What Is ISO 27701 Certification and Who Needs It?

Team CertBetter

Understanding ISO 27701: The Privacy Extension You Cannot Ignore

ISO 27701 certification is becoming one of the most talked-about topics in the information security and privacy space, and for good reason. As privacy regulations tighten across Australia, Europe, and beyond, businesses that handle personal information are under increasing pressure to prove they have structured, auditable controls in place. ISO 27701 is the international standard that gives you a framework for doing exactly that.

At its core, ISO 27701 is an extension to ISO 27001, the widely adopted information security management system standard. Where ISO 27001 focuses on protecting information assets from a security perspective, ISO 27701 adds a dedicated layer for privacy. Together, they form a Privacy Information Management System, commonly referred to as a PIMS.

This article walks you through what ISO 27701 actually requires, who genuinely needs it, how it connects to privacy laws like the Australian Privacy Act, and what the certification process looks like in practice.

What ISO 27701 Actually Is

ISO/IEC 27701 was published in 2019, jointly by the International Organisation for Standardisation and the International Electrotechnical Commission. It extends the management system requirements of ISO 27001 and the control guidance of ISO 27002 with privacy-specific requirements and controls. The standard was designed to help organisations demonstrate compliance with privacy laws and build trust with customers, regulators, and business partners who want assurance that personal data is being handled responsibly.

The standard uses the term personally identifiable information (PII) for what Australian law calls personal information, and it is structured around two roles:

  • PII controllers: Organisations that determine the purposes and means of processing PII. A business that collects customer data for its own marketing purposes would be a controller.
  • PII processors: Organisations that process PII on behalf of, and on the instructions of, a controller. A cloud hosting company or payroll outsourcing provider would typically be a processor.

Some organisations act as both, and the standard accommodates that. The controls you need to implement vary depending on which role applies to your business, so this distinction matters from day one of your implementation.

If you want a deeper technical walkthrough of the standard itself, our ISO 27701 practical implementation guide covers the clause structure and control requirements in detail.

How ISO 27701 Relates to ISO 27001

This is the question most businesses ask first, and it is an important one. ISO 27701 cannot stand alone. You must already hold ISO 27001 certification, or be implementing ISO 27001 at the same time, before you can pursue ISO 27701 certification.

Think of it this way. ISO 27001 builds the foundation, the information security management system. ISO 27701 is a structured addition that sits on top of that foundation and adds privacy-specific requirements. The two standards share the same management system structure, the same risk-based approach, and many of the same documentation requirements.

This means that if your organisation is already certified to ISO 27001, adding ISO 27701 is significantly less work than starting from scratch. Your existing policies, risk assessments, internal audit programme, and management review processes all carry over. You are essentially extending what you already have rather than building something new.

If you are not yet certified to ISO 27001, you would typically pursue both certifications together in a single implementation project. This is usually more efficient than doing them separately, and many certification bodies will audit both at the same time.

For context on what ISO 27001 certification involves on its own, including timelines and costs specific to Australia, see our guide on ISO 27001 certification costs in Australia.

What the Standard Actually Requires

ISO 27701 adds specific requirements across several areas of your management system. Here is what you need to address:

Privacy Policy and Objectives

Your existing information security policy needs to be extended to include privacy commitments. You also need to set measurable privacy objectives that are monitored and reviewed. This is not just about having a public-facing privacy policy on your website. It is about an internal policy that drives how your organisation makes decisions about personal data.

Roles and Responsibilities

You need to define who is responsible for privacy within your organisation. In many businesses this is a Privacy Officer or Data Protection Officer. The standard does not mandate a specific job title, but it does require that someone has clear accountability for the PIMS and that this is documented.

Privacy Risk Assessment

ISO 27701 extends the risk assessment process from ISO 27001 to include privacy-specific risks. This means identifying risks associated with the processing of personal information, assessing the likelihood and impact of those risks, and implementing controls to treat them. One important difference from a pure security risk assessment is that the standard requires you to consider the impact on the individuals whose data you process (the PII principals), not only the impact on your organisation. A data breach that exposes customer financial information is a different type of risk to a server outage, and the standard requires you to assess and treat them differently.

Annex Controls for Controllers and Processors

The standard includes two annexes of additional controls: Annex A for PII controllers and Annex B for PII processors. These controls cover things like identifying and documenting the legal basis for processing (including obtaining and recording consent where consent is that basis), providing individuals with access to their data, managing data subject requests, contractual requirements with third parties, privacy by design and by default, and data minimisation practices. Which annex applies to you depends on your role, as discussed earlier; an organisation acting in both roles implements both.

Documented Information

You will need records of processing activities, privacy impact assessments for high-risk processing, data subject request logs, and evidence that your controls are operating effectively. Auditors will look for this documented evidence during your certification audit, so building good record-keeping habits early saves significant stress later.

