ISO/IEC 27701 is the certifiable standard for a privacy information management system (PIMS) – the management-system machinery of ISO 27001 pointed at personal information. Where privacy laws tell you what outcomes you owe people, ISO 27701 gives you the auditable operating system for delivering them: governance, risk assessment, controls, and continual improvement, independently certified. For any company whose customers ask "how do we know you handle personal data properly?" – which is now every B2B company – it's the strongest single answer available.
Newly standalone – and more valuable for itLink to this section
This standard just had its most significant upgrade. The original 2019 edition could only be certified as an extension bolted onto an existing ISO 27001 certificate. The 2025 edition (published October 2025) restructures ISO 27701 as a standalone management system standard with its own Clauses 4–10: you can now certify a PIMS in its own right, whether or not you hold ISO 27001. In practice the two remain natural partners – privacy without security is a contradiction – but the change matters: privacy-led organisations no longer need to sequence an entire ISMS first, and existing certificate holders have a transition window to October 2028 to move to the new edition. Both journeys – fresh certification and transition – are ones we run.
Controller and processor: know which hat you're wearingLink to this section
ISO 27701's control set is split by role, and most organisations wear both hats at once. As a PII controller (you decide why and how personal data is processed – your employees, your marketing database) the controls cover lawful basis, consent, privacy notices, individuals' rights, privacy by design, and disclosure registers. As a PII processor (you handle personal data on customers' behalf – every SaaS product) they cover processing within instructions, subprocessor management, handling legal demands, and returning or destroying data at contract end. The scoping exercise that untangles which activities fall under which role is half the value of the project: it's the map every DPA negotiation and every incident response will use.
One system, many lawsLink to this section
The quiet genius of a PIMS is that it's law-agnostic. GDPR, the Australian Privacy Act, the UK regime, US state laws – all demand substantially overlapping things: know your processing, have a lawful basis, honour rights, secure the data, manage vendors, respond to breaches. ISO 27701 implements that common core once, as an operating system, and each regulation becomes a mapping exercise rather than a separate programme. For Australian organisations facing the Privacy Act reform wave and selling into GDPR markets, this is the efficient path: one certified system, multiple compliance stories.
What certification buys youLink to this section
Privacy claims are cheap; certificates are checked. An accredited ISO 27701 certification gives procurement teams, DPOs, and regulators a third-party-verified answer to the privacy section of due diligence – it demonstrates the "appropriate technical and organisational measures" and accountability that GDPR Articles 24 and 5(2) demand, and it materially shortens enterprise sales cycles the same way ISO 27001 does for security. It also does something internal: it forces privacy out of the legal team's shared drive and into an operating rhythm with owners, metrics, audits, and reviews.
How ISO 27701 relates to other frameworksLink to this section
Pair it with ISO 27001 for the full security-plus-privacy management system (the 2025 edition keeps the machinery aligned, so an integrated audit is straightforward). ISO 27017 covers the cloud dimension of the same estate. And the PIMS artefacts – processing register, PIAs, rights workflows – are precisely the evidence the GDPR and Privacy Act expect you to produce on demand.
How we helpLink to this section
We build privacy management systems that operate, rather than documentation that decays:
- Role and gap analysis. Controller/processor mapping across your real data flows, a gap assessment against the 2025 edition, and a prioritised build plan.
- The PIMS, stood up. Privacy risk assessment, Statement of Applicability, PIA process, rights-request workflows, breach procedures, and the registers – built with the teams who will run them.
- Privacy training with proof. Whole-of-workforce privacy awareness plus role-specific depth (engineering, marketing, support), delivered on our platform with tamper-evident completion records that satisfy the competence and awareness clauses outright.
- Transition from 2019. Already certified? We restructure your extension-based PIMS to the standalone 2025 edition ahead of the 2028 deadline, reusing everything that still serves.
- Certification, end to end. Internal audit, management review, certification-body liaison, and support through Stage 1, Stage 2, and surveillance.
The table below maps the PIMS requirements and the controller and processor control families to how we help with each.
PIMS requirements and privacy controls
The management system (Clauses 4–10)
| Area | Requirement | How we help |
|---|---|---|
| Clause 4 | Context – the organisation's role as PII controller and/or processor, interested parties, and PIMS scope | We determine which hats you wear (controller, processor, often both), which privacy laws bind you, and scope the PIMS around where PII actually flows. |
| Clause 5 | Leadership – privacy policy, roles, and accountability | We draft the privacy policy and governance structure, defining who owns privacy day to day and how it reports to leadership – accountability an auditor can trace. |
| Clause 6 | Planning – privacy risk assessment and treatment | We extend risk assessment to cover risks to PII principals (not just to the business), run the assessments against your real processing, and produce the Statement of Applicability. |
| Clause 7 | Support – competence, awareness, and documented information | Privacy training for the whole workforce is a certifiable requirement here – ours is practitioner-led and role-based, with completions in a tamper-evident ledger that answers the evidence question in one export. |
| Clause 8 | Operation – operating the privacy controls and impact assessments | We operationalise privacy impact assessments, breach handling, and rights-request workflows so they run on schedule and leave records behind. |
| Clauses 9–10 | Performance evaluation and improvement – monitoring, internal audit, management review, and corrective action | We build PIMS metrics, run or train your internal audit function, and drive corrective actions – the operating rhythm that keeps certification through surveillance audits. |
PII controller controls
| Area | Requirement | How we help |
|---|---|---|
| Controller | Purpose, lawful basis, and consent | We document the purpose and legal basis for every processing activity, and rebuild consent capture where it's relied on – specific, informed, withdrawable, and recorded. |
| Controller | Privacy impact assessment | We stand up a proportionate PIA process with templates and worked examples, triggered automatically by new projects, vendors, and AI use cases. |
| Controller | Obligations to PII principals – notices and rights | We write clear privacy notices and build the access, correction, deletion, and objection workflows – with clocks, verification steps, and trained owners. |
| Controller | Privacy by design and by default | We embed minimisation, de-identification, retention limits, and default-off data collection into your development life cycle, recorded as design decisions auditors can inspect. |
| Controller | PII sharing, transfer, and disclosure | We register every recipient of PII – processors, partners, authorities – with the basis and safeguards for each, including cross-border transfer mechanisms. |
PII processor controls
| Area | Requirement | How we help |
|---|---|---|
| Processor | Processing only on documented customer instructions | We align contracts, product behaviour, and internal practice so processing stays within customer instructions – including the marketing and analytics temptations that breach them. |
| Processor | Subprocessor management | We build the subprocessor register, flow-down contract terms, and customer notification process that enterprise DPAs demand. |
| Processor | Disclosure requests and legally binding demands | We define how you handle government and third-party requests for customer PII – verification, challenge, notification – before the first subpoena arrives. |
| Processor | Return, transfer, and disposal of PII | We implement verifiable deletion and return of customer PII at contract end, with records that let your customers close their own compliance loop. |