Skip to Content
Governance and Compliance

What is ISO/IEC 27701?

ISO/IEC 27701 is the international standard that defines how a company should manage the privacy of the personal data it handles, through a privacy information management system (PIMS). It organizes policies, roles, and controls to protect personal data and prove that care to customers and regulators. Since the 2025 edition, it has become a standalone standard: it can be certified on its own, without first requiring the ISO 27001 information security certification.

Zamak TechnologiesUpdated on July 11, 2026

How ISO/IEC 27701 works

ISO/IEC 27701 takes the logic of a management system (plan, do, check, act) and applies it specifically to privacy. It distinguishes whoever decides about the data (the controller) from whoever merely processes it on someone else's behalf (the processor), and defines obligations for each role. It is the bridge between 'we take privacy seriously' and a certification a third party has audited.

1

Map the personal data

The starting point is knowing which personal data the company collects, why, where it lives, and for how long. Without that map, there is no privacy management, only intent.

2

Define your role

The standard treats the controller (who decides how the data is used) differently from the processor (who processes it on a client's behalf). Knowing which you are defines which controls apply.

3

Implement the privacy controls

On top of the information security base, the standard adds specific privacy controls: consent, data-subject rights, minimization, and transparency about how the data is used.

4

Certify with a third party

An independent body audits the system for evidence that it works. Since 2025, that certification can be obtained on its own, with ISO 27001 no longer a prerequisite.

Source: ISO/IEC 27701:2025 (iso.org) and ISO/IEC 27001:2022.

Why privacy needs its own system

  • Protecting the data is not the same as respecting privacy. Security prevents leaks; privacy decides whether that data should even be there, and for how long. They are distinct things.
  • The laws have multiplied. More than 140 countries now have a data protection law (IAPP, 2025), from Brazil's LGPD to Europe's GDPR, and each one asks for proof that the company manages the data with care.
  • The corporate customer has become an auditor. Companies require privacy assurance from their suppliers before sharing data, and a recognized certification shortens that sales conversation.
  • The 2025 edition lowered the barrier to entry. Because the standard is now standalone, a company can certify its privacy management without first building an entire information security system, which opens the door to more organizations.

What the standard organizes, in practice

  • Roles: controller and processor The standard separates who decides how data is used from who only processes it on someone else's behalf. Each role has its own obligations, and many companies are both at once.
  • Data-subject rights Access, correction, deletion, and portability of the data. The standard organizes how the company handles these requests consistently, rather than case by case.
  • Data life cycle From collection to disposal: minimization (collect only what is needed), a clear purpose, and retention with a deadline. The data that should not exist is what creates the most risk.
  • Standalone base since 2025 The new edition is a complete management system in its own right, aligned with the structure of ISO 27001:2022, and no longer an appendix that requires the ISMS first.

What is at stake for the business

Oct 14, 2025
the date the new standalone edition of ISO/IEC 27701 was published
140+
countries now have a data protection law the standard helps address (IAPP, 2025)
$ 4.44M
average global cost of a data breach, IBM 2025

ISO/IEC 27701 has stopped being an item for large corporations and become an accessible competitive advantage. The edition published on October 14, 2025 made the standard standalone: before, to certify privacy management, a company also had to hold and maintain the ISO 27001 information security certification; now it can certify privacy independently, which cuts the cost and time to entry. That matters because the privacy bar only rises: more than 140 countries now have a data protection law (IAPP, 2025), and the corporate customer has come to demand proof of care before sharing data. The standard does not, on its own, guarantee compliance with a specific law such as LGPD or GDPR, but it provides the structure that underpins that compliance and makes it auditable. And the alternative is expensive: a personal-data breach still costs, on average, $ 4.44 million worldwide (IBM, 2025), on top of the damage to trust.

How a company adopts ISO/IEC 27701

Adopting ISO/IEC 27701 means turning a privacy intention into a provable system. The path is shorter now that the standard is standalone:

  1. Inventory the personal data firstBefore any control, map what personal data the company handles, why, and for how long. It is the base everything else rests on.
  2. Define controller and processorFor each data flow, determine whether the company decides the use or only processes it on a client's behalf. That framing defines which obligations apply.
  3. Gather the laws you must meetLGPD, GDPR, or another: the standard is the structure, but the concrete requirements come from the laws of the markets you operate in. Map them so you do not certify in a vacuum.
  4. Implement and documentConsent, data-subject rights, minimization, and retention with a deadline have to exist in practice and leave evidence. The proof is what the auditor looks for.
  5. Certify when it makes senseThird-party certification is what turns good management into a recognized selling point. Since 2025, it can be obtained without ISO 27001 as a prerequisite.

In practice

If a customer asked today which of their personal data your company keeps, why, and for how long, would you have a ready answer? When the answer is 'I'd have to check,' privacy is still an intention, not a system.

How Zamak supports the ISO/IEC 27701 journey

Zamak Technologies supports the journey toward ISO/IEC 27701 alongside your team: it helps inventory the personal data, define the controller and processor roles, implement the privacy controls, and keep the evidence ready for the audit, using a compliance platform as one of the roadmaps. An honest defensibility note: the certification belongs to the audited company and the tools it uses; Zamak supports the journey, it does not issue the certificate. A good starting point is the compliance self-check, within the Governance and Compliance of the Zamak Method.

Frequently asked questions about ISO/IEC 27701

What is the difference between ISO 27701 and ISO 27001?
ISO 27001 manages information security: protecting data against access and loss. ISO 27701 manages privacy: how personal data is collected, used, and disposed of, and how people's rights are respected. Privacy rests on security, but it answers a different question.
Does ISO 27701 replace ISO 27001?
It does not replace it, but since the 2025 edition it no longer requires it as a prerequisite. It used to be an appendix that could only be certified on top of an existing ISO 27001 system; now it is a standalone standard that can be certified on its own. The two still complement each other.
Does ISO 27701 guarantee compliance with LGPD or GDPR?
Not on its own. It provides the management structure that underpins compliance and makes it auditable, and it maps to GDPR principles, but the specific requirements of each law still have to be met. It is strong support, not an automatic stamp.
What is a PIMS?
PIMS is the privacy information management system: the set of policies, roles, processes, and controls a company maintains to manage personal data consistently and provably. ISO 27701 is the standard that defines what that system should be.
What changed in the 2025 edition?
The main change is that the standard became standalone: it is no longer an extension of ISO 27001 and can be certified independently, without requiring the information security system first. The structure was also aligned with the most recent management standards.
Does a company that is not huge need ISO 27701?
Whether it is needed, in the legal sense, depends on the contract and the market. But with the standard now standalone, certification has become accessible to smaller organizations that want to prove data care to customers and partners, without first building an entire information security system.