
ISO 27701 Privacy Management

ISO 27701 is the privacy extension to your existing ISO 27001 certification. You build a Privacy Information Management System (PIMS) with which you demonstrably comply with the GDPR — both as a controller and as a processor. Useful when your clients or procurement bodies ask for proof of privacy management. We implement ISO 27701 as an integrated engagement on your existing ISMS, so you avoid duplicate effort.

ISO 27701 Privacy ISMS

What is ISO 27701?

ISO/IEC 27701:2019 is an extension of ISO 27001 and ISO 27002 specifically focused on privacy management. The standard introduces a Privacy Information Management System (PIMS) and provides practical guidance for compliance with privacy regulations such as the GDPR.

The standard applies to both controllers (determine the purpose and means of processing) and processors (process on behalf of others). For organisations already ISO 27001-certified, the step to ISO 27701 is relatively small.

ISO 27701 & GDPR

The GDPR requires organisations to demonstrate that they process personal data lawfully, transparently and for specific purposes. ISO 27701 provides a structured framework to establish and document this accountability — from processing records and Data Protection Impact Assessments (DPIAs) to data breach procedures and processor agreements.

Benefits of ISO 27701

  • Demonstrable GDPR compliance: Certification shows external parties that your privacy management is in order
  • Processor relationships: Strengthen the confidence of contracting authorities who engage you as a processor
  • Structured privacy management: Processes for DPIAs, processor agreements and data subject rights embedded in your management system
  • Synergy with ISO 27001: Shared structure, shared audits, lower total effort

Our approach

  • Privacy gap analysis: Assessment of your current privacy practices against ISO 27701 and the GDPR
  • PIMS implementation: Setting up the privacy policy, the record of processing activities, the DPIA procedure and the data breach protocol
  • Integration with ISMS: Seamless integration with your existing ISO 27001 management system
  • Certification: Guidance with combined ISO 27001/27701 audit

Demonstrably privacy compliant?

Plan a consultation on ISO 27701 and GDPR compliance. We bring your privacy practices up to standard — and integrate this seamlessly into your existing ISMS.


Difference from ISO 27001

ISO 27701 is an extension on top of ISO 27001. While ISO 27001 delivers an Information Security Management System (ISMS), ISO 27701 adds a Privacy Information Management System (PIMS). You can only achieve ISO 27701 if you also have an ISO 27001 scope or have it certified in the same audit. The standard introduces additional controls for controllers and processors.

Demonstrable GDPR Compliance

ISO 27701 aligns directly with the GDPR and is recognised by supervisory authorities as support for privacy measures. The certificate is usable in tenders, supplier assessments and DPIAs. For organisations that process personal data on behalf of clients (think of SaaS platforms, payroll providers) ISO 27701 is a strong asset.

The role of the DPO

The Data Protection Officer (DPO) is an explicit role in ISO 27701, with responsibilities for advice, monitoring and contact with data subjects. The processing activities register (ROPA), the incident notification process for data breaches and the management of processor agreements are also embedded in the standard. We provide both implementation and DPO-as-a-service.

Frequently Asked Questions

Can I achieve ISO 27701 without ISO 27001?

No. ISO 27701 is an extension and requires an ISO 27001 ISMS to be in place. In practice, simultaneous certification is common: one audit for 27001 and 27701, which saves time and costs.

How long does certification take?

With an existing ISO 27001 certification: typically 3 to 6 months for the extension to 27701. Starting from scratch: 9 to 12 months for the combined implementation of 27001 and 27701. The actual timeline depends on the scope and size of the organisation.

Is ISO 27701 mandatory?

Not legally mandatory, but required in many sectors as a tender requirement or client condition. For organisations processing large amounts of personal data, it is a strong commercial and compliance asset.