Who Actually Needs ISO 27701 Certification

The honest answer is that not every business needs formal ISO 27701 certification. But there are specific situations where it becomes genuinely important, and in some cases, commercially necessary.

Businesses That Process Large Volumes of Personal Data

If your business collects, stores, or processes significant amounts of personal information as part of its core operations, ISO 27701 gives you a structured way to manage the associated risks and demonstrate accountability. Health services, financial services, telecommunications companies, and large e-commerce platforms all fall into this category.

Cloud Service Providers and SaaS Businesses

If you provide cloud-based services and your customers store personal data on your platform, your customers will increasingly ask for evidence that you have privacy controls in place. ISO 27701 certification gives you a credible, internationally recognised answer to that question. It is particularly relevant if you are trying to sell into enterprise clients or regulated industries. Our article on what ISO certification cloud service providers need explores this in more detail.

Businesses Subject to GDPR or Handling EU Personal Data

The ISO 27701 standard was specifically designed with GDPR alignment in mind, and Annex D of the standard itself maps its controls to the corresponding GDPR articles. If your business handles personal data from EU residents, ISO 27701 certification does not automatically mean you are GDPR compliant, but it provides strong evidence that your privacy practices are structured and auditable, which matters during regulatory investigations.

Government Contractors and Public Sector Suppliers

Many government procurement processes in Australia and internationally are beginning to reference privacy management standards as part of supplier requirements. If you supply services to government agencies that involve processing citizen data, ISO 27701 may become a practical requirement rather than just a nice-to-have.

Organisations Responding to Privacy Incidents

If your business has experienced a data breach or a regulatory investigation, pursuing ISO 27701 certification can be part of your remediation response. It demonstrates to regulators and affected individuals that you have taken structured action to address privacy risks, not just patched the immediate problem.

Businesses Building Trust as a Competitive Advantage

In some markets, being able to point to ISO 27701 certification is a genuine differentiator. Clients in financial services, healthcare, and legal sectors are increasingly conducting privacy due diligence on their suppliers. A certificate gives your sales team something concrete to put in front of procurement teams.

ISO 27701 and the Australian Privacy Act

Australia's Privacy Act 1988, including the Australian Privacy Principles, sets out obligations for how organisations must handle personal information. ISO 27701 does not replace compliance with the Privacy Act, but the two work well together.

The standard's controls map reasonably well to the Australian Privacy Principles. For example, the requirement to have a clear privacy policy, to only collect information that is necessary for your stated purpose, to allow individuals to access and correct their information, and to take reasonable steps to protect personal information from misuse all have corresponding controls within ISO 27701.

For businesses that are also subject to the Notifiable Data Breaches scheme under the Privacy Act, having an ISO 27701 certified PIMS gives you a much stronger foundation for detecting, assessing, and notifying breaches within the required timeframes. If you are wondering how ISO 27001 specifically helps with notifiable data breach obligations, we have a dedicated article on ISO 27001 and Australian notifiable data breach obligations that is worth reading alongside this one.

The Certification Process: What to Expect

The ISO 27701 certification process follows the same two-stage audit structure as ISO 27001. Here is a practical overview of what the journey looks like.

Stage 1: Documentation Review

The certification body will review your PIMS documentation to assess whether your system is designed appropriately. They will look at your privacy policy, risk assessment methodology, roles and responsibilities, and documented procedures. This stage typically happens on-site or remotely and usually takes one to two audit days depending on your organisation's size.

Stage 2: Implementation Audit

This is where the auditor verifies that your system is not just documented but actually operating. They will interview staff, review records, and test whether your controls are working as intended. Common focus areas include how you handle data subject access requests, how you manage third-party processors, and how you identify and respond to privacy risks.

Surveillance and Recertification Audits

Once certified, you will have annual surveillance audits to confirm the system is being maintained, and a full recertification audit every three years. This ongoing cycle is important to understand because ISO 27701 certification is not a one-time achievement. It requires sustained effort to maintain.

Combined Audits With ISO 27001

If you are pursuing both ISO 27001 and ISO 27701, most certification bodies will conduct a combined audit, which is more efficient and typically less expensive than two separate audits. This is the approach most businesses take, and it is worth discussing with your certification body from the outset.

How Much Does ISO 27701 Certification Cost?

Cost varies depending on the size of your organisation, the volume of personal data you process, and whether you are pursuing ISO 27701 alongside ISO 27001 or as an extension to an existing certification. For a detailed breakdown of what you can expect to pay in Australia, see our dedicated article on ISO 27701 certification costs.

As a general guide, the consultant fees, gap assessment, implementation support, and audit fees for a small to medium business pursuing ISO 27001 and ISO 27701 together typically range from $20,000 to $60,000 AUD depending on the complexity of your data processing activities and how much work is required to build the system from scratch. Organisations extending an existing ISO 27001 certification to include ISO 27701 will generally pay less, since the management system infrastructure already exists.

