How does the ISO 27701:2025 certification audit work?
The ISO 27701:2025 certification audit follows the same two-stage approach used for all ISO management system standards. Understanding what each stage involves removes the uncertainty and lets you prepare with confidence.
The process is carried out by an accredited certification body, and the auditors’ goal is not to catch you out — it is to confirm that your Privacy Information Management System (PIMS) meets the requirements of the standard and operates effectively in practice.
Stage 1: Documentation review
Stage 1 is sometimes called the “readiness review.” The auditor assesses whether your documentation and management system design are sufficient to proceed to Stage 2. This stage is typically conducted remotely, although some certification bodies may visit on-site.
During Stage 1, the auditor will review:
- Your PIMS scope and Statement of Applicability
- Privacy policy, objectives and risk assessment methodology
- The management system requirements (Clauses 4–10) and how you have addressed them
- Your internal audit programme and management review records
- Evidence that your PIMS has been operational for a sufficient period (typically at least three months)
The auditor will produce a Stage 1 report identifying any areas of concern. These are not formal nonconformities, but they signal areas that need attention before Stage 2.
Stage 2: Implementation assessment
Stage 2 is the main audit. It confirms that your PIMS is not just documented but genuinely implemented and effective. Stage 2 is conducted on-site or via a combination of on-site and remote sessions, depending on your certification body and organisational setup.
The auditor will:
- Interview staff across different functions to verify awareness and understanding
- Sample evidence of control implementation (policies, procedures, records, system configurations)
- Assess whether risks have been identified and treated appropriately
- Evaluate the effectiveness of your Annex A privacy controls
- Check corrective actions from your internal audit and management review
What do auditors actually look for?
Auditors assess your PIMS against the requirements of ISO 27701:2025. But beyond simple compliance, they are looking for evidence that your privacy management system is genuinely embedded in how your organisation operates.
Key areas auditors focus on include:
| Area | What the auditor checks | Evidence they expect |
|---|---|---|
| Leadership commitment | Is top management actively involved in privacy governance? | Management review minutes, resource allocation decisions, privacy objectives |
| Risk assessment | Are privacy risks identified, assessed and treated systematically? | Risk register, risk treatment plan, risk acceptance criteria |
| Operational controls | Are Annex A controls implemented and working? | Procedure records, system configurations, training records |
| Monitoring and measurement | Are you measuring whether controls are effective? | KPIs, incident records, audit results, trend analysis |
| Continual improvement | Are nonconformities addressed and lessons learned? | Corrective action records, management review outputs, improvement plans |
Auditors typically use a sampling approach. They will not check every control or interview every member of staff, but they will look at enough evidence to form a reasonable conclusion about the effectiveness of your PIMS.
How should you prepare your team for the audit?
The most common source of audit findings is not poor documentation — it is staff who are unaware of the policies and procedures that apply to their roles. Preparing your team is as important as preparing your evidence.
Before the audit
- Brief all staff who may be interviewed. They should understand the PIMS scope, their role within it, and where to find relevant policies.
- Run a mock audit. Simulate the auditor’s approach by interviewing staff and sampling evidence. This identifies gaps before the real audit does.
- Confirm evidence is accessible. Auditors should not have to wait while someone searches for records. Organise evidence packs by clause and control.
- Assign an audit liaison. Nominate one person to coordinate logistics, schedule interviews, and handle auditor queries.
During the audit
- Answer the question asked. Avoid volunteering information beyond what the auditor requests.
- Be honest. If a process is not fully implemented, say so. Auditors appreciate transparency far more than evasion.
- Provide evidence promptly. Have records, screenshots, system access and documents ready for the areas being assessed.
- Take notes. Record auditor observations and questions — these are valuable input for post-audit improvement.
ISMS.online makes audit preparation significantly easier by keeping all your policies, controls, risk assessments, evidence and audit records in one place. When the auditor asks for evidence, you can navigate directly to the relevant record rather than searching through shared drives and spreadsheets.
What are the most common audit findings?
