
ISO 27701

With ISO 27701, you can add relevant data protection-specific requirements to your existing information security management system (ISMS) in accordance with ISO 27001. The international standard ISO 27701 can also serve as a systematic basis for successfully integrating the requirements of the GDPR into data protection management.

What is ISO 27701?

ISO 27701 is an extension of ISO 27001. It contains requirements and guidelines for the protection of privacy and the handling of personal data.

In this way, ISO 27701, building on ISO 27001, forms a framework for a privacy information management system (PIMS) that covers both information security and the protection of personal data arising from its processing.

ISO 27701 is not a direct GDPR certification, but can be used as a basis for integrating the GDPR requirements into the management system.

Data protection information management

With ISO 27701, you can add important data protection requirements to your existing information security management system (ISMS).

Personal data optimally protected

As part of ISO 27701 certification, you take effective measures to protect privacy and handle personal data.

Good integration into an existing ISMS

As ISO 27701 follows the so-called High-Level Structure (HLS), it can be easily integrated into an existing (certified) ISMS in accordance with ISO 27001.

Special features of ISO 27701

  • Describes a data protection management system that can be certified
  • Extension of the ISO/IEC 27001 & ISO/IEC 27002 to include data protection aspects
  • Conformity with ISO 27701 always requires fulfilment of the requirements of ISO 27001
  • Does not constitute certification within the meaning of Art. 42 GDPR

Your benefits of ISO 27701 certification

  • Independent proof of data protection
    With ISO 27701 certification, you can objectively prove that you fulfil specific data protection requirements.
  • Increased trust among customers
    ISO 27701 certification demonstrates that data protection is a top priority for you.
  • Compliance with legal requirements
    You demonstrate that you have taken appropriate technical and organisational data protection measures.
  • Protection against financial & reputational damage
    By identifying risks at an early stage, you prevent data protection mishaps, and therefore also the damage they cause.
  • Successful risk minimisation
    By systematically identifying potential data protection gaps, you reduce data protection risks.
  • Improved internal processes
    As part of ISO 27701 certification, clear roles and responsibilities are defined within the company.
  • Sensitisation of employees
    Certification goes hand in hand with raising your employees' awareness of data protection.
  • Internationally recognised
    With ISO 27701 certification, you meet internationally recognised data protection requirements.

Certification standards in comparison

ISO 27701 vs. Article 42 GDPR vs. ISO 27001

ISO 27701

  • Describes a data protection management system that can be certified
  • Extension of ISO/IEC 27001 & ISO/IEC 27002 to include data protection aspects
  • Conformity with ISO 27701 always requires fulfilment of the requirements of ISO 27001
  • Does not constitute certification within the meaning of Art. 42 GDPR

Art. 42 GDPR

  • Para. 1: "[...] data protection-specific certification procedures [...] which serve to demonstrate that this Regulation is complied with in processing operations by controllers or processors."
  • Consequently, no certification for:
    - Products
    - Companies
    - Persons
    - Management systems
  • Statements on data protection compliance

ISO 27001

  • Forms the necessary prerequisite for certification in accordance with ISO 27701
  • Standard focuses on information security
  • Broader scope with more comprehensive requirements than ISO 27701

Advice: TÜV NORD IT Secure Communication, Berlin. Certification audits: TÜV Informationstechnik, Essen.

Frequently Asked Questions (FAQ)

What you need to know about ISO 27701

In principle, ISO 27701 is aimed at any organisation that processes personal data, regardless of its size and type.

However, the international standard is particularly relevant for organisations that

  • want to minimise the risk of data breaches and their consequences (for example, high fines and reputational damage),
  • pursue a risk-based approach to the processing of personal data or
  • operate an ISMS and wish to develop it further in their role as a controller and/or processor.

Certification in accordance with ISO 27701 does not constitute direct certification in accordance with Art. 42 GDPR. However, it can be regarded as a systematic framework for successfully integrating the requirements of the GDPR into the existing management system.

The ISO 27701 certificate is valid for a maximum of 3 years.

A surveillance audit must be carried out in the first and second year after successful certification. After 3 years, a recertification audit is carried out to check whether the requirements for renewing the certificate are still met.

As every company has different requirements and the demands placed on a management system vary, the question of the cost of ISO 27701 certification cannot be answered in general terms.

In principle, the number of days required for the two certification audits is decisive. While smaller and medium-sized companies generally require fewer days, larger companies and groups should plan more time and budget accordingly.

We would be happy to provide you with a customised quote.

As ISO 27701 is an extension of ISO 27001 to include data protection, it can only be certified together with ISO 27001.

The necessary prerequisite for ISO 27701 certification is therefore an existing ISMS that fulfils the requirements of ISO 27001 or is already certified in accordance with it.

Do you already have an ISO 27001 certificate?
In this case, your data protection management system will be audited separately in accordance with ISO 27701. The resulting certificate then corresponds to the term of your ISO 27001 certificate.

Your ISO 27001 certificate is expiring?
In this case, it makes sense to synchronise the audits for ISO 27001 and ISO 27701.

Are you aiming for joint certification to ISO 27001 & ISO 27701?
If you start with ISO 27001 and ISO 27701 at the same time, the audits for the two standards will be synchronised.