What is ISO/IEC 27701?
ISO/IEC 27701 is the international standard that defines how a company should manage the privacy of the personal data it handles, through a privacy information management system (PIMS). It organizes policies, roles, and controls to protect personal data and prove that care to customers and regulators. Since the 2025 edition, it has become a standalone standard: it can be certified on its own, without first requiring the ISO 27001 information security certification.
How ISO/IEC 27701 works
ISO/IEC 27701 takes the logic of a management system (plan, do, check, act) and applies it specifically to privacy. It distinguishes whoever decides about the data (the controller) from whoever merely processes it on someone else's behalf (the processor), and defines obligations for each role. It is the bridge between 'we take privacy seriously' and a certification a third party has audited.
Map the personal data
The starting point is knowing which personal data the company collects, why, where it lives, and for how long. Without that map, there is no privacy management, only intent.
Define your role
The standard treats the controller (who decides how the data is used) differently from the processor (who processes it on a client's behalf). Knowing which you are defines which controls apply.
Implement the privacy controls
On top of the information security base, the standard adds specific privacy controls: consent, data-subject rights, minimization, and transparency about how the data is used.
Certify with a third party
An independent body audits the system for evidence that it works. Since 2025, that certification can be obtained on its own, with ISO 27001 no longer a prerequisite.
Source: ISO/IEC 27701:2025 (iso.org) and ISO/IEC 27001:2022.
Why privacy needs its own system
- Protecting the data is not the same as respecting privacy. Security prevents leaks; privacy decides whether that data should even be there, and for how long. They are distinct things.
- The laws have multiplied. More than 140 countries now have a data protection law (IAPP, 2025), from Brazil's LGPD to Europe's GDPR, and each one asks for proof that the company manages the data with care.
- The corporate customer has become an auditor. Companies require privacy assurance from their suppliers before sharing data, and a recognized certification shortens that sales conversation.
- The 2025 edition lowered the barrier to entry. Because the standard is now standalone, a company can certify its privacy management without first building an entire information security system, which opens the door to more organizations.
What the standard organizes, in practice
- Roles: controller and processor The standard separates who decides how data is used from who only processes it on someone else's behalf. Each role has its own obligations, and many companies are both at once.
- Data-subject rights Access, correction, deletion, and portability of the data. The standard organizes how the company handles these requests consistently, rather than case by case.
- Data life cycle From collection to disposal: minimization (collect only what is needed), a clear purpose, and retention with a deadline. The data that should not exist is what creates the most risk.
- Standalone base since 2025 The new edition is a complete management system in its own right, aligned with the structure of ISO 27001:2022, and no longer an appendix that requires the ISMS first.
What is at stake for the business
ISO/IEC 27701 has stopped being an item for large corporations and become an accessible competitive advantage. The edition published on October 14, 2025 made the standard standalone: before, to certify privacy management, a company also had to hold and maintain the ISO 27001 information security certification; now it can certify privacy independently, which cuts the cost and time to entry. That matters because the privacy bar only rises: more than 140 countries now have a data protection law (IAPP, 2025), and the corporate customer has come to demand proof of care before sharing data. The standard does not, on its own, guarantee compliance with a specific law such as LGPD or GDPR, but it provides the structure that underpins that compliance and makes it auditable. And the alternative is expensive: a personal-data breach still costs, on average, $ 4.44 million worldwide (IBM, 2025), on top of the damage to trust.
How a company adopts ISO/IEC 27701
Adopting ISO/IEC 27701 means turning a privacy intention into a provable system. The path is shorter now that the standard is standalone:
- Inventory the personal data firstBefore any control, map what personal data the company handles, why, and for how long. It is the base everything else rests on.
- Define controller and processorFor each data flow, determine whether the company decides the use or only processes it on a client's behalf. That framing defines which obligations apply.
- Gather the laws you must meetLGPD, GDPR, or another: the standard is the structure, but the concrete requirements come from the laws of the markets you operate in. Map them so you do not certify in a vacuum.
- Implement and documentConsent, data-subject rights, minimization, and retention with a deadline have to exist in practice and leave evidence. The proof is what the auditor looks for.
- Certify when it makes senseThird-party certification is what turns good management into a recognized selling point. Since 2025, it can be obtained without ISO 27001 as a prerequisite.
In practice
If a customer asked today which of their personal data your company keeps, why, and for how long, would you have a ready answer? When the answer is 'I'd have to check,' privacy is still an intention, not a system.
How Zamak supports the ISO/IEC 27701 journey
Zamak Technologies supports the journey toward ISO/IEC 27701 alongside your team: it helps inventory the personal data, define the controller and processor roles, implement the privacy controls, and keep the evidence ready for the audit, using a compliance platform as one of the roadmaps. An honest defensibility note: the certification belongs to the audited company and the tools it uses; Zamak supports the journey, it does not issue the certificate. A good starting point is the compliance self-check, within the Governance and Compliance of the Zamak Method.