ISO/IEC 27701 Audit for Privacy Information Management
CertPro audits Privacy Information Management Systems against ISO/IEC 27701:2019 requirements, conducted as an extension to ISO 27001. The assessment evaluates documented privacy controls and supporting evidence across PII processing, governance, access control, transparency, incident handling, and third-party obligations. Any certification decision is made by an independent accredited certification body upon completion of the audit process.
The International Standard for Privacy Information Management
ISO/IEC 27701:2019 is an internationally recognized privacy extension to ISO/IEC 27001 and ISO/IEC 27002, published jointly by ISO and IEC in August 2019; the 2019 edition is written against the 2013 editions of those two standards. It specifies requirements for establishing, implementing, maintaining, and continually improving a Privacy Information Management System (PIMS). ISO 27701 certification is independent third-party confirmation that an organization's PIMS meets the requirements of ISO/IEC 27701:2019, assessed through a structured audit and issued by a certification body that is accredited by an IAF-member accreditation body (IAF itself does not accredit certification bodies).
ISO/IEC 27701:2019 extends the ISMS framework of ISO 27001 to address privacy management, covering the processing of personally identifiable information (PII) by both PII controllers and PII processors. It also provides guidance to support organizations in putting these requirements into practice. The standard is designed for PII controllers and processors who hold responsibility and accountability for PII processing.
ISO/IEC 27701 is relevant for organizations that collect, process, store, or control PII. Because the 2019 edition is written as an extension of ISO/IEC 27001, it cannot be certified on its own: a PIMS is always audited together with, or as an extension of, an ISO 27001 ISMS.
Clauses 5–6: PIMS Requirements
Clause 5 adds PIMS-specific requirements to each ISO/IEC 27001 clause (context, leadership, planning, support, operation, performance evaluation, and improvement), and Clause 6 extends the ISO/IEC 27002 control guidance for PII processing. Together they establish accountability, governance, and privacy controls for the PIMS.
Clause 7: Controller Privacy Guidance
Provides guidance for privacy controls applicable to PII controllers, including transparency, rights handling, disclosure, and transfer governance.
Clause 8: Processor Privacy Guidance
Provides guidance for organizations acting as PII processors, including processor obligations, third-party management, contractual controls, and processing records.
Privacy Control Framework
Privacy controls are evaluated against Annex A (PII controllers) and Annex B (PII processors) of ISO/IEC 27701, with applicability determined by the role confirmed at scoping and recorded in the Statement of Applicability.
Regulatory Mapping
ISO/IEC 27701 supports evidence-based privacy governance that can be aligned with applicable privacy regulations. Annex D of the standard maps its controls to GDPR articles, and that mapping is used in the audit where GDPR is in scope.
How ISO 27701 Certification Works: Two Paths, One Audit Standard
ISO 27701 certification cannot be obtained as a standalone certificate. It must be pursued either as an extension to an existing ISO 27001 certification or concurrently with ISO 27001 in a combined audit engagement.
ISO 27701 Extension
Organizations that already hold ISO 27001 certification can extend their existing ISMS scope to include PIMS requirements under ISO/IEC 27701:2019. CertPro conducts an additional audit engagement covering privacy-specific clauses, Annex A and B controls, and applicable GDPR mappings. The extended ISO 27701 certificate is issued by the accredited certification body and aligned with the existing ISO 27001 certificate validity period.
ISO 27001 + 27701 Combined Certification
Organizations pursuing ISO 27001 for the first time can undertake a combined audit engagement covering both ISMS and PIMS requirements simultaneously. CertPro conducts coordinated Stage 1 and Stage 2 audits across both standards. This path is relevant for organizations that want to establish information security and privacy management in a single structured process.
In both paths, CertPro's role is to conduct the audit. The accredited certification body, independent of CertPro, makes the certification decision and issues the certificate. ISO 27701 certified organizations receive a certificate valid for three years, subject to annual surveillance audits confirming continued PIMS conformity.
Four Phases. Structured Process. ISO 19011-Aligned.
Every CertPro ISO 27701 certification audit follows a structured four-phase process governed by ISO/IEC 27701:2019 requirements and ISO 19011 audit guidelines.
Kick-off and Audit Scoping
A 30-minute kick-off call confirms the PIMS audit scope, ISMS and PIMS boundaries, applicable ISO/IEC 27701:2019 clauses, and engagement timeline. The organization's role as a PII controller, PII processor, or both is confirmed in writing. A single client-side point of contact is identified to ensure streamlined communication throughout the engagement.
Evidence Access and Stage 1 Audit
The client provides access to the evidence repository, including PIMS documentation, privacy risk assessment records, the Statement of Applicability covering both ISO 27001 and ISO/IEC 27701:2019 controls, and privacy control evidence. CertPro conducts the Stage 1 audit and delivers a structured gap list specifying documentation gaps requiring clarification before Stage 2.
Gap Clarification and Stage 2 Audit
A Zoom session reviews identified gaps collaboratively. Additional evidence is submitted or controls are demonstrated live. CertPro conducts the Stage 2 audit, assessing the implementation and effectiveness of all in-scope PIMS controls through inquiry, observation, inspection, and re-performance. Nonconformities are documented with severity classification, root cause, and management response.
