Guide

How to implement ISO 27701 in your organization

Implementation guide for a privacy information management system aligned with ISO/IEC 27701:2019. ISO 27001 extension for personal data, PII controller/processor roles, and regulatory mapping.

ISO 27701 extends ISO 27001 and ISO 27002 to cover privacy information management. It is the reference standard for demonstrating compliance with data protection regulations such as GDPR, Argentina's Personal Data Protection Law, and Brazil's LGPD.

Step by step

Verify prerequisites: operational ISO 27001 ISMS

ISO 27701 does not work as a standalone standard. It requires an ISO 27001-compliant ISMS already implemented or being simultaneously implemented. Verify that base Annex A controls are operational before extending them.

Auditor's tip: If you do not have ISO 27001 yet, you can implement both standards in parallel. But do not attempt to certify ISO 27701 without the 27001 base already audited.

Define the organization's role: PII controller or processor

ISO 27701 differentiates between PII controller (who determines processing purposes) and processor (who processes data on behalf of the controller). This role determines which Annex A and B controls apply to your organization.

Conduct a personal data processing inventory

Map all personal data flows: what data is collected, on what legal basis, where it is stored, who accesses it, to whom it is transferred, and how long it is retained. This record is the basis for the Privacy Impact Assessment (PIA).

Auditor's tip: Use a tabular format with columns: data category, legal basis, system, owner, international transfer (yes/no), retention. Auditors expect this level of granularity.

Implement privacy-specific controls

Beyond ISO 27001 controls, implement the extended controls from ISO 27701 Annexes A and B: consent, right of access, portability, anonymization, breach notification, and privacy by design in new systems.

Map controls to applicable regulations

ISO 27701 includes a GDPR mapping in its Annex D. Create an equivalent mapping to your jurisdiction's regulations (Law 25.326 in Argentina, LGPD in Brazil) to demonstrate how each control satisfies local legal requirements.

Auditor's tip: This regulatory mapping is a differentiator in audits: it demonstrates the system is not generic but adapted to the organization's legal reality.

Key points

ISO 27701 is not standalone: it requires ISO 27001 as a base. Plan joint or sequential implementation.
The data processing inventory is the most critical artifact: without it, privacy controls lack context.
Mapping to local regulations transforms generic compliance into a concrete demonstration for regulators.

Frequently asked questions

Not independently. ISO 27701 is an extension of ISO 27001. You can implement both simultaneously, but 27701 certification requires 27001 to be certified or in process.

No. ISO 27701 is a management framework that facilitates compliance but does not replace it. Conformity with the standard does not automatically equal legal compliance; you need the specific regulatory mapping.

Typically 3 to 6 additional months, depending on the complexity of data processing and the maturity of existing privacy processes.

Comparison

ISO 27001 vs ISO 42001: key differences between information security and AI management

View Comparison

Available now

Ready to act on these findings?

Need an assessment in this area?

Request diagnosis→View research→

Loading content…

Key points

ISO 27701 is not standalone: it requires ISO 27001 as a base. Plan joint or sequential implementation.

The data processing inventory is the most critical artifact: without it, privacy controls lack context.

Mapping to local regulations transforms generic compliance into a concrete demonstration for regulators.

Frequently asked questions

Not independently. ISO 27701 is an extension of ISO 27001. You can implement both simultaneously, but 27701 certification requires 27001 to be certified or in process.

Typically 3 to 6 additional months, depending on the complexity of data processing and the maturity of existing privacy processes.

How to implement ISO 27701 in your organization

Step by step

Verify prerequisites: operational ISO 27001 ISMS

Define the organization's role: PII controller or processor

Conduct a personal data processing inventory

Implement privacy-specific controls

Map controls to applicable regulations

Key points

Frequently asked questions

Related content

ISO 27001 vs ISO 42001: key differences between information security and AI management

ISO 9001 vs ISO 27001: quality management vs information security

ISO 27001

ISMS

Shadow AI: artificial intelligence use without formal governance

Personal data breach: exposure assessment and privacy controls

Ready to act on these findings?

How to implement ISO 27701 in your organization

Step by step

Verify prerequisites: operational ISO 27001 ISMS

Define the organization's role: PII controller or processor

Conduct a personal data processing inventory

Implement privacy-specific controls

Map controls to applicable regulations

Key points

Frequently asked questions

Related content

ISO 27001 vs ISO 42001: key differences between information security and AI management

ISO 9001 vs ISO 27001: quality management vs information security

ISO 27001

ISMS

Shadow AI: artificial intelligence use without formal governance

Personal data breach: exposure assessment and privacy controls

Ready to act on these findings?