and PIMS:

  • PIMS provides new controller- and processor-specific controls that help organisations overcome the challenges of privacy and security by establishing a point of convergence between what could be two different functions.
  • Security is important for privacy. ISO 22701 PIMS relies on ISO 27001 for security management. IS0 27701 certification is only available as an add-on to ISO 27001 certification and cannot be obtained as a standalone certificate.
REPL-CS was the only tool we found that hit the sweet spot of providing a comprehensive and proven ISMS, ‘out of the box’, at a reasonable price for a mid-sized organisation. And unlike many other solutions, a complete ISMS and data privacy were integrated well in one package.

Andy Loakes

Risk and Compliance Director, REPL


ISO 27701 compliance challenges

Under the guidelines of the GDPR, organisations are expected to keep all personally identifiable information safe from theft, loss, and damage. Changes to UK law since May 2018 now mean that organisations must put in place an HR data-hand handling policy, with the capability to show that non-relevant personal data is being deleted appropriately. ISO 27701 helps address these three important compliance challenges:

  1. Too many regulatory requirements to juggle

    Using ISO 27701 as a unified system of data privacy operational control removes the need to focus on multiple regulations. As an international standard, ISO 27701 is designed to meet the requirements of data protection and GDPR, and to be flexible enough to be adapted to specific industry requirements. This enables companies to work within a single framework in meeting multiple regulatory requirements.

  2. Too costly to audit regulation-by-regulation

    Internal and external auditors use ISO 27701 to determine regulatory compliance in one single audit cycle. This saves the organisation money compared to following a disjointed regulation-by-regulation audit process. 

  3. Promises of compliance without proof is potentially risky

    It is not enough for companies to follow best practice data privacy processes; they must also be able to prove compliance with laws and regulations. That means having a robust, integrated process for documentation. Businesses with complex processes may have multiple types of data controller and data processor, cloud providers and partner vendors. Inability to prove compliance with laws or regulations in any part of the supply chain could expose the business to financial and reputational risk.

Benefits of ISO 27701

ISO 27701 is a framework that allows you to show compliance with a wide variety of UK and international privacy laws. Benefits also include:

Demonstrate next-level data protection with ISO 27701

The ISO 27701 standard is one of the ways to show that you are complying with all appropriate data protection, confidentiality and privacy security requirements.

Build trust when managing personal information

When it comes to handling personal information, you need to have a way of ensuring that your organisation is doing everything possible to ensure that information is handled correctly and in compliance with the law. ISO 27701 gives you the standard necessary to build trust when managing data. Suppliers, consumers and partners can have confidence in your policies, procedures and protocols when you work to an international standard like 27701.

Integrates with the leading information security standards

ISO 27701 integrates with the leading information security standards. This enables seamless development and updating of policies and procedures across differing standards, and the sure knowledge that you won’t compromise your compliance with other standards by adopting ISO 27701 standards.

Supports compliance with other privacy regulations

ISO 27701 is the ‘industry standard’ to comply with new data protection legislation. Even though ISO 27701 aligns with the principles of GDPR, it also allows organisations to document compliance with other privacy laws, regulations, standards, and requirements.

Flexible enough to accommodate jurisdictional specifics

The ISO 27701 standard was developed to provide standards for working with personally identifiable information so you can meet different privacy laws. If your company operates outside the EU and you want to follow the equivalent territory specific guidelines equivalent to GDPR, you can bring those jurisdictional specifics into ISO 27701.

Provides transparency between stakeholders

ISO 27701 sets the standard for how privacy data is managed. The standard makes processes transparent for all stakeholders, engendering trust and mutual respect.

Facilitates effective business agreements

When companies are committed to working to the same high privacy data standards there it is easier to make agreements and to work together. ISO 27701 engenders trust and ensures that all stakeholders are on the same page when considering system integration and shared business processes.

What other standards relate to ISO 27701?

ISO 27701

Contains clauses that relate to the following standards:

ISO 29100

Covers privacy framework for Information technology.

ISO 29151

Covers the code of practice for the security of personally identifiable information

ISO 27018

Covers the code of practice for the security of personally identifiable information (PII) in public clouds operating as PII processors.

