ISO/IEC 27701 Information Management System for Privacy

The ISO/IEC 27000 family of standards focuses on information security and helps organizations build an Information Security Management System (ISMS). Companies can be certified against ISO/IEC 27001, the information security management standard.

ISO/IEC 27701 is an extension of ISO/IEC 27001. Organizations that are certified for ISO 27001 may extend the scope of their certification to include ISO 27701 (security techniques).

ISO 27701 defines the appropriate technical and organizational measures an organization should apply, as required by Art. 5 of the GDPR.

A management system is a set of interrelated or interacting elements of an organization used to establish policies, objectives and the processes to achieve those objectives. It may include a quality management system, an information security management system and, from now on, a privacy information management system (PIMS).

“PIMS: Information Security Management System which addresses the protection of privacy as potentially affected by the processing of Personally Identifiable Information (PII)”.

A PIMS makes it easier for organizations to control and manage people’s personal data and their online identity by letting those people allow, deny or withdraw consent for third parties.

As is the case with the ISO/IEC 27001 standard, the ISO/IEC 27701 extension can bring several advantages to your company:

  1. Improve the privacy of your organization;
  2. Protect you from data breaches;
  3. Increase your international recognition;
  4. Improve customer satisfaction;
  5. Gain competitive advantage in the market.


What will ISO27701 certification add to organizations that are already GDPR compliant?

The ISO approach brings a certifiable implementation of the GDPR. You could already implement the GDPR using ISO 27001, but ISO 27701 makes the link between ISO 27001 and the GDPR explicit: Annex D of the ISO 27701 standard maps the controls in ISO 27701 to GDPR articles.

ISO 27701 (security techniques) extends ISO 27001 information security to cover PII (also known as personal data), not only company data. ISO 27701 has additional requirements you need to fulfil for certification.


ISO 27701 uses the privacy terminology of the ISO/IEC 27000 family, which maps onto GDPR terminology as follows:

ISO 27701                    GDPR
PII                          Personal data
PII controller               Data controller
PII processor                Data processor
PII principal                Data subject
Privacy by design            Data protection by design
Privacy by default           Data protection by default



What is the difference between PII and Personal Data?

Personally identifiable information is defined by the US Office of Privacy and Open Government as:

 “Information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.”

When that information is linked with health information or other sensitive information, we talk about protected health information (PHI). The GDPR based its definition of personal data on the concept of PII, but its definition is broader than PII.

 Article 4.1 of GDPR states:

 “‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

ISO/IEC 27701, as an extension to the ISO 27001 standard, brings more elements to GDPR compliance.

 How to Get Certified in ISO 27701?

Whether you are looking to implement ISO/IEC 27701 as an extension to your current ISO/IEC 27001 or are just beginning, Ataya Partners Academy can support you with:

  • A deep examination to check your preparedness for certification
  • Classes for ISO/IEC 27001 and ISO/IEC 27701
  • Certification of your management system to ISO/IEC 27001 and ISO/IEC 27701
  • Help for your organization with trainings related to the standards and the GDPR (European Union General Data Protection Regulation).

Get Your ISO 27701 Individual Certification with Ataya & Partners Academy

If you are interested in this new topic, become ISO 27701 Security Techniques certified and boost your career with Ataya & Partners, who offer:

  • Exclusive and productive training environment;
  • Limited number of participants;
  • Senior lecturer sharing years of experience and a wealth of knowledge;
  • Comfortable class;
  • Lunch and drinks included.

To sum up, ISO/IEC 27701 enhances the ISO/IEC 27001 standard with the data privacy and information security requirements of the General Data Protection Regulation (GDPR). The standard explains how to manage privacy efficiently and provides the structure for PII processors and controllers. In the end, you will be able to implement your Privacy Information Management System (PIMS).


Using this standard will prove to your customers and other stakeholders that your organization is supporting GDPR compliance and privacy legislation.

ISO/IEC 27701 is a true extension of the ISO 27001 standard that gives you assurance that your organization will be GDPR compliant.


To learn more about our professional courses, visit the Ataya Partners Academy website here.

Join our community on LinkedIn for all the news here.