Everything You Need to Know About ISO 27701

February 27, 2024 | ISO 27001

According to a study by Cisco, 94% of organizations say their customers won’t buy from them if data is not properly protected. In today’s business landscape, privacy is paramount—that’s where ISO 27701 comes in. As an extension of ISO 27001, ISO 27701 is the first international privacy standard to provide a certification for organizations demonstrating the privacy controls they have in place.

BARR is accredited by the ANSI National Accreditation Board (ANAB) to perform certification services to both ISO/IEC 27001 and 27701 standards. Take a look at everything you need to know about ISO 27701 below. 

ISO 27001 vs. ISO 27701—What’s the Difference?

Established in 2005, ISO 27001 defines requirements for an information security management system (ISMS). The framework helps organizations manage the security of services, data, intellectual property, or any information entrusted to you by a third party. 

As an extension of ISO 27001, ISO 27701 was implemented in August 2019 as a way to outline requirements for establishing, implementing, maintaining, and continually improving an organization’s privacy information management system (PIMS). 

ISO 27701 provides guidance for organizations complying with international privacy regulations such as the General Data Protection Regulation (GDPR). It’s a highly effective way of demonstrating an organization’s commitment to data privacy. 

Understanding the difference between security and privacy is important when looking at both ISO 27001 and ISO 27701. Security is the process or system in place to protect that data, whereas privacy refers to the individual’s ability to control the access to their personal data.

Privacy depends on security, therefore ISO 27701 depends on having ISO 27001 in place—it cannot be obtained independently. 

Take a look at some key differences and similarities between ISO 27001 and ISO 27701 below.

ISO 2700


Who Needs ISO 27701?

ISO 27701 is most relevant for personally identifiable information (PII) controllers and processors, but it can also be used by any organization around the world, regardless of industry or size. 

Organizations should understand the context in which they handle data—as either controllers or processors. A data controller is the entity that determines the “why” and “how” for processing personal data, while the data processor is the entity that performs the data processing. 

Similarly to ISO 27001, ISO 27701 uses a risk-based approach, which means organizations adopting ISO 27701 are not required to implement every possible control for every situation. Instead, BARR will work with you to identify, prioritize, and mitigate risks according to your organization’s specific needs. 

You’ll want to consider ISO 27701 if your organization:

  • Handles both controller and processor-specific controls 
  • Wants to demonstrate a commitment to privacy
  • Is small to medium-sized or enterprise level—all sizes can benefit from this certification
  • Needs to comply with GDPR standards 
  • Already has an ISO 27001 certification in place

“For organizations eager to stand out in a crowded market of cloud service providers, these certifications serve as differentiators that not only demonstrate the maturity of your information security management systems, but also affirm your commitment to protecting and securing consumer and third-party data,” said BARR founder and CEO Brad Thies.

The ISO 27701 Certification Process 

BARR serves as your trusted partner throughout each step of the way. See below for our step-by-step approach to ISO 27701 certification.

  • Pre-Certification: BARR begins with pre-certification activities. We will conduct a client evaluation and engagement acceptance review. As part of this process, we’ll need information over your PIMS scope and boundaries of your system to determine fee arrangements and resourcing needs.
  • Pre-Assessment (optional): BARR offers an optional pre-assessment. This is not a required step, but a formal readiness assessment against the ISO/IEC 27701 standard can be helpful in assisting organizations prepare for initial certification. The desired outcome is to identify deficiencies in the client PIMS seeking certification to the ISO/IEC 27701 standard prior to the assessment.
  • Initial Certification Audit: The next step is the initial certification audit, which includes two stages. Stage 1 is an evaluation of the management system and documentation with a primary focus on the design of the system. The Stage 2 audit evaluates the implementation and effectiveness of the management system. This stage is performed at the client location(s). BARR Certifications will then determine if it will issue certification to the client.
  • Surveillance Audit: If an initial certificate is issued, it’s valid for three years. Surveillance audits are conducted at least annually to help ensure a certified organization is able to maintain its compliance to the standard.
  • Recertification: Before the certificate expires, BARR Certifications and the client will plan arrangements for recertification. 
  • Notice of Changes: If during the three-year certification cycle there are changes in scope of the certification (i.e., reduction or expansion) or changes to requirements, this will be discussed with the BARR Certifications team.

Interested in learning more about ISO 27701? Contact us today. 

Let's Talk