The standard also maps its parameters and safeguards to the GDPR requirements (for example, ISO 27701’s controls governing obligations to PII principals cover GDPR provisions relating to data subjects’ rights).

It’s also worth mentioning that BS 10012 is somewhat similar to ISO 27701, however, it doesn’t include the obligation to implement ISO 27001.

ISO 27701 vs ISO 27001 – what are the differences

ISO 27701 and ISO 27001 are two standards that are often used interchangeably by non-information security professionals when referring to information security.

Both ISO 27001 and ISO 27701 standards are IT security management standards. The difference between the two standards is that ISO 27001 focuses on the gap between risk management and security controls whereas ISO 27701 is a standard geared towards meeting privacy regulations and laws like GDPR and the Data Protection Act. ISO 27701 is focused on privacy data risks.

How do ISO 27001 and ISO 27701 integrate with each other?

ISO 27701 is an extension of ISO 27001. It’s one of the risk management standards, but it ensures that the business complies with GDPR and other relevant PII regulations. Before you can benefit from ISO 27701’s security benefits, you must first implement ISO 27001.

How Does ISO 27701 Relate To GDPR?

Organisations must secure and ensure the integrity of all sensitive data they process under the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 (DPA). However, neither the GDPR nor the DPA provide clarification on the actions companies must take to ensure data privacy. This is where ISO 27701 comes in. ISO 27701 provides the requirements and guidelines for a best-practice process for running a privacy information management system (PIMS) with effective data security and privacy capabilities.

How do ISO 27001 and GDPR integrate with each other?

ISO 27001 is the international best practice standard for an information security management system (ISMS) adopted by many countries around the world. More than 35 countries have signed up to implement GDPR. ISO 27701 can help with compliance with GDPR.


What is the Scope and Purpose of ISO 27005?

The ISO/IEC 27000 set of guidelines apply to all types and sizes of organisations – a very dynamic category, which is why it would be inappropriate to require uniform approaches, processes, risks, and controls.

Other than that, the principles offer broad guidelines within the context of a management framework. Managers are urged to use formal approaches that are applicable to and suitable for their organisation’s unique circumstances, rationally and methodically addressing risks to information.

Identifying and putting information risks under management supervision enables them to be managed effectively, in a manner that adapts to trends and capitalises on growth opportunities, resulting in the ISMS evolving and becoming more successful over time.

ISO 27005 further facilitates compliance with ISO 27001, since the latter specification requires that all controls applied as part of an ISMS (information security management system) be risk-based. This condition can be met by implementing an ISO 27005-compliant information security risk management framework.


ISO 27701 vs BS 10012

As already pointed out, ISO 27701 is the international standard that defines the framework for how personally identifiable information should be managed. The standard BS 10012 is a standard for the United Kingdom, developed and approved by the British Standards Institute. It defines a best-practice framework for a personal information management system that is in line with the GDPR laws. One of the key differences between ISO 27701 and BS 10012 is that ISO 27701 is designed in such a way that the PIMS is an extension of the ISMS specifications and controls defined in ISO 27001, while BS 10012 is a completely different set of requirements against which an organisation can be accredited without having to get a prior ISO 27001 certification. ISO 27701 is designed to be able to meet the compliance requirements, laws and regulations in different jurisdictions and industries.

How Does ISO 27701 Relate to BS 10012?

ISO 27701 and BS 10012 are competing standards for the processing and control of personally identifiable information. BS 10012 is suitable for organisations operating in the UK that are looking to ensure GDPR and Data Protection Act compliance.

ISO 27701 is an international standard. This international standard covers the requirements of BS 10012 but is more far reaching and is more flexible in its applications.

Do you need both ISO 27701 and BS 10012?

ISO 27701 does not align itself with any particular data protection regulation, whereas BS 10012 is for compliance with the GDPR and DPA 2018. ISO 27701 has a broader scope of implementation, allowing organisations that meet the requirements to comply with a variety of privacy regulations, including GDPR. If your company just needs to show compliance with the GDPR and the Data Protection Act of 2018, you might find that BS 10012 meets your needs. However, if you need to show compliance with several data protection regulations, the ISO 27701 standard may be more suitable. You don’t need both standards, but BS10012 may not be sufficient for your needs.


