ISO/IEC 27701 - Privacy information management

ISO/IEC 27701 is the international standard for privacy information management and the protection of personally identifiable information (PII).
As an extension to ISO/IEC 27001, ISO/IEC 27701 builds upon the foundation of information security by introducing additional requirements and controls specific to data privacy. It helps organizations establish, implement, maintain, and continually improve a Privacy Information Management System (PIMS) that supports compliance with privacy laws and best practices in data protection.
ISO/IEC 27701 is not a standalone standard and must be implemented in conjunction with ISO/IEC 27001. Together, they form an integrated framework for managing both information security and data privacy risks.
The standard is relevant to any organization that collects, processes, stores, or controls PII—including public authorities, private companies, and not-for-profit entities. Whether acting as a data controller or processor, organizations can use ISO/IEC 27701 to demonstrate accountability, transparency, and responsible handling of personal data.
By extending the principles of ISO/IEC 27001, ISO/IEC 27701 addresses areas such as lawful processing of personal data, data subject rights, consent management, data protection by design and by default, third-party processing, and privacy risk assessments.
RIGCERT offers accredited certification services for Privacy Information Management Systems (PIMS) in accordance with ISO/IEC 27701. Our certification process is impartial, evidence-based, and carried out by experienced auditors who understand the complexity of data protection requirements across different industries.
Whether your objective is to build customer trust, meet the requirements of regulations like the GDPR, or strengthen internal controls over personal data, certification to ISO/IEC 27701 with RIGCERT can support your commitment to privacy and responsible data governance.
ISO/IEC 27701 is an international standard which sets requirements for a Privacy Information Management System (PIMS).
Such a management system can be implemented by any organization that processes PII (Personally Identifiable Information), regardless of size, sector, or jurisdiction.
A Privacy Information Management System (PIMS) is a structured framework for managing PII responsibly and in line with privacy laws and standards.
ISO/IEC 27701 is an extension for privacy to ISO/IEC 27001 and ISO/IEC 27002. Therefore, it cannot be used alone and must be implemented in conjunction with ISO/IEC 27001.
ISO/IEC 27701 introduces additional requirements and supplements the controls in ISO/IEC 27001. Additionally, the standard introduces privacy controls for both PII controllers and PII processors. These controls cover aspects such as the obligations of the organization towards PII principals, obtaining and managing consent for data processing, privacy by design and by default, PII sharing and disclosure, and privacy impact assessments.
The requirements in the standard align with the provisions of data protection legislation such as the GDPR, and certification to ISO/IEC 27701 can serve as credible evidence of compliance with legal provisions and best practices.
Because ISO/IEC 27701 and the Privacy Information Management System (PIMS) cannot be implemented in isolation and must be built upon an existing Information Security Management System (ISMS) in accordance with ISO/IEC 27001, certification to ISO/IEC 27701 is always linked to an organization’s ISO/IEC 27001 certification.
Organizations that already hold ISO/IEC 27001 certification can choose to extend it with ISO/IEC 27701. This extension can be assessed during a scheduled surveillance or recertification audit, or it can be conducted through a dedicated extension audit.
Alternatively, organizations may opt to implement both standards — ISO/IEC 27001 and ISO/IEC 27701 — simultaneously and undergo a combined certification process.
The continued validity of the ISO/IEC 27701 certification is confirmed through regular surveillance audits and is directly dependent on the maintenance of the ISO/IEC 27001 certification.
RIGCERT provides accredited certification services for Privacy Information Management Systems (PIMS) in accordance with ISO/IEC 27701, under the accreditation of ESYD, the Greek National Accreditation Body. We are also accredited for ISO/IEC 27001 (ISMS) certification.
Since ESYD is a member of both the European co-operation for Accreditation (EA) and the International Accreditation Forum (IAF), the certification you obtain from RIGCERT is internationally recognized and accepted by relevant stakeholders such as business partners, clients, and regulatory authorities.
Our auditors have in-depth expertise in both privacy and information security requirements and can support your organization in achieving and maintaining legal compliance, while implementing recognized best practices for data protection.
Whether your organization acts as a processor or controller of personally identifiable information (PII), a credible and accredited certification to ISO/IEC 27701 from RIGCERT demonstrates your commitment to privacy, accountability, and responsible data management.