ISO/IEC 27701 Assessment for Privacy Information Management Systems
CertPro assesses Privacy Information Management Systems against ISO/IEC 27701:2019 requirements, conducted as an extension to ISO 27001. The assessment evaluates documented privacy controls and supporting evidence across PII processing, governance, access control, transparency, incident handling, and third-party obligations. Certification is issued by an independent certification body upon completion of the audit process.
The International Standard for Privacy Information Management
ISO/IEC 27701:2019 is an internationally recognized privacy extension to ISO/IEC 27001, published by the International Organization for Standardization in August 2019. It specifies requirements for establishing, implementing, maintaining, and continually improving a Privacy Information Management System (PIMS). ISO 27701 certification is independent third-party confirmation that an organization's PIMS meets the requirements of ISO/IEC 27701:2019, assessed through a structured audit and issued by an independent certification body.
ISO/IEC 27701:2019 extends the ISMS framework of ISO 27001 to address privacy management, covering the processing of personally identifiable information (PII) by both PII controllers and PII processors. It also provides guidance to support organizations in putting these requirements into practice. The standard is designed for PII controllers and processors who hold responsibility and accountability for PII processing.
ISO/IEC 27701 is relevant for organizations that collect, process, store, or control PII. Because it is designed as an extension to ISO/IEC 27001, it operates within the ISMS framework for privacy management.
Clauses 5–6: PIMS Requirements (Controllers & Processors)
Establishes requirements and guidance for a Privacy Information Management System covering accountability, governance, and privacy controls for PII processing.
Clause 7: Controller Privacy Guidance
Provides guidance for privacy controls applicable to PII controllers, including transparency, rights handling, disclosure, and transfer governance.
Clause 8: Processor Privacy Guidance
Provides guidance for organizations acting as PII processors, including processor obligations, third-party management, contractual controls, and processing records.
Privacy Control Framework
Privacy controls are evaluated against the requirements and guidance in the applicable ISO/IEC 27701 assessment scope.
Regulatory Mapping
ISO/IEC 27701 supports evidence-based privacy governance that can be aligned with applicable privacy regulations, including GDPR, where relevant.
How ISO 27701 Certification Works: Two Paths, One Audit Standard
ISO 27701 certification cannot be obtained as a standalone certificate. It must be pursued either as an extension to an existing ISO 27001 certification or concurrently with ISO 27001 in a combined audit engagement. CertPro assesses PIMS conformity against ISO/IEC 27701 requirements under both paths. The certification decision is made by the independent certification body upon satisfactory completion of the assessment.
ISO 27701 Extension
Organizations that already hold ISO 27001 certification can extend their existing ISMS scope to include PIMS requirements under ISO/IEC 27701:2019. CertPro conducts an additional engagement covering privacy-specific clauses, Annex A and B controls, and applicable GDPR mappings. The extended ISO 27701 certification is issued by the independent certification body and aligned with the existing ISO 27001 certificate validity period.
ISO 27001 + 27701 Certification
Organizations pursuing ISO/IEC 27001 for the first time can undergo a combined assessment covering both ISMS and PIMS requirements. CertPro conducts an integrated evaluation of documentation, control design, and effective control implementation across both standards. This approach supports organizations building information security and privacy programs in parallel.
Four Phases. Structured Process. ISO 19011-Aligned.
Every CertPro ISO/IEC 27701 assessment engagement follows a structured four-phase process aligned with ISO 19011.
Kick-off and Audit Scoping
A 30-minute kick-off call is conducted to discuss the PIMS audit scope, ISMS and PIMS boundaries, applicable ISO/IEC 27701:2019 clauses, and engagement timeline. The organization's role as a PII controller, PII processor, or both is confirmed in writing. A single client-side point of contact is identified to ensure streamlined communication throughout the engagement.
Documentation Review and Evidence Collection
The client provides access to the evidence repository, including PIMS documentation, privacy risk assessment records, the Statement of Applicability covering both ISO 27001 and ISO/IEC 27701:2019 controls, and privacy control evidence. CertPro performs a detailed review to identify documentation gaps and control coverage across in-scope areas.
Control Evaluation and Validation
A Zoom session reviews identified gaps collaboratively. Additional evidence is submitted or controls are demonstrated live. CertPro evaluates control design and implementation across PIMS domains using audit procedures such as interviews, observation, document and record review. Nonconformities are documented with severity classification and supporting evidence.
Report Issuance and Certification
Assessment findings are compiled into a formal report and undergo internal quality review. The finalized report is shared with the client for factual accuracy confirmation. The certification decision is made by an independent certification body upon closure of applicable nonconformities.