ISO/IEC 27701 Implementation

Implementing ISO/IEC 27701 is a robust way to start a privacy information management system within any company. Many companies choose to pursue ISO 27701 alongside ISO 27001. This can reduce cost and the overall time and effort involved in achieving both standards. Here at, we provide cloud-based solutions that your organisation can use to document compliance with ISO 27001 and then ISO 27701. We take the uncertainty and guesswork out of the process by providing a framework for compliance with ISO standards.


Who should implement ISO 27701?

ISO 27701 offers an international standard for any organisation handling privacy data. Any company that holds personally identifiable information, irrespective of size and type, may benefit from ISO 27701 implementation. ISO 27701 helps to mitigate the financial and regulatory risks associated with privacy data breaches. ISO 27701 is for private, public companies and even government agencies that need to take a risk-based approach to holding and processing personal information.

What roles are involved in implementing ISO 27701?

Given the scope and the scale of the ISO 27701 standard, it comes as no surprise that different roles are involved in implementing the standard. These roles typically include:

  • The Lead Implementer/ Project Manager
  • Chief Privacy Officer / Data Protection Officer
  • Privacy Manager/Data Protection Manager
  • Internal Auditor
  • External Auditor
  • Privacy Analyst- for taking functional requirements and converting to technical implementation
  • Database and Software Professionals
  • can help make the process more understandable and easier to implement.
See our platform in action

Understanding ISO 27701

ISO 27701 is the international standard for privacy information management. Two main objectives of ISO 27701 are to protect private information assets and to demonstrate compliance with privacy and data protection regulations – regardless of location or industry.

ISO 27701 is a list of requirements and guidelines that may be used as a framework to build a Privacy Information Management System. Its purpose is to provide a roadmap for developing and maintaining information systems that process privacy information and store personal data.


How to get started with ISO 27701

If you own a business that processes personal data, then you need to understand how the new ISO 27701 standard applies to you. Understanding the basics of ISO 27701 can be a challenge. This is especially true if you’re used to working to different standards.

Implementing ISO 27701

As with most official standards, ISO 27701 can be a little tricky to get your head around. helps you by providing a cloud-based solution to document compliance with the requirements of ISO 27701.

Implementing ISO 27701 will give you a solid framework for compliance with laws and regulations, from the GDPR regulations to HIPAA level protection.

Demonstrating Good Practice

Implementing ISO 27701 is about demonstrating ‘good practice’ for personal information management. ISO 27701 has become an integral part of the data management framework for businesses in many sectors. This important standard is a shift from the ISO 27001 information security technical and asset emphasis to a more risk-based business focus.

Plan, Do, Check, Act

Plan, Do, Check, Act (PDCA) is a continuous improvement cycle that many progressive companies use, and is a vital element in the implementation of ISO 27701. Others may use different names for the phases — but the key idea is the same: Plan what should be done; do the best job you can on implementation and execution of that task; check the results against your plan; and when the necessary plan changes act to improve performance.


Requirements of ISO 27701

The requirements to achieve ISO/IEC 27701 compliance include:

  • Design, build and implement a Personal Information System for your organisation.
  • Follow the ISO 27701 guidelines when designing and implementing the PIMS.
  • The PIMs should define strict systems and tactical controls for managing personally identifiable information, including how this information is obtained, used, shared and deleted.
  • Define strict user roles and strong passwords for all stakeholders processing and controlling privacy data.

ISO 27701 certification requires that you have ISO 27001 certification. Your Personal Information Management System builds upon your Information Security Management System (ISMS). You can get certified to ISO 27701 at the same time as doing ISO 27001. Doing both concurrently is normally easier, less resource intensive and cheaper than doing them in series.

