ISO 27701 privacy audit for organisations that want to be demonstrably compliant
An ISO 27701 privacy audit assesses your Privacy Information Management System (PIMS): the extension of your ISO 27001 ISMS that makes privacy and GDPR compliance demonstrably manageable. An independent auditor assesses the roles around personal data (controller and processor), the record of processing activities, DPIAs, data processing agreements, retention periods and data subject rights. You receive a clear report with findings and a practical improvement plan, so that privacy does not stay on paper but demonstrably works in practice.
What is ISO 27701?
ISO/IEC 27701 is the international standard for a PIMS. It extends the requirements of ISO 27001 and the controls of ISO 27002 with privacy-specific requirements and controls for organisations acting as controller or processor. It links information security to privacy governance and helps you demonstrably manage GDPR compliance.
For whom is an ISO 27701 audit relevant?
For organisations that process large amounts of personal data — SaaS companies, healthcare, HR, marketing — and that want to demonstrate to customers or the regulator that privacy is under control. Also for those who already have ISO 27001 and see privacy as the logical next step.
Common problems
- A record of processing activities that is not up to date or complete.
- DPIAs that are missing or not followed up.
- Data processing agreements with no check on compliance.
- An unclear division of roles between controller and processor.
Our approach in 5 steps
- Define the scope and privacy roles.
- Document review: register, policy, DPIAs, agreements.
- Interviews and sampling: checking documented policy against day-to-day practice.
- Findings report with privacy risks.
- Improvement plan and follow-up towards compliance.
What you receive
- An independent PIMS assessment.
- A gap overview against ISO 27701 and the GDPR.
- Priorities and a concrete improvement plan.
- Advice on a combined audit with ISO 27001.
Reference: ISO/IEC 27701, official standard page.
Frequently asked questions
Short, direct answers — written for people and for AI search features alike.
What is ISO 27701?
ISO 27701 is the international standard for a Privacy Information Management System (PIMS). It is an extension to ISO 27001 that adds specific requirements and guidelines for managing privacy and the processing of personal data. With ISO 27701 you demonstrate that you manage privacy risks, and you support your GDPR compliance from a structured management system.
What is the difference between ISO 27001 and ISO 27701?
ISO 27001 focuses on information security in the broad sense through an ISMS. ISO 27701 builds on this and adds a privacy layer: the PIMS. Where ISO 27001 asks how you secure information, ISO 27701 asks how you manage personal data and privacy risks. You cannot certify ISO 27701 in isolation; it always requires an underlying ISO 27001 ISMS.
Does ISO 27701 help with GDPR compliance?
Yes. ISO 27701 translates many GDPR obligations into concrete controls: a record of processing activities, data subject rights, DPIAs, data processing agreements and retention periods. It makes compliance demonstrable and repeatable rather than a one-off exercise. It is not an automatic guarantee that you are fully GDPR-compliant, but it provides a strong, verifiable framework that covers most of it.
Can ISO 27701 be certified without ISO 27001?
No. ISO 27701 is an extension to ISO 27001 and cannot be certified without an underlying ISO 27001 ISMS. In practice, organisations implement both standards together, often in one integrated management system and a single combined audit, because information security and privacy overlap strongly.
What does the auditor assess in an ISO 27701 audit?
The auditor assesses whether privacy is demonstrably managed. They look at the division of roles between controller and processor, the record of processing activities, DPIAs, data processing agreements, retention periods, the handling of data subject requests and the data breach procedure. As with ISO 27001, they look for evidence that policy is applied in practice, not just that it exists on paper.
What is a privacy gap analysis?
A privacy gap analysis compares your current privacy practice with the requirements of ISO 27701 and the GDPR. You gain insight into which documents, processes and measures are already in order and where the gaps lie. The result is a priority list and roadmap, so you can make targeted improvements before a formal audit or certification takes place.
Which documents and procedures do you need for ISO 27701?
These include an up-to-date record of processing activities, a privacy policy, DPIAs for high-risk processing, data processing agreements with suppliers, a procedure for data subject rights, a data breach procedure and defined retention periods. The auditor checks not only whether these exist, but also whether they are up to date and actually used.
Why is ISO 27701 relevant for SaaS providers?
For SaaS providers that, as a processor, handle large volumes of customers' personal data, ISO 27701 is often a strong selling point. It demonstrates to business customers that privacy is under control, simplifies due diligence and processor assessments, and ties in seamlessly with an existing ISO 27001 certificate.
Ready to make privacy demonstrable?
Book a privacy audit scan and find out where your PIMS stands against ISO 27701 and the GDPR.
