What does accreditation mean and why does it matter?
Not all certification bodies are equal. The critical distinction is accreditation — whether the body has been independently verified to conduct ISO 27701 audits to an internationally recognised standard.
In the UK, UKAS (United Kingdom Accreditation Service) is the national accreditation body. A UKAS-accredited certification body has been assessed against ISO/IEC 17021-1 (requirements for bodies providing audit and certification of management systems) and has ISO/IEC 27701 listed in its accreditation scope, which means its competence to audit a PIMS has been checked, not just its competence to audit an ISMS.
Why this matters:
- Certificate credibility — An accredited certificate carries international recognition through mutual recognition agreements between accreditation bodies worldwide. An unaccredited certificate may not be accepted by customers, regulators or procurement teams.
- Audit quality — Accredited bodies are subject to ongoing oversight. Their auditors must meet competence requirements and follow standardised audit methodologies.
- Appeals process — If you disagree with an audit finding, accredited bodies have formal complaints and appeals procedures governed by their accreditation.
Always verify accreditation directly rather than taking the body's word for it. In the UK, search the UKAS register and confirm that ISO/IEC 27701 appears in the body's scope. Internationally, check with the relevant national accreditation body or the IAF (International Accreditation Forum); the IAF CertSearch database lets you look up accredited certificates and certification bodies across member accreditation bodies. A genuine accredited certificate carries the accreditation body's mark and the certification body's accreditation number, so you can apply the same check to any certificate a supplier shows you.
What are the key selection criteria?
| Criterion | What to check | Why it matters |
|---|---|---|
| Accreditation scope | Confirm the body is accredited specifically for ISO/IEC 27701, not just ISO 27001 | ISO 27001 accreditation alone does not authorise the body to certify against ISO 27701 |
| 2025 edition readiness | Ask whether they are currently issuing certificates against the 2025 edition | Some bodies may still be in the process of updating their audit schemes for the standalone 2025 structure |
| Privacy auditor expertise | Ask about the lead auditor’s qualifications: ISO 27701 Lead Auditor, GDPR knowledge, IAPP certifications | An auditor who understands privacy regulation (not just management systems) will assess your PIMS more effectively |
| Sector experience | Request examples of clients in your industry | An auditor familiar with your sector’s data processing context will understand your controls and risk decisions more quickly |
| Geographic coverage | Confirm they can audit all locations in your certification scope | Multi-site or international organisations need a body that can audit across jurisdictions efficiently |
| Integrated audit capability | If you also hold ISO 27001, ask whether they can conduct combined audits | A combined audit reduces total audit days, travel costs and disruption to your team |
| Pricing transparency | Request an itemised quote covering Stage 1, Stage 2, surveillance and recertification | Some bodies offer lower initial prices but higher surveillance or recertification fees. Our certification cost guide includes typical fee ranges by organisation size |
How does the ISO 27701:2025 audit process work?
Understanding the audit process helps you prepare effectively and set expectations with your team:
Stage 1 audit (documentation review)
The auditor reviews your PIMS documentation to assess whether your management system is designed to meet the ISO 27701:2025 requirements. Key documents include:
- PIMS scope and context documentation (Clauses 4.1–4.4)
- Privacy policy (Clause 5.2)
- Privacy risk assessment and treatment plan (Clauses 6.1.2–6.1.3)
- Statement of Applicability referencing Annex A controls
- Internal audit programme and results (Clause 9.2)
- Management review records (Clause 9.3)
Stage 1 is typically 1–2 days. The auditor will raise any concerns that need to be addressed before Stage 2.
Stage 2 audit (implementation audit)
This is the main audit. The auditor verifies that your PIMS is implemented and operating effectively — not just documented. They will:
- Interview staff to confirm awareness and understanding of privacy responsibilities
- Sample evidence for implemented controls (policies acknowledged, risks reviewed, incidents handled)
- Verify that your Statement of Applicability accurately reflects your control implementation
- Assess the effectiveness of your management review and continuous improvement processes
Stage 2 typically takes 2–8 days depending on your organisation’s size and scope.
Audit outcomes
| Finding type | What it means | Impact on certification |
|---|---|---|
| Major nonconformity | A requirement is not met, or a control is absent or fundamentally ineffective | Must be resolved before certification is granted. May require a follow-up audit visit. |
| Minor nonconformity | A requirement is partially met, or implementation is inconsistent | Must be resolved within an agreed timeframe (typically 90 days). Certification can proceed. |
| Opportunity for improvement | A suggestion for enhancing your PIMS, not a requirement failure | No impact on certification. Address at your discretion. |
Surveillance and recertification
After initial certification, you have annual surveillance audits (shorter, focused assessments) and a full recertification audit every three years. Your certification body should provide a clear schedule for these at the outset.
What questions should you ask before committing?