ISO 27701 is divided into clauses, just like other ISO standards, with Clauses 5–8 detailing the additional requirements and updates that must be added to ISO 27001:

  • Clause 5 outlines the PIMS requirements for ISO/IEC 27001 compliance.
  • Clause 6 outlines the PIMS guidance for ISO/IEC 27002.
  • Clause 7 outlines PIMS guidance for PII Controllers.
  • Clause 8 of the PIMS provides guidance for PII Processors.

The following Annexes are also included in the standard:

  • PIMS-specific reference control goals and controls are mentioned in Annex A. (PII Controllers)
  • PIMS-specific reference management goals and controls are mentioned in Annex B. (PII Processors)
  • Mapping of Annex C to ISO/IEC 29100
  • Mapping to the General Data Protection Regulation (GDPR) in Annex D (GDPR).
  • Annex E to ISO/IEC 27018 and ISO/IEC 29151 Mapping
  • Appendix F What is the relationship between ISO/IEC 27701 and ISO/IEC 27001 and ISO/IEC 27002?

It’s important, however, that you learn all of the policies, procedures, and controls in place and that they’re followed consistently throughout your organisation.

We needed ISO 27001 to win new corporate clients and we needed it quickly. As a small business with limited resources, we were looking for a one-stop solution to radically speed up our implementation. has done exactly that.

Evan Harris



Annex L/SL

Annex L/SL provides a structure and frames of reference for standards to ensure alignment and consistency. Having a unified way for ISO Management System Standard standards to be written aids compatibility across standards. This is particularly important when pursuing ISO 27701 and ISO 27001 at the same time.

  1. Clause 1 – Scope

    This clause establishes the scope of ISO 27701. It explains that the management system is intended for use in all organisations and it does not apply to procedures that must be followed by a single organisation. This requirement is focused on both the PII processors and controllers. It also applies to the PII processors who are accountable for processing the PII.

  2. Clause 2 – Normative references

    Normative references are citations of documents that are considered part of the standard. These documents may give guidance on how to implement the standard, or they can be used in conjunction with the standard to allow users to gain a more detailed understanding of how things are supposed to work.

  3. Clause 3 – Terms and definitions

    There are many common terms used in the ISO 27000 series (ISO 27001, ISO 27002, ISO 27003, and ISO 27004) that are not explicitly defined in these standards. This clause provides a definition for each of them to provide further clarity of their usage throughout the series.

  4. Clause 4 – Context of the organisation

    ISO 27701 clause 4 defines what areas the Management System should cover. In order to meet clause 4 requirements, an organisation needs to identify all of the processes, procedures, tasks and activities that fall under the scope of ISO 27701 and ensure they are covered in the various elements of the Management System.

  5. Clause 5 – Leadership

    The 5th clause of PIMS requirements of ISO 27701 aims to ensure the ISO 27001 implementation will go smoothly. PIMS clause 5 ensures that management and auditors understand the differences between the two standards and that there is no confusion about their respective responsibilities. Clearly defining these roles helps to prevent potential conflict or misunderstanding.

  6. Clause 6 – Planning – PIMS specific guidance related to ISO 27002

    Risks and opportunities should still be considered when planning in an ISMS setting. A solid framework will be built on the basis of an information technology risk evaluation. As a result, risk assessment should be used to set information security goals. These goals should be in line with the company’s general goals. Furthermore, the goals must be promoted within the organisation.

  7. Clause 7 – Support

    This clause covers PIMS specific implementation guidance for PII controllers. Under this clause, the PII controller is expected to develop a list of all data processing activities and the type of technical and organisational measures utilised. Further, the PII controller is also expected to develop internal procedures to support the success of the ISMS. This includes protocols on employee identity authentication, safe handling of removable media along with mobile devices used for data transfer as well as secure disposal methods of any unneeded or expired media.

  8. Clause 8 – Operation

    Clause 8 deals with the details of your operations, how you go about them every day, and tracking to see what progress you are making toward your objectives.

  9. Clause 9 – Performance evaluation

    Clause 9 stipulates that the organisation shall ensure that: a) its management system is regularly reviewed to ensure that its arrangements, controls and procedures are fit for purpose. The management system should be periodically monitored to verify that processes, outputs and outcomes conform to the requirements.

