Why should procurement teams care about ISO 27701?

Every organisation that shares personal data with a supplier takes on risk. Data protection regulations (GDPR, LGPD, PDPA, and others) hold controllers accountable for their processors’ privacy practices. A supplier breach becomes your breach in the eyes of regulators and affected individuals. Understanding the cost of non-compliance makes the case for rigorous supplier evaluation.

ISO 27701 certification provides an independent, auditable signal that a supplier has implemented a structured privacy information management system. But not all certifications are equal — scope, accreditation, and ongoing compliance all matter. This guide helps you evaluate what you are actually getting.

What should you check on an ISO 27701 certificate?

An ISO 27701 certificate is a formal document issued by a certification body after a successful audit. Here is what to verify:

Certificate element, what to check, and why it matters:

  • Certification body
    What to check: Is the body accredited by a recognised national accreditation body (e.g., UKAS, ANAB, DAkkS)? See our guide on choosing a certification body.
    Why it matters: Non-accredited certifications carry less weight and may not meet the rigour expected by regulators.
  • Standard version
    What to check: Does it reference ISO 27701:2019 or ISO 27701:2025?
    Why it matters: The 2025 edition is the current version. Suppliers on the 2019 edition should have a transition plan.
  • Scope statement
    What to check: Does the scope cover the services and data processing relevant to your contract?
    Why it matters: A narrow scope may exclude the specific processing activities you rely on.
  • Role (controller/processor)
    What to check: Is the supplier certified as a PII controller, processor, or both?
    Why it matters: Ensure the certified role matches your contractual relationship.
  • Validity dates
    What to check: Is the certificate current? When is the next surveillance audit?
    Why it matters: Expired or lapsed certificates provide no assurance.
  • Statement of Applicability
    What to check: Which controls from Annex A are included or excluded?
    Why it matters: Excluded controls may indicate gaps relevant to your data processing requirements.

How do you assess whether the scope is adequate?

Scope is the most critical element to evaluate. A supplier may hold a valid ISO 27701 certificate but have scoped it narrowly — covering only part of their business or a subset of their services.

Questions to assess scope adequacy

  • Does the certification scope explicitly cover the service(s) you are procuring?
  • Does it include all locations where your data will be processed, stored, or accessed?
  • Does it cover the full data lifecycle — collection, processing, storage, transfer, and deletion?
  • Are subprocessors used by the supplier included within the scope, or are they excluded?
  • If the supplier operates in multiple jurisdictions, does the scope cover all relevant ones?

If the answer to any of these is “no” or “unclear,” you need further assurance — either through additional documentation from the supplier or through your own due diligence.

What questions should you ask certified suppliers?

Beyond the certificate itself, a set of targeted questions helps you understand the supplier’s actual privacy maturity:

Management system questions

  • When was your last surveillance or recertification audit, and what were the findings?
  • How many nonconformities were identified in your most recent audit? How were they resolved?
  • How frequently do you conduct internal audits of your PIMS?
  • Who is your management representative for privacy, and how do they report to senior leadership?
  • Can you share your most recent management review outputs (redacted if needed)?

Operational questions

  • How do you handle data subject access requests for data processed on our behalf?
  • What is your breach notification process and timeline?
  • How do you manage subprocessor changes, and how will we be notified?
  • What data retention and deletion processes apply to our data on contract termination?
  • Can you provide evidence of your most recent privacy risk assessment?

Technical questions

  • How is our data isolated from other customers’ data?
  • What encryption standards are applied at rest and in transit?
  • How is access to our data controlled and logged?
  • Where is our data physically stored, and are there any transfers outside our specified jurisdictions?

What are the red flags in vendor privacy assessments?

Not every supplier with privacy claims deserves confidence. Watch for these warning signs:

Red flag and what it suggests:

  • Certificate from a non-accredited body
    What it suggests: The audit may lack rigour. Accreditation ensures the certification body meets international standards for competence and impartiality.
  • Scope does not cover your services
    What it suggests: The supplier may have certified a different part of their business. Your data may not benefit from the certified PIMS.
  • Reluctance to share the Statement of Applicability
    What it suggests: The SoA shows which controls are in scope. Refusal to share it (even redacted) may indicate uncomfortable exclusions.
  • No clear breach notification process
    What it suggests: If the supplier cannot articulate their incident response timeline and escalation path, their PIMS may be immature.
  • Still on ISO 27701:2019 with no transition plan
    What it suggests: The 2025 edition brings significant changes. Suppliers without a transition plan risk lapsing when the 2019 edition is withdrawn.
  • Cannot name subprocessors
    What it suggests: If a supplier cannot provide a current subprocessor list, they may not have the oversight required by the standard.
  • No evidence of continuous improvement
    What it suggests: A PIMS that was set up for the audit but is not actively managed provides diminishing assurance over time.

