What is ISO/IEC 27701?
ISO/IEC 27701:2019 is the international standard that specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS). It is an extension to ISO/IEC 27001 (the Information Security Management System, or ISMS, requirements) and ISO/IEC 27002 (the control guidance), adding privacy-specific requirements and controls to both. Because it is the only widely adopted, certifiable international standard for privacy management, it is often treated as the de facto certification for privacy programmes.
Scope and structure
ISO 27701 addresses organisations acting as controllers and/or processors of personally identifiable information (PII). The standard adds PIMS-specific requirements to the ISO 27001 clauses (for example, PII-related factors in the context of the organisation and in risk assessment) and PIMS-specific guidance to the ISO 27002 controls, and then defines additional controls for each role: Annex A lists the controls for PII controllers and Annex B the controls for PII processors. An organisation that is both controller and processor for different processing activities applies both annexes, scoped to the relevant activities.
Alignment with GDPR and KVKK
ISO 27701 was designed to align with major privacy frameworks, including the EU GDPR, Türkiye's KVKK (Law No. 6698), the CCPA/CPRA and others, and its annexes include a mapping of PIMS controls to GDPR articles. ISO 27701 certification is not a substitute for GDPR compliance, and it is not an approved certification mechanism under Article 42 GDPR; a certificate does not by itself prove compliance to a supervisory authority. It does, however, provide documented, independently audited evidence of accountability, and it can support an organisation in meeting its obligations under Articles 24 (responsibility of the controller), 25 (data protection by design and by default), 28 (processor obligations) and 32 (security of processing).
Certification process
Because ISO 27701 is an extension rather than a stand-alone standard, certification requires an existing ISO 27001 certification or a simultaneous ISO 27001 and 27701 audit, and it is granted by third-party certification bodies accredited for the scheme. Audits assess the PIMS scope (including which PII processing activities and controller/processor roles are covered), the privacy risk assessment, the applicability of the Annex A and/or Annex B controls, the implementation and effectiveness of those controls, and the supporting documentation. Certification runs on a three-year cycle: the initial certification audit is followed by surveillance audits (typically annual) and a full re-certification audit before the certificate expires.
Business value
ISO 27701 is increasingly required in vendor due diligence, RFPs and data processing agreements (DPAs), particularly for cloud, SaaS, AI and data-processing vendors serving regulated industries. Certification gives customers independently audited evidence of privacy governance, supports a controller's Article 28 GDPR assessment of whether a processor offers "sufficient guarantees" (without being an approved Article 42 mechanism), and can reduce contractual negotiation, questionnaire and audit burden by letting a vendor point to one recognised certificate instead of answering bespoke assessments for each customer.