  10. Clause 10 – Improvement

    The purpose of this clause is to ensure that the management of the business and its processes reflect the results of your performance evaluation. This clause ensures that improvements are made in response to the analysis of risk assessments and to the findings of your processes used for ongoing performance evaluation. Nonconformities must be resolved by taking the necessary actions and, if possible, mitigating the causes. There are lots of reasons to pursue ISO 27701 and our cloud-based solution at can help your organisation make sure its documentation processes for privacy information management fall within the framework of the ISO 27701.

Compliance vs certification

ISO 27701 compliance and certification can be confusing, as at face value they appear to mean the same thing. ISO 27701 compliance means that your organisation has put in place the controls needed to satisfy the requirements of ISO 27701; a set of best practices for privacy information management. Compliance with standards is important. An ISO 27701 certificate is the document that confirms a particular organisation has gone through the processes and documented everything necessary to become ISO 27701 compliant. Certification means you have demonstrated compliance.


Is ISO 27701 certification right for me?

If your company deals with personally identifiable information, you may need to look into ISO 27701 certification. ISO 27701 certification will make you stand out compared to companies that are not certified.

Additionally, in the event of a data breach, the Information Commissioner’s Office (ICO) in the United Kingdom has stated that organisations that implement certification or have a comprehensive system in place to handle their data security may be seen more favourably by regulators.


ISO 27701 Certification process

The process of implementing ISO 27701 is relatively easy for organisations that already have ISO 27001 certifications.

The ISO 27701 certification can be obtained in three steps:

  1. You must first engage a qualified certification body that will conduct an audit of your organisation.
  2. After you’ve agreed on a proposal, an assessor will give your organisation a detailed audit. The assessor must make a compulsory visit during the initial certification audit. They’ll look to see if you’ve put in place a completely functional personal information management system.
  3. Once the assessor has completed the audit, the certification body will decide whether your organisation has met the criteria. If the outcome is positive, they will give you a certificate stating that your company complies with the standard’s specifications. The certification is valid for the next three years, or until your ISO 27001 certificate expires, whichever comes first.

If your company does not have ISO 27001 certification yet, you’ll need to have it first, or to pursue ISO 27001 and ISO 27701 certifications at the same time. can work with you to ensure that your PIMS processes are in line with ISO 27701 requirements. Additionally, our information security professionals and comprehensive suite of infosec written and video resources can guide you through the process of demonstrating compliance with ISO standards.


Who needs to be involved in ISO 27701?

Implementing ISO 27701 is not an easy task. The standard can require business change in different roles and different departments. There are specific professionals, such as the lead implementer and auditors that will be directly involved in the ISO 27701 implementation.

You need to think about who touches the personal data and who needs to be taken into account in the process. A business analyst may help with understanding the level to which different people in your organisation will need to be factored into the process.

Some users that may be involved include:

  • Data protection officer (DPO);
  • Senior operational staff;
  • Records management;
  • Human resources;
  • Database managers;
  • Software teams;
  • Sales and marketing.

Lack of coordination between departments could cause serious business risks and failure to meet the standard’s requirements. If you are looking to implement ISO 27701, then you should seek help from an experienced infosec consultant who will guide you through the process. Here at, we have information security experts who can offer expert advice on ISO 27701 implementation. Call +44 (0)1273 041140 to speak to someone today.

Personal information management system explained

A personal information management system is a set of processes, procedures and organisational structures that are designed to protect personal data from unauthorised access, processing, or use for purposes other than those originally given, as well as to ensure privacy data security. A personal information management system is designed to ensure respect for the privacy of personal information and to be in compliance with all GDPR and data protection laws.

Your Privacy Information Management System dictates whether you are complying with regulations and laws related to personal information. Implementing an ISO 27701 Privacy Information Management System means you are meeting the international standard for best practice in privacy information management.


How long will ISO 27701 take?

