
ISO/IEC 27701

A privacy extension (PIMS) to ISO 27001 for managing personal data.

ISO/IEC 27701 extends ISO/IEC 27001 and 27002 with requirements and guidance for a Privacy Information Management System (PIMS) — managing personally identifiable information (PII). It is an add-on: you certify ISO 27001 and extend it with 27701.

What it adds

  • PIMS-specific requirements extending the ISO 27001 clauses.
  • Additional guidance on ISO 27002 controls for privacy.
  • A set of controls for PII controllers (Annex A of 27701).
  • A set of controls for PII processors (Annex B of 27701).
  • Mapping guidance to GDPR and other privacy regimes.

Controller vs processor

Role             Focus of controls
PII controller   Consent, purpose, data-subject rights, transparency, privacy by design
PII processor    Processing on instructions, sub-processor management, assisting the controller

How it helps GDPR / DPDP

ISO 27701 provides a certifiable, auditable structure for a privacy programme and maps to GDPR articles — giving independent assurance to regulators and customers, and a strong foundation for India’s DPDP Act.

Certification path

  1. Have (or implement) an ISO 27001 ISMS.
  2. Determine your role(s): controller and/or processor.
  3. Implement the PIMS requirements and the relevant Annex A/B controls.
  4. Extend the risk assessment and SoA to privacy.
  5. Certify 27701 alongside (or after) ISO 27001.

How CyberSigma helps
We extend your ISO 27001 ISMS into a certified PIMS with ISO 27701 — implementing controller/processor controls and mapping to GDPR and DPDP.

Frequently asked questions

Can I certify ISO 27701 on its own?
No — ISO 27701 is an extension of ISO 27001, so you need an ISO 27001 ISMS (existing or concurrent) as its foundation.

Need help with ISO 27701?

CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to being compliant — with a scoped, guided programme.