Report Issuance and Certification
The Stage 2 audit report is compiled, independently reviewed by CertPro's QA team, and shared with the client for factual accuracy review. The final audit report is issued after completion of internal quality review procedures. The accredited certification body makes the certification decision and issues the certificate after satisfactory closure of applicable nonconformities.
Is Your PIMS Audit-Ready for ISO 27701 Certification?
The areas below are commonly identified during ISO/IEC 27701 audit engagements. Each aligns with PIMS requirements and privacy control evaluation. Documentation and evidence are reviewed as part of the Stage 1 and Stage 2 audit process.
PIMS Scope Definition and PII Processing Inventory
A defined PIMS scope and a complete PII processing inventory are core requirements. The inventory should cover PII categories, purposes, retention periods, and third parties. Incomplete records are commonly identified during Stage 1 review.
Extended Statement of Applicability
The SoA must include the ISO 27001 controls plus the ISO 27701 Annex A (controller) and/or Annex B (processor) controls that match the organization's confirmed role. Applicable controls, exclusions, and implementation status must be documented and traceable to the privacy risk assessment. This is a key Stage 1 review document.
Privacy Risk Assessment Documentation
A documented privacy risk assessment should identify risks across PII processing activities, follow a consistent method, and support risk treatment decisions. Outdated or missing assessments are frequently identified during audit review.
PII Controller and Processor Controls
Controls covering data subject rights, transparency, third parties, and data transfers should be documented and implemented. Stage 2 assesses whether these controls operate in practice, not just in policy.
Internal Audit and Management Review Records
Internal audits and management reviews should include the PIMS. Records should show ongoing monitoring, corrective actions, and leadership accountability for privacy performance.
Independent ISO 27701 Audit. Rigorous Methodology. Accreditation-Aligned Process.
Six principles govern how CertPro conducts every ISO 27701 certification audit engagement, from scoping through final report issuance. These commitments are structural, documented in every audit file, and governed by the requirements of ISO 19011 and ISO/IEC 27701:2019 at every stage.
Audit Independence and Impartiality
CertPro does not provide PIMS implementation, remediation, or advisory services to audit clients. A pre-engagement impartiality check is documented for every engagement. Audit conclusions are based only on objective evidence reviewed during the current audit, in line with the principles of auditing in ISO 19011.
Conducted Under Standard Guidelines
All ISO 27701 audits follow ISO/IEC 27701:2019 and ISO 19011 guidelines. Stage 1 and Stage 2 audits use a structured, evidence-based approach aligned with accreditation expectations. Certification is issued by the accredited body after successful completion.
Evidence-Based Privacy Control Assessment
All conclusions are supported by objective evidence. Annex A and B controls are tested through inquiry, observation, inspection, and re-performance. Auditors verify a risk-based sample using system data, configurations, and documented records.
Credentialed Audit Team
Each engagement is led by a qualified ISO Lead Auditor with expertise in privacy and data protection frameworks. The team includes CISA-certified auditors and specialists across key sectors.
Transparent Communication
Findings are communicated clearly at each stage. Nonconformities include clause reference, severity, evidence, and required action. No findings are deferred to the final report.
Global Audit Capability
CertPro operates across the USA, India, UK, Oman, Lebanon, and Ghana. Audits are delivered remotely in line with ISO 19011 guidance on remote audit methods, with on-site options where required.
ISO 27701 Certification: Questions We Hear Most
What is ISO 27701 certification, and who needs it?
ISO/IEC 27701:2019 defines requirements for a Privacy Information Management System, extending ISO 27001. Certification confirms that a PIMS meets these requirements through an accredited audit. It is relevant for organizations processing PII, including SaaS providers, financial institutions, healthcare firms, and data processors under GDPR and similar regulations.
Can ISO 27701 be certified on its own?
ISO 27701 builds on the ISO 27001 ISMS. It cannot exist independently. Therefore, organizations must either extend an existing ISO 27001 certification or complete a combined audit for both standards.
What does a CertPro ISO 27701 audit cover?
CertPro's ISO/IEC 27701 audit evaluates conformity across PIMS scope, PII processing inventory, privacy risk assessment, controller and processor obligations, third-party controls, and internal audit records. All conclusions are based on objective evidence.
What are the key requirements for ISO 27701 certification?
Key requirements include a defined PIMS scope, a completed privacy risk assessment, documented controller and processor controls, incident management, and audit records. Evidence of corrective actions is also considered during the audit.
What happens after certification?
Follow-up requirements, including surveillance and recertification where applicable, are determined by the accredited certification body and the certification scheme in scope.
Does ISO 27701 certification mean GDPR compliance?
ISO/IEC 27701 supports evidence-based privacy governance and can help organizations demonstrate accountability against privacy obligations, including GDPR-related requirements where applicable. It does not replace legal review or regulatory obligations.
Begin Your Compliance Audit with a Licensed CPA Firm.
Schedule a 30-minute scoping call with a credentialed auditor. We will identify the right framework, discuss audit scope and outline a clear path based on your current state.