The time it takes to become ISO 27701 certified varies from organisation to organisation. It will also depend on whether you already have ISO 27001 certification or if you intend to pursue ISO 27001 and ISO 27701 at the same time. Small to Medium-Sized organisations normally take between 6 and 12 weeks to complete ISO 27001. ISO 27701 is an extension of ISO 27001 and may be faster if you have a system in place already.



If your organisation handles personal data, whether it belongs to your customers, vendors, or employees, current legislation dictates that you must have a system in place to protect the personal information. One of the best ways you can demonstrate compliance to the new laws on data protection is by putting a Personal Information Management System in place and continually improving your processes, policies and protocols. Compliance to laws and regulations can be a complex process. is an easier way to document compliance with ISO 27701, and demonstrate that you are taking data seriously.



IS0 27701 certification provides proof to regulators, internal and external stakeholders, customers and suppliers that your company is taking a proactive, best practice approach to PII security. In some industries, certification to ISO 27701 is a requirement if you want to compete.


Internal audits

An internal auditor investigates your processes, policies and procedures against the requirement for ISO 27701 certification. Internal auditors must follow a thorough process to assess their current PIMs. helps by providing a framework for the audit.


External audit

External audits are conducted by external auditors. The PIMS audit investigates whether the policies, processes and procedures related to PII meet the requirements of ISO 27701. If the result is that the PIMS falls short, there will be the opportunity to make changes to the PIMS. If the PIMS external auditor assesses that the company meets the ISO criteria then the company can gain certification.


Will it create red tape?

ISO 27701 is designed to ensure that companies are meeting best practice standards in their privacy information security. The standard is not about creating red tape. Through the process of ISO 27701 certification your company will build or enhance your personal information management system that is integrated into your corporate policies, procedures and processes.

This standard will facilitate a culture change and an improved way of thinking about privacy data. When you build a suitable personal information policy and system for your company and document it with an easy to use interface like, you can get certified to ISO 27701 without adding layers of red tape.

See how easy it is to get started with

How do I maintain ISO 27701 certification?

Maintaining ISO 27701 certification need not be a daunting prospect, as long as the initial ISO 27701 implementation was completed correctly. However, to keep your ISO 27701 valid, you must perform periodic surveillance audits in combination with your ISO 27001 audit, and then a complete reassessment before certification renewal.


Continual improvement

The best way to maintain ISO 27701 certification is to manage your systems in such a way that you are able to keep doing continuous improvements. Continual improvement is the ongoing effort taken by your organisation to improve how it handles personally identifiable information, identifying emerging risks to compliance, and taking systemic actions to remedy them.


How much does ISO 27701 cost?

The cost of ISO 27701 is the sum of the cost of certification and the business costs associated with implementation and continued compliance. The cost of implementation will depend on the resources you have in house, the complexity of your data processes and the system you put in place to comply with and document compliance with ISO 27701. The cost of certification is detailed below:

No. of people working for the organisation No. of days** (Minimum audit time) Estimated certification cost ***
1 – 45 3 – 6 £2850 – £5,700
46 – 125 7 – 8 £6,650 – £7,600
126-425 9 – 10 £8,550 – £9,500
426-625 11 £10,450
626-875 12 £11,400
876-1175 13 £12,350
1176-1550 14 £13,300
1551-2025 15 £14,250


What are the benefits of building your own BS 10012 PIMS vs buying?

Building your own BS 10012 PIMS system tends to be a better way to end up a system that fits your business processes. A bespoke system may save you money and is likely to be easier to use, configure and adapt to your data processors and controllers.

Some organisations find the idea of building their own system daunting and a task that leads them to look for off the shelf systems. Whichever route you choose to follow for your organisation, our cloud-based solutions at will help make sure that you keep the documentation required to meet the standard.

How does make personal information management easy? makes personal information management easy through a great cloud-based solution to support ISO 27701 compliance in your organisation. On top of this we have information security experts and resources available to guide you through the ISO 27701 accreditation process.


Frameworks for ISO 27701

It can be hard to know where to start with ISO 27701, especially if you’ve never had to do anything like this before. This is where comes in! Our ISO 27701 solutions provide frameworks that allow your organisation to demonstrate compliance with ISO 27701. Our Information Security experts can work with you to ensure that you develop a logical implementation process that aligns with the online documentation framework.