Common Mistakes Businesses Make With ISO 27701

From working with businesses through privacy management system implementations, we see a few patterns come up repeatedly when things go wrong.

Treating it as a documentation exercise. Some businesses focus entirely on writing policies and procedures without actually changing how they process personal data. Auditors are experienced at spotting systems that look good on paper but do not reflect operational reality. Your staff need to understand and follow the procedures, not just have them filed somewhere.

Underestimating the scope of processing activities. Before you can implement effective controls, you need a clear picture of every type of personal information your organisation processes, where it comes from, where it goes, and what happens to it. Many businesses are surprised by how many data flows they have not formally mapped. This mapping exercise takes time but is essential.

Ignoring third-party processors. If you use cloud software, outsourced HR, or any service provider that handles personal data on your behalf, those relationships need to be managed under your PIMS. This means reviewing contracts, assessing the privacy practices of your suppliers, and documenting how you oversee them. Many businesses overlook this until an auditor raises it as a nonconformance.

Not involving the right people. Privacy is not just an IT or legal problem. It touches marketing, HR, sales, customer service, and operations. Successful ISO 27701 implementations involve people from across the business, not just the IT team working in isolation.

Is ISO 27701 Certification Right for Your Business?

If your organisation processes personal information as a core part of what you do, if you have clients or regulators asking questions about your privacy practices, or if you are building a cloud-based product that handles sensitive data, then ISO 27701 certification is worth serious consideration.

It is not the right fit for every small business, and it is not a magic solution to privacy compliance. But for organisations that genuinely need to demonstrate structured privacy management, it is one of the most credible ways to do that.

The best starting point is an honest gap assessment. Understand where your current privacy practices sit relative to what the standard requires, and then make a realistic plan to close the gaps before committing to a certification timeline.

If you are not sure where to start, CertBetter connects businesses with verified ISO consultants and accredited certification bodies who specialise in ISO 27001 and ISO 27701. Submit one form and receive up to three competing quotes from vetted providers, completely free. It is a straightforward way to get an honest picture of what certification would involve for your specific situation.


Frequently Asked Questions

Can ISO 27701 be certified on its own, without ISO 27001?

No. ISO 27701 is an extension standard and cannot be implemented or certified independently. You must either already hold ISO 27001 certification or implement both standards together as a combined project. Most organisations pursuing ISO 27701 for the first time do so as a combined ISO 27001 and ISO 27701 implementation, which is more efficient and allows for a joint certification audit.

Does ISO 27701 certification mean my business is GDPR compliant?

Not automatically. ISO 27701 was designed with GDPR alignment in mind, and the standard maps well to many GDPR requirements. However, GDPR compliance is a legal obligation assessed by data protection authorities, not a certification body. ISO 27701 certification provides strong evidence of structured privacy management and can support your GDPR compliance position, but it does not substitute for legal advice or replace the need to address GDPR-specific obligations directly.

How long does ISO 27701 certification take?

For an organisation starting from scratch with both ISO 27001 and ISO 27701, the implementation typically takes between six and eighteen months depending on the size of the organisation, the complexity of data processing activities, and the resources dedicated to the project. For an organisation extending an existing ISO 27001 certification to include ISO 27701, the timeline is usually shorter, often three to six months, since the management system foundation is already in place.

Who is responsible for ISO 27701 within an organisation?

Top management must demonstrate commitment to the PIMS, but day-to-day responsibility typically sits with a Privacy Officer, Data Protection Officer, or Information Security Manager depending on the organisation's structure. The standard requires that roles and responsibilities are clearly defined and documented. In smaller organisations, one person may hold multiple roles, but the accountability for privacy decisions must be clearly assigned and understood across the business.

Does a small business need ISO 27701 certification?

It depends on what your small business does. A small business that processes limited personal information for its own internal purposes may not need formal ISO 27701 certification. However, a small SaaS company, a healthcare provider, a financial services firm, or any business that processes significant volumes of personal data on behalf of clients could benefit considerably. The question to ask is whether your clients, regulators, or business partners are asking for evidence of structured privacy management. If the answer is yes, ISO 27701 is worth exploring.

How does ISO 27701 relate to the Australian Privacy Act?

ISO 27701 and the Australian Privacy Act 1988 are complementary but separate. The Privacy Act sets out legal obligations for Australian organisations, including the Australian Privacy Principles. ISO 27701 provides a management system framework with controls that align well with those obligations, including requirements around data minimisation, individual access rights, breach notification, and third-party management. Implementing ISO 27701 does not replace the need to comply with the Privacy Act, but it gives you a structured system that supports and evidences your compliance efforts.

Dilawar Laghari

Hi! I am Dilawar Laghari, founder of CertBetter.

I created CertBetter to help anyone compare ISO certification providers for free.