Use these questions when evaluating certification bodies:
- Are you UKAS-accredited for ISO/IEC 27701? — Verify the specific standard, not just ISO 27001.
- Are you issuing certificates against the 2025 edition? — Some bodies may still be transitioning their audit schemes.
- Who will be my lead auditor, and what is their privacy background? — The auditor’s competence directly affects the quality of your audit experience.
- Can you provide an itemised quote for the full three-year cycle? — Compare total cost (Stage 1 + Stage 2 + 2 surveillances + recertification), not just the initial audit fee.
- Can you conduct a combined ISO 27001/27701 audit? — If applicable, this saves time and money.
- What is your policy on auditor rotation? — Some organisations prefer consistency; others value fresh perspectives. Understand whether you will have the same auditor across the cycle.
- How do you handle major nonconformities? — Understand the timeline for resolution and whether a follow-up visit incurs additional fees.
- What is your availability? — Popular certification bodies may have lead times of 2–3 months. Factor this into your certification timeline.
How do you compare quotes fairly?
Request quotes from at least three accredited bodies and compare them on a like-for-like basis:
| Line item | Body A | Body B | Body C |
|---|---|---|---|
| Stage 1 audit (days / cost) | — | — | — |
| Stage 2 audit (days / cost) | — | — | — |
| Surveillance Year 1 (days / cost) | — | — | — |
| Surveillance Year 2 (days / cost) | — | — | — |
| Recertification Year 3 (days / cost) | — | — | — |
| Certificate issuance / UKAS fee | — | — | — |
| Travel / expenses | — | — | — |
| Total 3-year cost | — | — | — |
The cheapest quote is not always the best value. Consider the auditor’s expertise, the body’s reputation, and whether combined audits (if applicable) are offered. A more experienced auditor may identify genuine improvements rather than just ticking boxes. If you are also engaging a consultant, ensure they and the certification body are completely separate: ISO/IEC 17021-1 requires certification bodies to be impartial, so a body that has advised on your PIMS cannot also certify it, and a certificate issued under those conditions is open to challenge.
Why choose ISMS.online for ISO 27701:2025?
- Audit-ready from day one — Pre-built framework with all ISO 27701:2025 requirements and Annex A controls mapped and trackable
- Clean evidence trail — Linked risks, controls, policies and evidence give auditors a clear path to follow, reducing audit duration and findings
- Automated SoA — Generate your Statement of Applicability from your control selections, with justifications and evidence links ready for auditor review
- Internal audit tools — Plan and conduct pre-certification internal audits with finding management and corrective action tracking
- Management review support — Dashboards provide the inputs auditors expect to see in your management review records
- Multi-framework for combined audits — If your certification body conducts a combined ISO 27001/27701 audit, the platform presents both frameworks in one place
- Continuous readiness — Stay audit-ready between surveillance visits with task management, review cycles and compliance dashboards
Ready to prepare for your certification audit? Book a demo and see how ISMS.online supports your ISO 27701:2025 certification journey.
Frequently Asked Questions
Can I switch certification bodies mid-cycle?
Yes, through a process called transfer of certification. The new certification body will review your existing certificate, audit history and any outstanding nonconformities before accepting the transfer; open major nonconformities, or a certificate that is suspended, will normally block a transfer until they are resolved with the current body. This is typically straightforward but may incur additional fees. Plan any transfer to coincide with a surveillance or recertification audit to minimise disruption.
What is the difference between UKAS and non-UKAS certification?
UKAS accreditation means the certification body has been independently assessed against international standards for audit competence. Non-UKAS (unaccredited) certificates may not be recognised by procurement teams, regulators or international partners. For most commercial purposes, a UKAS-accredited (or equivalent national body) certificate is essential.
How far in advance should I book my audit?
Most certification bodies have lead times of 6–12 weeks for scheduling. Popular bodies or specific auditor requests may require longer. Contact your preferred body early in your implementation to agree a provisional audit date, then confirm when you are confident in your readiness.
Can I have a remote audit?
Yes, remote auditing is now widely accepted, particularly following the practices established during 2020–2022. Most certification bodies offer fully remote or hybrid audits. Remote audits can reduce travel costs and scheduling complexity. However, the certification body will determine whether remote auditing is appropriate based on your organisation’s size, complexity and the scope of the audit.
What if I fail the Stage 2 audit?
If major nonconformities are raised at Stage 2, certification is not granted until they are closed (a certificate cannot be suspended at this point because none has been issued yet). You will typically have 90 days to implement corrective actions and submit evidence. The certification body may require a follow-up visit (which incurs additional fees) or accept evidence of resolution remotely, depending on the nature of the findings. If corrective actions are not completed within the agreed period, the body may require a repeat Stage 2 audit. Minor nonconformities do not prevent certification but must be addressed within the agreed timeframe.