Highly efficient project oversight and collaboration

Our solutions make it easy for organisations to achieve project oversight, ensuring that the data controller and processor policies and procedures are in line with the ISO standard. Our online system also ensures that system implementers have a single place for reference and collaboration. Our Assured Results Method (ARM) enables you to be confident that you are ticking all the boxes you need to comply with the standard.


Optional supply chain management tools

At we can incorporate supply chain information security management into your ISMS.. Quick and practical performance metrics can also be used to monitor the progress of your suppliers and other third-party partnerships.

Use Clusters to get the whole supply chain together in one location for clarity, insight, and control.


Help and support engaging your people

ISO 27701 is not just a framework for organisations to adopt; it means adapting the way people understand, interface and interact with data. At, we have designed our system so that you and your staff can take advantage of our easy-to-use interface for documenting your ISO journey. We also provide video resources and access to information security professionals to help you integrate standards into your company.

ISO 27701 certification

ISO 27701 certification is becoming increasingly important for companies that want to demonstrate compliance with best personal information security practices. Certification normally means adapting and improving processing and requires clear documentation. is a specialist information security management system company that helps you to complete the process of certification.


How to get certified to ISO 27701

Certification to ISO 27701 is a complicated process for some businesses. It can be confusing, especially for those that don’t employ specialists in the field of information security.

If you are interested in getting ISO 27701 certification for your organisation, you will need ISO 27001 certification before you can proceed with ISO 27701 certification. Alternatively, you can obtain both ISO 27001 and ISO 27701 certifications at the same time.

ISO 27701 certification requires that you build a Personal Information Management System that complies with all criteria, and that you document how all requirements are met. The ISO standard is bought and then you go through internal and external auditing processes to get certified.


Why consider ISO 27701 certification?

ISO 27701 certification can be a powerful differentiator for your business. It’s an endorsement of your commitment to implementing a privacy data security system and evidence that you have the experienced staff, policies and procedures to keep personal information secure. If your business stores or manages sensitive customer or financial information, interfaces with payment data or operates vital control systems, there is no question you will look better to consumers, external partners and investors if you get ISO 27001 certification. In addition, ISO 27701 certification ensures that you are meeting rigorous standards of personal information security, reducing risks of fines and reputational damage through the mishandling of data or data breaches.


How can I prepare for ISO 27701 certification?

Preparing for the ISO 27701 certification involves certain steps and processes.

First, you will need to do an analysis of your current management system. You will then go through an internal audit your system against the requirements of ISO 27701. Where you identify deficiencies in your current system you will make changes. When you have completed the process, an on-site audit will be carried out to check the effectiveness of your organisation’s ISMS and PIMS against ISO 27701. If the requirements of the standard are met, your company will receive the ISO 27701 certificate. Note that you must have the ISO 27001 certificate prior to ISO 27701 or certify for both at the same time.

A first and second surveillance audit will be needed to ensure continued compliance in order to qualify for recertification.

How make privacy information management easy

At, we make documenting your privacy information management system easier for your organisation. We provide you with a logical, usable, cloud-based information management interface that will help your organisation check its privacy processes and progress against the ISO 27701/ PIMS standard. Our cloud-based platform allows you to access all your PIMS resources in one place. You can use our easy-to-use platform to document everything you need to show that you meet the requirements of ISO 27701. Our Assured Results Method (ARM) demystifies the requirements of ISO 27701 and gives you confidence as you progress towards the attainment of certification. We have an in-house team of information security experts who can provide guidance and answer questions to help you on your way to ISO 27701 certification.

Call on +44 (0)1273 041140 to find out more about how we can help you get certified to ISO 27701.

What kind of help do you need from us?

New to information security?

We have everything you need to design, build and implement your first ISMS.

Find out more

Ready to transform your ISMS?

We’ll help you get more out of the infosec work you’ve already done.

Find out more

Want to unleash your infosec expertise?

With our platform you can build the ISMS your organisation really needs.

Find out more

Take a deep dive into some of our more advanced features