ISO 27701 is one of the most useful and most misunderstood privacy standards in current use. It is sometimes pitched as "the ISO standard for privacy," which is misleading — it is an extension of ISO 27001, not a freestanding management system. That distinction shapes everything about how it should be implemented and what value it delivers.
What ISO 27701 Actually Is
ISO 27701 extends an existing ISO 27001 information security management system with the additional requirements and controls needed to manage personally identifiable information specifically. It does this by augmenting the existing ISMS clauses with privacy-specific guidance and adding new annexes (A and B) covering controls applicable to PII controllers and PII processors respectively.
The implication for implementation is significant. You cannot certify against ISO 27701 without first being certified against ISO 27001 (or implementing both simultaneously). The privacy management system runs on top of the security management system, sharing infrastructure: the same risk methodology, the same internal audit programme, the same management review cadence, the same scope.
The GDPR Question
ISO 27701 is not a GDPR certification. It cannot be — GDPR explicitly says certification is the role of approved bodies designated under the regulation, not international standards bodies. What ISO 27701 does is provide a structured implementation framework that addresses many GDPR requirements. Organisations that implement ISO 27701 well are typically in a much stronger GDPR compliance position, but the certificate itself does not satisfy GDPR.
A useful framing for buyer-side conversations: ISO 27701 is the closest thing to a globally recognised privacy management certification. It is increasingly appearing in enterprise procurement questionnaires alongside SOC 2 and ISO 27001. If you serve regulated industries or work with European enterprise customers, the marginal effort over ISO 27001 alone is usually worthwhile.
What the Annexes Actually Add
Annex A applies to PII controllers — organisations that decide why and how PII is processed. Its controls cover lawful basis, purpose limitation, data subject rights handling, transfers between controllers, and the obligations specific to the controller role. If your organisation collects data from data subjects directly or makes processing decisions, this is most of what you implement.
Annex B applies to PII processors — organisations that process PII on behalf of a controller. Its controls cover the contractual relationship with the controller, restrictions on use, sub-processor management, and the operational practices needed to support a controller in meeting their obligations. Cloud providers, SaaS vendors, and outsourced service providers typically implement Annex B.
How to Approach Implementation
- Treat it as a privacy extension of the existing ISMS scope, not a separate project
- Map each processing activity to the controller or processor role; many organisations are both
- Use the existing risk register; add privacy risks rather than starting a new artefact
- Augment internal audit and management review agendas with privacy-specific items
- Update privacy notices, contracts, and rights-handling procedures to reference the new controls
- Plan the certification audit alongside or after the next ISO 27001 surveillance audit, not as a separate calendar event
When ISO 27701 Is Not the Right Choice
If you do not have ISO 27001, ISO 27701 is not the place to start. The cost of implementing both simultaneously is high, and most of the privacy-specific value is layered on top of security infrastructure that has to exist anyway. If you are early in your security maturity, get ISO 27001 first, build the operational rhythm, and add ISO 27701 once the foundation is solid. The standard is patient. The benefit is compound.