ISO 27701 Privacy Information Management System (PIMS) Audit and Certification

Privacy Information Management System – An extension to ISO 27001


WHAT IS ISO 27701?

ISO/IEC 27701 is a Privacy Information Management System (PIMS) standard that is designed to help organisations comply with privacy laws around the world. In recent years, new data protection laws have been introduced in multiple countries that establish requirements for securing and processing Personally Identifiable Information (PII). However, it is not always clear how organisations should comply with these laws. ISO 27701 was introduced in 2019 and provides actionable guidance to help organisations conform to these varied regulations.

ISO 27701 Privacy Information Management System (PIMS), a privacy extension to ISO 27001 Information Security Management System (ISMS), can support your organisation in meeting regulatory requirements and managing privacy risks related to Personally Identifiable Information (PII).

ISO/IEC 27701 is the first standard of its type in the world and is applicable to public and private companies, government entities and not-for-profit organisations. It supports compliance with the EU’s GDPR but is also applicable to personal data governance laws in all other geographies.


  • Support compliance with privacy regulations – such as the European Union General Data Protection Regulation (EU GDPR) and local privacy laws and regulations such as the Personal Data Protection Act (PDPA) in Singapore.
  • Provide confidence to stakeholders and customers – that you are maintaining the highest standards in managing privacy risks related to PII.
  • Clear roles & responsibilities – for PII controllers and PII processors holding responsibility and accountability for PII processing.
  • Minimise risks – of disruptions of critical processes and financial losses associated with a breach.


TÜV SÜD has developed an efficient five-step process to support your ISO/IEC 27701 certification:

1. Readiness Review
We help you understand the standard’s objectives and informational requirements for the audit.

2. Audit on-site
Our experts conduct audits of your PII protection activities, assessing how you store and process customer information.

3. Non-conformance resolution
After the audit, your organisation implements measures to correct any non-conformances that the audit identified.

4. Issuance of audit report and certificate
TÜV SÜD issues you with your ISO 27701 certificate, which you can use to demonstrate your compliance.

5. Annual surveillance
To maintain the certificate, we conduct annual surveillance to ensure ISO data management standards continue to be met.


TÜV SÜD’s experienced auditors possess the accreditation and expertise to conduct ISO 27001 & ISO 27701 audits across industries. Through our worldwide network of professionals, we can provide certification services no matter where you are. Our experts adopt a holistic approach for your information security certification as well as your privacy information certification. Our status as an independent certification body ensures that TÜV SÜD's ISO 27001 PIMS Certification mark is accepted worldwide, making it a powerful tool for distinguishing your company in the market.

Complying with new privacy regulations such as the EU’s GDPR, California’s Consumer Privacy Act, India’s Personal Data Protection Bill or Brazil’s General Data Protection Law can be very challenging. However, by becoming ISO 27701 PIMS certified, your organisation can indicate compliance with all these (and similar) requirements.

To find out more about the standard or to begin the ISO/IEC 27701 certification process, contact us today.

The ISO 27701 management system certification is covered under the Sustainability-as-a-Service (SaaS) Programme, with 70% of qualified costs supported by Enterprise Singapore, as part of the Enterprise Sustainability Programme.





  • What is the difference between ISO 27001 and 27701?

    ISO 27001 defines a framework for Information Security Management Systems (ISMS) to provide confidentiality. ISO 27701 is an extension of the ISO/IEC 27001 standard, and it provides the requirements for the General Data Protection Regulation (GDPR). ISO 27701 focuses on privacy and defines a framework for a Privacy Information Management System (PIMS). It manages privacy with processors and controllers for personally identifiable information.


  • Is ISO 27701 certifiable? Can an organisation get certified for ISO 27701?

    Yes, ISO 27701 can be achieved by any organisation regardless of its size, sector or ownership. Government, private and non-profit organisations can get ISO 27701 certified. It serves as a valuable framework for organisations to comply with privacy legislation.


  • Can an organisation get certified for ISO 27701 without being certified to ISO 27001?

    No. ISO/IEC 27001 is a prerequisite for ISO 27701, as ISO 27701 serves as an extension of the ISO 27001 standard.


  • How many controls are there in ISO 27701?

    The 114 security controls of ISO 27701 are part of Annex A of ISO 27001. ISO 27701 also defines guidelines to implement these controls. They include mapping to:
    ○ ISO 29100 (Information technology – Security techniques – Privacy framework);
    ○ ISO 29151 (Information technology – Security techniques – Code of practice for personally identifiable information protection); and
    ○ ISO 27018 (Information technology – Security techniques – Code of practice to protect personally identifiable information (PII) in public clouds acting as PII processors).


  • What is the ISO standard that focuses on privacy?

    The ISO 27701 standard focuses on the protection of Personally Identifiable Information (PII). The PIMS definition allows organisations to comply with privacy regulations around the world.


  • How do I get ISO 27701 certified?

    There are 5 simple steps to your ISO 27001 certification with TÜV SÜD. They are:

    1. Readiness audit: TÜV SÜD evaluates your documentation and company records.
    2. On-site audit: TÜV SÜD reviews the compliance of your actual activities to ISO 27701 requirements and company records.
    3. Close the gap: Your organisation identifies and implements measures to correct the root cause of any non-conformances identified by the audit.
    4. Certification issuance: TÜV SÜD issues the ISO 27701 certification and certification mark.
    5. Surveillance audits: Annual audit required to maintain certification validity.

