ISO/IEC 27701 extends ISO/IEC 27001 and 27002 with requirements and guidance for a Privacy Information Management System (PIMS) — managing personally identifiable information (PII). It is an add-on: you certify ISO 27001 and extend it with 27701.
## What it adds
- PIMS-specific requirements extending the ISO 27001 clauses.
- Additional guidance on ISO 27002 controls for privacy.
- A set of controls for PII controllers (Annex A of 27701).
- A set of controls for PII processors (Annex B of 27701).
- Mapping guidance to GDPR and other privacy regimes.
## Controller vs processor
| Role | Focus of controls |
|---|---|
| PII controller | Consent, purpose, data-subject rights, transparency, privacy by design |
| PII processor | Processing on instructions, sub-processor management, assisting the controller |
## How it helps GDPR / DPDP
ISO 27701 provides a certifiable, auditable structure for a privacy programme and maps to GDPR articles — giving independent assurance to regulators and customers, and a strong foundation for India’s DPDP Act.
## Certification path
- Have (or implement) an ISO 27001 ISMS.
- Determine your role(s): controller and/or processor.
- Implement the PIMS requirements and the relevant Annex A/B controls.
- Extend the risk assessment and SoA to privacy.
- Certify 27701 alongside (or after) ISO 27001.
## How CyberSigma helps
We extend your ISO 27001 ISMS into a certified PIMS with ISO 27701 — implementing controller/processor controls and mapping to GDPR and DPDP.
## Frequently asked questions
### Can I certify ISO 27701 on its own?
No — ISO 27701 is an extension of ISO 27001, so you need an ISO 27001 ISMS (existing or concurrent) as its foundation.
## Need help with ISO 27701?
CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to being compliant — with a scoped, guided programme.
