What is ISO/IEC 27701?
The ISO/IEC 27701 standard extends the management system approach of ISO/IEC 27001 with requirements specific to privacy governance:
- Clarification of roles and responsibilities (PII Controller / PII Processor).
- Definition of privacy management processes (collection, retention, storage, disposal).
- Implementation of organizational and technical measures proportionate to risks.
- Structured management of PII principals' rights (access, rectification, objection, portability).
- Traceability, documentation, and the ability to demonstrate compliance (accountability).
The standard builds upon ISO/IEC 27001 and ISO/IEC 27002, introducing additional controls dedicated to PII protection.
In particular, the standard relies on:
- A privacy policy,
- A privacy risk assessment evaluating the potential consequences for PII principals,
- A clear distinction of roles and responsibilities between the PII controller and PII processor,
- The management of PII principals' rights (access, rectification, erasure),
- Privacy by design and privacy by default principles,
- Data minimization, de-identification, and limited data retention measures,
- A specific PIMS Statement of Applicability (SoA),
- Control of data transfers outside of jurisdiction,
- Dedicated internal audits and management reviews,
- A continual improvement process for privacy protection performance.
What are the benefits of ISO/IEC 27701 certification?
Privacy protection in the context of processing PII (Personally Identifiable Information) and personal data has become a major societal necessity, subject to dedicated legal requirements worldwide.
Obtaining ISO/IEC 27701 certification provides clear strategic advantages:
- Prove your compliance: By complying with the requirements of this standard, an organization can generate formal evidence of how it manages the processing of PII. Utilizing this certification provides independent verification of this evidence.
- Facilitate GDPR compliance: The framework includes a direct mapping to the European Union's General Data Protection Regulation (GDPR).
- Strengthen B2B trust: This evidence of compliance can be used to facilitate agreements with business partners, particularly where both parties are involved in processing PII.
- Better manage risks: The organization implements a rigorous privacy risk assessment process, evaluating potential consequences both for the organization itself and for PII principals.
Who is ISO/IEC 27701 certification for?
Universal applicability for all types of organization
The ISO/IEC 27701 framework is designed to be universal. It applies to organizations of all types and sizes, including private enterprises, public bodies, government entities, and non-profit organizations. This certification is relevant to any entity as long as it processes personally identifiable information (PII) / personal data as part of its operations.
A targeted approach based on your role in data processing
The standard specifically addresses actors holding a responsibility in the data lifecycle: PII controllers (including joint controllers) and PII processors, whether the processor uses subcontracted PII processors itself or acts as a subcontractor on behalf of another provider.
A fundamental aspect of the standard requires the organization to explicitly determine its role (controller or processor) for each processing activity included in its scope. In scenarios where the organization fulfills both roles, it must implement distinct sets of reference controls for each role to ensure appropriate governance and security for each context.
A strategic lever for compliance and trust
Obtaining ISO/IEC 27701 certification meets specific business and regulatory objectives:
- For PII controllers: It enables the generation of formal evidence regarding the lawfulness of processing and data management in relation to GDPR requirements and other international regulations.
- For PII processors and digital service providers: It serves as an independent verification and contractual proof of compliance with client instructions and the expected level of security and confidentiality.
- For international organizations: It provides a unique management tool to harmonize privacy protection practices across all their sites and jurisdictions, thereby facilitating cross-border data transfers.
What should you do before seeking ISO 27701 certification?
Before requesting a certification audit, the organization must have deployed and operated a Privacy Information Management System (PIMS) compliant with ISO/IEC 27701 requirements. As an independent third-party certification body, LSTI verifies not only the system's compliance with standard requirements but also its practical implementation and operational effectiveness regarding the protection of personal data (PII).
Define the PIMS scope
The organization must first formalize its PIMS scope by specifying its organizational and technical boundaries; the scope must include the PII processing activities concerned. This step requires determining whether the organization acts as a PII controller, a PII processor, or both, as the applicable requirements and reference controls depend on it. This scoping relies on a clear understanding of the organization's context, the privacy regulations it is subject to, and the expectations of interested parties, most notably PII principals.
Conduct a privacy risk assessment
As the central pillar of this international standard, the risk assessment process identifies threats to privacy within the defined scope. Unlike a traditional security assessment, the organization must evaluate the potential consequences both for itself and for PII principals should a risk materialize. Once the risks are analyzed, the organization defines a risk treatment plan and selects appropriate protection measures, leveraging the reference control objectives and controls provided in the annexes of the standard (Annex A for PII controllers, Annex B for PII processors).
Prepare PIMS documentation
Compliance relies on controlled documentation, including the Privacy Policy and associated objectives. A central document is the Statement of Applicability (SoA), which must document all necessary controls, justify their inclusion or exclusion, and state whether they are effectively implemented. To be ready for the audit, the company must also provide operational evidence of the system, such as: management of PII principals' rights (access, rectification, erasure), consent management, PII access logging, and the application of Privacy by Design principles.
Validate the system through internal audit and management review
Before LSTI's audit, two final verification steps are mandatory to ensure that the system is effectively implemented and maintained. An internal audit must be conducted at planned intervals to check conformity with both the organization's own requirements and those of the standard. Finally, a management review allows governance to evaluate the performance of the PIMS, analyze non-conformity trends, and validate the necessary continual improvement actions.
Once these elements are in place, LSTI can perform the certification audit to verify the compliance and effectiveness of the privacy information management system.
How does the ISO 27701 certification process work?
The certification process follows a rigorous three-year cycle designed to validate the implementation, effectiveness, and continual improvement of your Information Security Management System (ISMS) and Privacy Information Management System (PIMS). As an independent third party, LSTI ensures an impartial assessment of your compliance with international standards. It is important to emphasize that ISO 27001 and ISO 27701 audits are conducted jointly, allowing for an integrated evaluation of your security and privacy governance.
A 3-step 27701 certification cycle
The certificate is issued for a three-year period and relies on the following steps:
- The Initial Certification Audit: Conducted in two stages (a documentation review followed by operational verification), it validates the compliance of your system with the standard's requirements.
- Annual Surveillance Audits: During the two years following certification, LSTI auditors verify that your security and privacy controls are maintained and that your risk management adapts to new threats and regulatory changes.
- The Recertification Audit: At the end of the third year, a full audit is conducted to initiate a new three-year cycle and ensure the long-term sustainability of your security and privacy management.
Your questions about ISO/IEC 27701
Do you need to be ISO/IEC 27001 certified to obtain ISO/IEC 27701 certification?
Yes, obtaining ISO/IEC 27701 certification requires building upon the foundations of the ISO/IEC 27001 standard. The framework allows an organization to align or integrate its privacy information management system (PIMS) with the requirements of the information security management system specified in ISO/IEC 27001. Furthermore, ISO/IEC 27002 provides a list of possible information security controls that should be consulted to ensure no technical measures have been overlooked. An organization must therefore establish this security foundation beforehand or concurrently in order to integrate the privacy-specific processes.
How does ISO/IEC 27701 help with GDPR compliance?
The ISO/IEC 27701 framework includes a direct mapping to the European Union's General Data Protection Regulation (GDPR). The standard practically assists compliance by requiring the implementation of policies, procedures, or mechanisms that allow PII principals to access, correct, and erase their personal data. It also strictly regulates the process for obtaining and recording consent, addressing transparency and traceability requirements.
How does ISO/IEC 27701 differentiate between the roles of PII controller and PII processor?
Within its scope, the organization must explicitly determine whether it acts as a PII controller or a PII processor. The standard differentiates between these two operational positions by offering distinct reference control objectives and requirements. When the organization acts in both capacities, each role must be identified and subjected to its own set of controls, so that the level of security is tailored to each context.
What is a Privacy Information Management System (PIMS) according to ISO/IEC 27701?
A Privacy Information Management System (PIMS) is defined by ISO/IEC 27701 as a management system that addresses the protection of privacy as potentially affected by the processing of PII. More technically, it is a set of interrelated or interacting elements of an organization used to establish policies and objectives, as well as the processes to achieve those data protection objectives.
What is the role of the Statement of Applicability (SoA) in ISO/IEC 27701?
The Statement of Applicability is a central document in the certification process. Its primary role is to document all necessary controls and the justification for the inclusion or exclusion of each control. Following its risk assessment and treatment, the organization produces a Statement of Applicability that transparently and formally records its strategic and operational choices regarding security and privacy protection.
How does ISO/IEC 27701 address privacy by design and by default?
The concept of privacy by design requires that processes and systems be engineered so that the collection and processing of data are limited to what is necessary for the identified purpose. Privacy by default means that where options exist within data collection and processing, each option is disabled by default and is only activated through an explicit choice by the PII principal.
What are the ISO/IEC 27701 requirements regarding privacy risk assessment?
The organization is required to define and apply a structured and repeatable privacy risk assessment process. These requirements notably dictate a rigorous analysis that assesses the potential consequences, both for the organization and for PII principals, in the event that risks related to information security and privacy materialize. -
How does ISO/IEC 27701 define data minimization and de-identification objectives?
To meet the challenges of data minimization, the organization must define and document data minimization objectives and identify which mechanisms, such as de-identification, are used to achieve these objectives. More specifically, the standard requires the organization to delete data or transform it to the point where the identification or re-identification of PII principals becomes impossible, as soon as the original data is no longer necessary for the identified purpose.
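The following Python routine is an added example, not code from LSTI or from the standard, showing one way a system can implement the retention and de-identification objective described above: records still within their retention period are kept, records past it are replaced by a residue with direct identifiers dropped and quasi-identifiers generalized, and records whose purpose has no retention rule are deleted outright. The retention periods, purpose names, field layout and the sample records are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable

# Assumed retention policy: days each purpose may keep identifiable data.
# Illustrative values, not taken from ISO/IEC 27701.
RETENTION_DAYS = {
    "order_fulfilment": 365,
    "warranty_claims": 2 * 365,
}

# Fields that on their own identify a PII principal.
DIRECT_IDENTIFIERS = ("subject_id", "name", "email")


@dataclass(frozen=True)
class Record:
    subject_id: str
    name: str
    email: str
    birth_date: date
    postcode: str        # assumed "outward inward" format, e.g. "SW1A 1AA"
    purpose: str
    collected_on: date
    order_total: float


def age_band(birth: date, today: date) -> str:
    """Generalize an exact birth date (a quasi-identifier) to a 10-year band."""
    age = today.year - birth.year - ((today.month, today.day) < (birth.month, birth.day))
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def deidentify(rec: Record, today: date) -> dict:
    """Return only non-identifying fields of a record.

    Direct identifiers are dropped rather than hashed: a hash of an e-mail
    address or customer number is reversible by guessing the input, so it
    would still be PII and would not meet the objective.
    """
    return {
        "age_band": age_band(rec.birth_date, today),
        "postcode_area": rec.postcode.split()[0],  # keep only the outward code
        "purpose": rec.purpose,
        "order_total": rec.order_total,
    }


def enforce_retention(records: Iterable[Record], today: date):
    """Split records into (retained, residue).

    - within retention period: kept unchanged
    - past retention period:   replaced by de-identified residue
    - purpose with no rule:    deleted outright (nothing to justify keeping it)
    """
    retained, residue = [], []
    for rec in records:
        limit = RETENTION_DAYS.get(rec.purpose)
        if limit is None:
            continue  # unknown purpose: delete, keep no residue
        if today - rec.collected_on <= timedelta(days=limit):
            retained.append(rec)
        else:
            residue.append(deidentify(rec, today))
    return retained, residue


def contains_direct_identifier(residue: Iterable[dict]) -> bool:
    """Audit check: no de-identified row may carry a direct identifier."""
    return any(key in row for row in residue for key in DIRECT_IDENTIFIERS)


# Constructed sample data (fictitious people and values).
SAMPLE = [
    Record("u-1", "Alice Example", "alice@example.com", date(1985, 4, 2),
           "SW1A 1AA", "order_fulfilment", date(2023, 1, 10), 49.90),
    Record("u-2", "Bob Example", "bob@example.com", date(1990, 7, 15),
           "EC1A 1BB", "order_fulfilment", date(2024, 6, 1), 120.00),
    Record("u-3", "Carol Example", "carol@example.com", date(1978, 12, 30),
           "M1 1AE", "warranty_claims", date(2023, 3, 5), 310.50),
    Record("u-4", "Dan Example", "dan@example.com", date(2000, 1, 1),
           "B1 1AA", "marketing_legacy", date(2020, 1, 1), 0.0),
]

if __name__ == "__main__":
    kept, residue = enforce_retention(SAMPLE, date(2024, 9, 1))
    print("retained:", [r.subject_id for r in kept])
    print("residue:", residue)
    print("leak check passed:", not contains_direct_identifier(residue))
```

Run against the constructed sample with a reference date of 2024-09-01, the routine retains u-2 and u-3, reduces u-1 to an age band and postcode area, and drops u-4 entirely because its purpose has no retention rule. The leak check is the kind of control a PIMS internal audit would look for: evidence that de-identified output can be shown never to contain a direct identifier.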
Why choose LSTI?

Recognized expertise
With over twenty years' experience, LSTI supports more than 300 organizations in France and Europe as a leading certification body and assessment center, operating in the fields of cybersecurity, digital trust and information security.

Specialized auditors
Our teams of auditors are made up of experienced professionals who are fully conversant with ANSSI cybersecurity guidelines, information security management practices and European digital trust frameworks. Their approach guarantees assessments that are demanding, balanced and adapted to the operational contexts of each organization.

Independent third party and dedicated support
LSTI guarantees impartiality, transparency and consistency throughout the entire cycle: preparation, audits, surveillance and renewals. A dedicated contact ensures continuity and clarity throughout the certification process.