ISO 27701: The Privacy Extension to ISO 27001

Building Privacy on Top of Security

If you’re already ISO 27001 certified and handling personal data (which every SaaS company does), ISO 27701 is the natural next step. Published in 2019, ISO 27701 extends the ISO 27001 Information Security Management System to include Privacy Information Management, creating a PIMS (Privacy Information Management System).

The key word is “extends.” ISO 27701 isn’t a standalone standard. It builds directly on ISO 27001, adding privacy-specific requirements to the existing management system clauses and Annex A controls. If you have a functioning ISMS, adding ISO 27701 is significantly less work than building a privacy program from scratch.

What ISO 27701 Adds

Extended Management System Requirements

ISO 27701 adds privacy-specific considerations to each ISO 27001 clause:

• Context: Identify privacy-related interested parties, applicable privacy regulations, and the role your organization plays (controller, processor, or both)
• Leadership: Ensure leadership commitment extends to privacy objectives, not just security
• Planning: Include privacy risks in your risk assessment methodology
• Support: Extend awareness and training programs to cover privacy
• Operation: Integrate privacy into operational planning and control
• Performance Evaluation: Measure and monitor privacy program effectiveness
• Improvement: Include privacy in your continual improvement process

PII Controller Controls (Annex A)

If your organization determines the purposes and means of processing personal data (controller role), you need to implement controls covering:

• Conditions for collection and processing
• Obligations to data subjects (rights fulfillment)
• Privacy by design and by default
• PII sharing, transfer, and disclosure
• Data protection impact assessments

PII Processor Controls (Annex B)

If your organization processes personal data on behalf of controllers (processor role), you need controls covering:

• Processing only on documented instructions
• Sub-processor management
• Assisting controllers with data subject requests
• Return and deletion of PII at end of contract
• PII transfer controls

Most B2B SaaS companies need to implement controls from both annexes, since they act as controllers for their own data and processors for their customers’ data.

How It Maps to Privacy Regulations

One of ISO 27701’s most valuable features is its built-in mapping to privacy regulations:

GDPR

The standard was designed with GDPR in mind. Annex D provides a detailed mapping between ISO 27701 controls and GDPR articles. Implementing ISO 27701 doesn’t automatically mean GDPR compliance (you still need to address jurisdiction-specific requirements), but it provides the operational framework that GDPR’s accountability principle demands.

Key GDPR requirements addressed by ISO 27701:

• Lawful basis for processing (documented in your PIMS)
• Data subject rights procedures
• Data Protection Impact Assessments
• Privacy by design and default
• Records of processing activities
• Data processor agreements
• International transfer safeguards
• Breach notification processes

CCPA/CPRA

While ISO 27701 was designed primarily with GDPR in mind, its controls map well to CCPA/CPRA requirements:

• Data inventory and classification
• Consumer rights fulfillment processes
• Service provider agreement requirements
• Data minimization and purpose limitation

Other Privacy Laws

The framework-agnostic nature of ISO 27701 means it supports compliance with virtually any privacy regulation: Brazil’s LGPD, Canada’s PIPEDA, Australia’s Privacy Act, and the growing number of US state privacy laws. The management system provides consistent operational practices while specific regulatory requirements are addressed through your compliance mapping.

The Certification Path

ISO 27701 certification requires an existing ISO 27001 certification (or simultaneous certification to both). The typical path:

1. You’re already ISO 27001 certified: Add ISO 27701 to your existing ISMS scope. Your certification body conducts an audit of the privacy extension alongside your next surveillance or recertification audit.

2. You’re pursuing both simultaneously: Build your ISMS with privacy integrated from the start. Your certification body audits both standards together.

Either way, the audit is incremental. The auditor evaluates the privacy-specific additions, not the entire ISO 27001 management system again.

Timeline

For organizations already ISO 27001 certified, adding ISO 27701 typically takes 3-4 months:

Month 1: Gap assessment against ISO 27701 requirements. Identify what your existing ISMS already covers and what needs to be added.

Month 2: Implement privacy-specific controls. This typically includes data inventory updates, privacy impact assessment procedures, data subject rights processes, processor management controls, and updates to your risk assessment to include privacy risks.

Month 3: Internal audit of the privacy extensions. Management review covering privacy program performance.

Month 4: Certification audit of the ISO 27701 extension.

Who Should Pursue ISO 27701

You’re already ISO 27001 certified and process personal data. The incremental effort is modest and the value is significant, especially if you operate internationally.

Your customers are asking about privacy compliance. ISO 27701 certification provides a recognized, auditable demonstration that you manage privacy systematically.

You need to comply with multiple privacy regulations. Rather than building separate compliance programs for GDPR, CCPA, and other regulations, ISO 27701 gives you a unified management system that addresses the common operational requirements across all of them.

You want to differentiate on privacy. ISO 27701 certification is still relatively uncommon. Early adoption signals maturity and commitment to privacy that customers and regulators notice.

Practical Considerations

You need ISO 27001 first. ISO 27701 is an extension, not standalone. If you’re not yet ISO 27001 certified, plan for both together.

Scope your roles carefully. Determine where you act as a controller and where you act as a processor. This determines which annexes apply and what controls you need.

Leverage your existing ISMS. The whole point of ISO 27701 is building on what you have. Don’t create parallel processes. Extend your existing risk assessment, internal audit, and management review to include privacy.

Don’t forget the regulatory mapping. ISO 27701 provides the framework, but you still need to map its controls to the specific regulations that apply to your business and address any gaps.

At Concerto, we help SaaS companies extend their ISO 27001 programs to include ISO 27701, building a unified security and privacy management system that satisfies customers and supports regulatory compliance across jurisdictions. Schedule a consultation to discuss adding privacy to your management system.