Understanding common findings helps you address them before the auditor arrives. Many of these overlap with common implementation mistakes. These are the issues certification bodies report most frequently:
| Finding | Why it happens | How to avoid it |
|---|---|---|
| Incomplete risk assessment | Privacy risks are treated separately from information security risks, or not all processing activities are considered | Ensure your risk assessment covers all PII processing activities and aligns with your data inventory |
| Weak management review | Management reviews are superficial or do not cover the required inputs | Use a structured agenda that covers all inputs specified in the standard (audit results, risk changes, improvement opportunities) |
| Missing internal audit evidence | Internal audits are conducted but not properly documented | Record audit plans, findings, corrective actions and follow-up. ISMS.online provides built-in audit management to track this |
| Staff awareness gaps | Staff cannot explain the policies or controls that apply to their roles | Run awareness sessions before the audit and ensure policy acceptance records are up to date |
| Outdated documentation | Policies or procedures reference superseded processes or organisational structures | Schedule regular document reviews and use version control to track changes |
What happens after the audit?
After Stage 2, the auditor will present their findings in a closing meeting and issue a formal audit report. The possible outcomes are:
- Recommendation for certification — No major nonconformities found. Minor observations may be noted for improvement.
- Conditional recommendation — Minor nonconformities identified. You will need to submit evidence of corrective action within a defined timeframe (typically 90 days).
- Certification not recommended — Major nonconformities found. A follow-up audit will be required after you address the issues.
Once certified, your certificate is valid for three years, subject to annual surveillance audits. These are shorter than the initial certification audit and focus on a subset of requirements to confirm continued compliance.
Surveillance and recertification
| Audit type | When | Scope |
|---|---|---|
| Surveillance audit 1 | ~12 months after certification | Subset of requirements, plus any areas flagged in initial audit |
| Surveillance audit 2 | ~24 months after certification | Different subset of requirements |
| Recertification audit | ~36 months (before expiry) | Full reassessment, similar to initial certification |
ISMS.online helps you stay audit-ready between assessments by maintaining a continuous record of policy reviews, risk updates, corrective actions and management review outputs — so you are never scrambling to prepare when the next surveillance audit is due.
Why choose ISMS.online for audit preparation?
- Centralised evidence: All policies, controls, risk assessments and audit records in one platform, ready for auditor review.
- Built-in audit management: Plan, execute and track internal audits with findings, corrective actions and follow-up — all linked to the relevant controls.
- Policy rollout and acceptance: Distribute policies to staff, track who has read and accepted them, and export adoption reports for auditors.
- Risk register with treatment plans: Demonstrate a systematic approach to privacy risk with linked controls, owners and review dates.
- Management review templates: Structured agendas and outputs that cover every input the standard requires.
- Continuous monitoring: Dashboards and KPIs show the current health of your PIMS at a glance, supporting surveillance audit readiness.
- Version-controlled documentation: Automatic version history and document check-out ensure auditors always see the current, approved version.
FAQs
How long does the ISO 27701:2025 certification audit take?
Stage 1 typically takes one to two days, and Stage 2 takes two to five days depending on the size and complexity of your organisation. There is usually a gap of four to eight weeks between Stage 1 and Stage 2 to allow you to address any findings.
Can the audit be conducted remotely?
Stage 1 is commonly conducted remotely. Stage 2 typically requires on-site presence, although many certification bodies now offer hybrid approaches combining remote and on-site assessment. Your certification body will confirm the approach during planning.
What happens if we receive a major nonconformity?
A major nonconformity means certification cannot be granted until the issue is resolved. You will need to implement corrective action and undergo a follow-up audit (or provide sufficient evidence) before the certification body can make a recommendation. This is not uncommon and does not mean your implementation has failed.
Do we need ISO 27001 before we can be audited for ISO 27701:2025?
ISO 27701:2025 can now be certified as a standalone standard, so ISO 27001 certification is no longer a prerequisite. However, if you already hold ISO 27001, the audit scope for ISO 27701 will focus on the privacy-specific additions.
How should we choose a certification body?
Look for a certification body accredited by a national accreditation body (such as UKAS in the UK). Consider their experience with ISO 27701 specifically, their auditor availability, and whether they offer integrated audits if you hold other ISO certifications. Request proposals from two or three bodies to compare approach, timeline and cost.