discovered, explained

ISO 27701

With ISO 27701, you can add relevant data protection-specific requirements to your existing information security management system (ISMS) in accordance with ISO 27001. The international standard ISO 27701 can also serve as a systematic basis for successfully integrating the requirements of the GDPR into data protection management.

What is ISO 27701?

ISO 27701 is an extension of ISO 27001. It contains requirements and guidelines for the protection of privacy and the handling of personal data.

In this way, ISO 27701, building on ISO 27001, forms a framework for a data protection information management system (PIMS) that covers both the security of information and the protection of personal data resulting from processing.

ISO 27701 is not a direct GDPR certification, but can be used as a basis for integrating the GDPR requirements into the management system.

Data protection information management

With ISO 27701, you can add important data protection requirements to your existing information security management system (ISMS).

Personal data optimally protected

As part of ISO 27701 certification, you take effective measures to protect privacy and handle personal data.

Good integration into an existing ISMS

As ISO 27701 follows the so-called High-Level Structure (HLS), it can be easily integrated into an existing (certified) ISMS in accordance with ISO 27001.

Special features of ISO 27701

Describes a data protection management system that can be certified
Extension of the ISO/IEC 27001 & ISO/IEC 27002 to include data protection aspects
Conformity with ISO 27701 always requires fulfilment of the requirements of ISO 27001
Does not constitute certification within the meaning of Art. 42 GDPR

Your benefits of ISO 27701 certification

Independent proof of data protection
With ISO 27701 certification, you can objectively prove that you fulfil specific data protection requirements
Increased trust among customers
ISO 27701 certification demonstrates that data protection is a top priority for you.
Compliance with legal requirements
You demonstrate that you have taken appropriate technical and organisational data protection measures.
Protection against financial & reputational damage
By identifying risks at an early stage, you prevent data protection mishaps - and therefore also damage.
Successful risk minimisation
By systematically identifying potential data protection gaps, you reduce data protection risks.
Improved internal processes
As part of ISO 27701 certification, clear roles and responsibilities are defined within the company.
Sensitisation of employees
Certification goes hand in hand with raising your employees' awareness of data protection.
Internationally recognised
With ISO 27701 certification, you meet internationally recognised data protection requirements.

Certification standards in comparison

ISO 27701 vs. Article 42 GDPR vs. ISO 27001

Eine Frau arbeitet an einem Schreibtisch mit PC.

ISO 27701

ISO 27701 describes a DSMS that can be certified and is an extension of ISO/IEC 27001 & ISO/IEC 27002 to include data protection aspects. Conformity with ISO 27701 always requires fulfilment of the requirements of ISO 27001. ISO 27701 is not a certification within the meaning of Art. 42 GDPR.

Data protection

Zwei Frauen arbeiten an einem Schreibtisch mit einem Laptop vor ihnen.

Art. 42 GDPR

Para. 1: "[...] data protection-specific certification procedures [...] which serve to demonstrate that this Regulation is complied with in processing operations by controllers or processors." Art. 42 GDPR is therefore not a certification for products, companies, persons and management systems.

Learn more

Eine Person hält ein Smarthone mit dem Bild eines geschlossenen Bügelschlosses auf dem Bildschirm.

ISO 27001

ISO 27001 is the necessary prerequisite for certification in accordance with ISO 27701, with the standard focussing on information security. It offers a broader scope with more comprehensive requirements than ISO 27701.

Learn more

We will support you – no matter what

Get started at last!

We advise you

TÜV NORD IT Secure Communication I Berlin

To the consulting services Contact us

Goal achieved?

We check that

TÜV Informationstechnik I Essen

To the test offers Contact us

Frequently Asked Questions (FAQ)

What you need to know about ISO 27701

ISO 27701

Describes a data protection management system that can be certified
Extension of the ISO/IEC 27001 & ISO/IEC 27002 to include data protection aspects
Conformity with ISO 27701 always requires fulfilment of the requirements of ISO 27001
Does not constitute certification within the meaning of Art. 42 GDPR

Art. 42 GDPR

Para. 1: "[...] data protection-specific certification procedures [...] which serve to demonstrate that this Regulation is complied with in processing operations by controllers or processors."
Consequently, no certification for:
- Products
- Companies
- Persons
- Management systems
Statements on data protection compliance

ISO 27001

forms the necessary prerequisite for certification in accordance with ISO 27701
Standard focuses on information security
Broader scope with more comprehensive requirements than ISO 27701

In principle, ISO 27701 is aimed at any organisation that processes personal data, regardless of its size and type.

However, the international standard is particularly relevant for organisations that

want to minimise the risk of data breaches and their consequences (for example, high fines and reputational damage),
pursue a risk-based approach to the processing of personal data or
operate an ISMS and wish to develop as a controller and/or processor.

Certification in accordance with ISO 27701 does not constitute direct certification in accordance with Art. 42 GDPR. However, it can be regarded as a systematic framework for successfully integrating the requirements of the GDPR into the existing management system.

The ISO 27701 certificate is valid for a maximum of 3 years.

A surveillance audit must be carried out in the first and second year after successful certification. After 3 years, a recertification audit is carried out to check whether the requirements for renewing the certificate are still met.

As every company has different requirements and the demands placed on a management system vary, the question of the cost of ISO 27701 certification cannot be answered in general terms.

In principle, the number of days required for the two certification audits is decisive. While smaller and medium-sized companies generally require fewer days, larger companies and groups should plan more time and budget accordingly.

We would be happy to provide you with a customised quote.

As ISO 27701 is an extension of ISO 27001 to include data protection, it can only be certified together with ISO 27001.

The necessary prerequisite for ISO 27701 certification is therefore an existing ISMS that fulfils the requirements of ISO 27001 or is already certified in accordance with it.

Do you already have an ISO 27001 certificate?
In this case, your data protection management system will be audited separately in accordance with ISO 27701. The resulting certificate then corresponds to the term of your ISO 27001 certificate.

Your ISO 27001 certificate is expiring?
In this case, it makes sense to synchronise the audits for ISO 27001 and ISO 27701.

Are you aiming for joint certification to ISO 27001 & ISO 27701?
If you start with ISO 27001 and ISO 27701 at the same time, the audits for the two standards will be synchronised.