ISMS.online supports over 100 standards and regulations, giving you a single platform for all your compliance needs.

How should you integrate ISO 27701 into your procurement framework?

ISO 27701 certification works best as part of a structured vendor evaluation process, not as a standalone checkbox:

Tiered evaluation approach

  • Tier 1 (high risk): Suppliers processing large volumes of sensitive PII. Require ISO 27701 certification, review the SoA, conduct detailed due diligence, and schedule periodic reassessment.
  • Tier 2 (medium risk): Suppliers with access to PII but limited processing scope. Accept ISO 27701 certification as primary evidence, supplemented by targeted questions on scope and incident response.
  • Tier 3 (low risk): Suppliers with minimal PII access. Certification is a positive signal but may not be mandatory. Focus on contractual protections.

Contractual considerations

Use the supplier’s ISO 27701 certification as a contractual baseline, but reinforce it with:

  • A requirement to maintain certification throughout the contract term
  • An obligation to notify you of any certification changes (scope reductions, nonconformities, suspensions)
  • Right-to-audit clauses for situations where the certificate alone is insufficient
  • Defined breach notification timelines aligned with your regulatory obligations
  • Data deletion requirements on contract termination, with evidence

How does your own ISO 27701 certification strengthen procurement?

Procurement is a two-way street. Achieving your own ISO 27701:2025 certification demonstrates to suppliers (and regulators) that you take privacy seriously. It also provides a structured framework for managing vendor risk as part of your PIMS.

Within ISMS.online, supplier management integrates directly with your PIMS — linking supplier assessments to risks, controls, and audit findings in a single system. This makes vendor privacy evaluation a managed, repeatable process rather than an ad hoc exercise.

Why Choose ISMS.online for Privacy Procurement Management?

  • Integrated supplier management: Assess, monitor, and manage supplier privacy compliance within your PIMS — not in a separate spreadsheet.
  • Pre-built ISO 27701:2025 framework: The standard’s requirements are mapped and ready, including supplier-related controls.
  • Risk-linked vendor assessments: Connect supplier risks to your organisation’s risk register so vendor privacy gaps are visible at the management level.
  • Evidence trail: Store certificates, SoAs, due diligence records, and correspondence in one auditable location.
  • Automated review cycles: Set reminders for certificate expiry, surveillance audit dates, and periodic reassessments.
  • Support for both sides: Whether you are evaluating suppliers or preparing for your own certification, the platform covers both scenarios.
  • Collaborative approach: Share relevant compliance evidence with customers and partners directly from the platform.

Ready to strengthen your procurement privacy evaluation? Book a demo to see how ISMS.online makes vendor assessment part of your privacy management system.

FAQs

Should we require ISO 27701 certification from all suppliers?

Not necessarily. A risk-based approach is more practical. Require certification from high-risk suppliers who process significant volumes of PII. For lower-risk suppliers, use certification as a positive indicator alongside contractual protections and targeted due diligence questions.


What is the difference between ISO 27701:2019 and 2025 for procurement purposes?

The 2025 edition can be achieved as a standalone certification without requiring ISO 27001. It also includes updated controls and improved alignment with current privacy regulations. Suppliers certified to the 2019 edition should have a documented transition plan.


Can a supplier be certified to ISO 27701 but still have privacy gaps?

Yes. Certification provides assurance within its defined scope, but it does not guarantee perfection. A supplier may have a narrow scope that excludes certain services, or their PIMS may not cover all the processing activities relevant to your contract. This is why reviewing the scope statement and Statement of Applicability is essential.


How often should we reassess certified suppliers?

At minimum, verify certificate validity annually (aligned with surveillance audit cycles). For high-risk suppliers, conduct a more detailed reassessment every 12–18 months, reviewing scope changes, audit findings, incident history, and subprocessor updates. ISMS.online can automate these review reminders within your PIMS.


What if a supplier refuses to share their Statement of Applicability?

This is a significant red flag. The SoA is a standard audit artefact and sharing it (redacted if necessary) is common practice. If a supplier refuses, request a summary of excluded controls and the justification for each exclusion. If transparency is still lacking, consider whether the supplier meets your risk appetite.



Max Edwards

Max works as part of the ISMS.online marketing team and ensures that our website is updated with useful content and information about all things ISO 27001, 27002 and compliance.