Have you designed the right controls for ISO 27701 Certification?
Gaps in the below areas are commonly identified during ISO/IEC 27701 assessments. Each aligns with PIMS requirements and privacy control evaluation. Documentation and evidence are reviewed as part of the assessment process.
PIMS Scope Definition and PII Processing Inventory
A defined PIMS scope and a complete PII processing inventory are core requirements. The inventory should cover PII categories, purposes, retention periods, and third parties. Incomplete records are commonly identified during documentation review.
Extended Statement of Applicability
The SoA must include Annex A and B controls under ISO 27701, along with ISO 27001 controls. Applicable controls, exclusions, and implementation status must be documented and traceable to the privacy risk assessment. Incomplete or misaligned SoA entries are commonly observed during assessment.
Privacy Risk Assessment Documentation
A documented privacy risk assessment should identify risks across PII processing activities, follow a consistent method, and support risk treatment decisions. Outdated or missing assessments are frequently identified during assessment.
PII Controller and Processor Controls
Controls covering data subject rights, transparency, third parties, and data transfers should be documented and implemented. Assessments evaluate whether these controls are established and applied across operational processes.
Internal Audit and Management Review Records
Internal audits and management reviews should include the PIMS. Records should show ongoing monitoring, corrective actions, and leadership accountability for privacy performance.
Readiness Score
Based on a review across ISO/IEC 27701:2019 clause requirements and Annex A and B control domains. Three areas require remediation before the assessment begins.
Independent ISO 27701 Assessment. Rigorous Methodology.
Six principles govern how CertPro conducts ISO/IEC 27701 assessments, drawn from the audit principles defined in ISO/IEC 27701:2019 and ISO 19011. Each engagement follows a structured approach from scope review through report issuance, with clear separation from certification authority.
Audit Independence and Impartiality
CertPro does not provide PIMS implementation, remediation, or advisory services to audit clients. A pre-engagement impartiality check is documented for every engagement. Conclusions are based solely on objective evidence obtained during the assessment, in accordance with ISO 19011 principles.
Conducted Under Standard Guidelines
Assessments are conducted in line with ISO/IEC 27701:2019 and ISO 19011 guidelines using a structured, evidence-based methodology. Certification decisions are made by an independent certification body upon completion of the process.
Evidence-Based Privacy Control Assessment
All conclusions are supported by objective evidence. Annex A and B controls are tested through interview, observation, document and record review. Auditors verify a risk-based sample using system data, configurations, and documented records.
Credentialed Audit Team
Each engagement is led by a qualified ISO Lead Auditor with expertise in privacy and data protection frameworks. The team includes CISA-certified auditors with domain expertise across multiple industries.
Transparent Communication
Findings are communicated clearly at each stage. Nonconformities include clause reference, severity, evidence, and required action. No findings are deferred to the final report.
Globally Trusted
CertPro's ISO 27701 assessments demonstrate credible privacy information management practices. Adherence to established audit standards drives consistent acceptance of our reports by enterprise customers worldwide.
ISO 27701 Certification: Questions We Hear Most
ISO/IEC 27701:2019 defines requirements for a Privacy Information Management System, extending ISO 27001. Certification confirms that a PIMS meets these requirements through an independent audit. It is relevant for organizations processing PII, including SaaS providers, financial institutions, healthcare firms, and data processors under GDPR and similar regulations.
ISO 27701 builds on the ISO 27001 ISMS. It cannot exist independently. Therefore, organizations must either extend an existing ISO 27001 certification or complete a combined audit for both standards.
CertPro's ISO/IEC 27701 assessment evaluates conformity across PIMS scope, PII processing inventory, privacy risk assessment, controller and processor obligations, third-party controls, and internal audit records. All conclusions are based on objective evidence.
Key requirements include a defined PIMS scope, a completed privacy risk assessment, documented controller and processor controls, incident management, and audit records. Evidence of corrective actions is also considered during the assessment.
Follow-up requirements, including surveillance and recertification where applicable, are determined by the independent certification body and the certification scheme in scope.
ISO/IEC 27701 supports evidence-based privacy governance and can help organizations demonstrate accountability against privacy obligations, including GDPR-related requirements where applicable. It does not replace legal review or regulatory obligations.
Begin Your Compliance Audit with a Licensed CPA Firm.
Schedule a 30-minute scoping call with a credentialed auditor. We will identify the right framework, discuss audit scope and outline a clear path based on your current state.