ISO 27701 Consultancy — Privacy Information Management · Crescent Quality Certifications

Product & Regulatory

ISO 27701 privacy, extended from your ISMS.

A privacy information management system bolted onto your existing ISO 27001 ISMS — designed to demonstrate GDPR, India DPDP, and comparable privacy-regime compliance to regulators and customers.

What it is

The privacy extension to ISO 27001.

ISO/IEC 27701 is an extension of ISO/IEC 27001 and 27002 for privacy information management. It cannot be certified on its own — it requires ISO 27001 as the underlying ISMS. On top of that foundation, 27701 adds privacy-specific controls for both PII controllers and PII processors, and imposes additional requirements on the ISMS itself to address privacy risks alongside information-security risks.

The practical value is regulator-readable. ISO 27701 maps explicitly to GDPR requirements and aligns well to India's DPDP Act, Brazil's LGPD, and similar regimes. A certified privacy information management system does not, on its own, make you GDPR-compliant — but it removes most of the ambiguity about the system side of compliance and lets regulators focus on the edges.

Who needs it

Organisations processing personal data at scale, or for regulated purposes.

Multinationals handling EU personal data under GDPR, Indian organisations moving to DPDP Act compliance, healthcare and health-tech businesses, ad-tech and consumer technology firms, BPO and KPO operators processing PII on behalf of enterprise clients, and SaaS providers whose customers routinely include data-processing addendum requirements in contracts. The common thread is that privacy has become a procurement and regulator question, not a legal side-conversation.

Benefits

What a well-built ISO 27701 system earns you.

01

Regulator alignment.

ISO 27701 maps directly to GDPR Articles 5 through 49, and the mapping is a valuable artefact in regulator engagements in its own right. DPDP, LGPD, and POPIA have similar alignment.

02

DPIA discipline.

The standard embeds data protection impact assessment into the operational cycle rather than treating it as an incident-response activity.

03

Clear controller vs processor posture.

The standard differentiates controller and processor obligations with separate control annexes. Organisations that are both get a clean way to handle each role.

04

Subject-rights handling.

Erasure, access, portability, rectification, and objection workflows become part of the management system — not ad-hoc legal workflows.

05

Supply-chain privacy.

Vendor due diligence, data processing agreements, and sub-processor chain management become routine rather than reactive.

06

Unified evidence.

One audit covers both 27001 and 27701 — and that same evidence set supports SOC 2 privacy criteria work where applicable.

Requirements, in outline

What the standard actually asks of you.

ISO 27701 modifies the ISMS requirements in ISO 27001 to address PII protection alongside information security. It requires the risk assessment to consider privacy risks, the Statement of Applicability to reflect privacy-relevant Annex A controls, and interested-party analysis to include PII principals and regulators. The privacy information management system is, formally, the extended ISMS.

Two additional annexes provide control sets. Annex A applies where the organisation acts as a PII controller: consent and choice, legitimate purpose, data minimisation, retention, records of processing activities, DPIAs, privacy-by-design, breach notification, and more. Annex B applies where the organisation acts as a PII processor: obligations under instructions from the controller, sub-processor management, assistance with subject rights, and records of processing on behalf of controllers. Organisations that are both controller and processor must address both annexes.

Our approach

Five stages, from discovery to certificate.

01

Role mapping & gap analysis

Identify controller vs processor roles across the business, map current practice against the extended ISMS requirements, and against the relevant Annex A and B controls.

02

RoPA & DPIA

Build the records of processing activities, establish a DPIA process, and run DPIAs on high-risk activities as a substantive rather than procedural exercise.

03

Controller & processor controls

Implementation of applicable controls — consent mechanisms, retention schedules, data subject rights workflows, breach-response playbooks, contractor DPAs.

04

Internal audit & management review

Audit the ISMS and the additional privacy requirements as a single scope. Management review includes privacy performance and regulatory developments.

05

Certification audit

Combined 27001 + 27701 audit wherever the certification body supports it. Stage 1 and Stage 2 attendance, findings response, and surveillance support.

Timeline & investment

Honest ranges, not placeholder pricing.

Organisations with a mature ISO 27001 ISMS already in place typically add 27701 certification in six to ten weeks. Organisations pursuing 27001 and 27701 in parallel from scratch reach certification in fourteen to twenty weeks — a shorter combined timeline than running the two sequentially.

Fees depend on the maturity of the existing ISMS, the number of controller and processor roles in scope, and the complexity of international data transfer arrangements. Certification body fees are separate; most accredited bodies offer joint 27001 + 27701 audits at marginal cost to the base ISMS audit.

Frequently asked

Questions we answer on most ISO 27701 calls.

Can ISO 27701 be certified on its own?

No. ISO 27701 is a formal extension to ISO 27001 and cannot be certified independently. The two are audited together, with the privacy scope explicitly noted on the certificate.

Does a 27701 certificate make us GDPR-compliant?

Not automatically. The standard addresses the system side of privacy management; GDPR compliance also depends on lawful basis determinations, data subject communications, territorial scope, and other organisation-specific factors. But a certified 27701 system removes roughly two-thirds of the operational ambiguity.

How does ISO 27701 relate to India's DPDP Act?

DPDP introduces obligations on data fiduciaries and processors that map comfortably to 27701 Annex A and B respectively. We build the mapping explicitly as part of the engagement so the system demonstrably serves DPDP compliance.

Do we need a Data Protection Officer?

The standard requires a named individual or function accountable for privacy, aligned to regulator expectations in the jurisdictions where you operate. Whether that is a formal DPO depends on the regime.

How does ISO 27701 differ from SOC 2?

SOC 2 is a Trust Services Criteria attestation including optional privacy criteria; ISO 27701 is an international standard. Many organisations hold both, with the 27701 management system generating much of the evidence for SOC 2 privacy testing.

Get a readiness assessment for ISO 27701.

Half a day with a senior consultant, a clause-level gap report, and a candid timeline. No commitment beyond the assessment itself.