Your privacy, proven on paper with ISO 27701.
ISO 27701 is the international standard for privacy management. It’s a management system that demonstrates your organisation handles personal data in a structured and demonstrable way.
- International recognition
- Auditable
- Standalone certificate
What is ISO27701?
ISO 27701 is the international standard for a Privacy Information Management System, or “PIMS” for short. Where an ordinary privacy policy describes what an organisation should do, a PIMS goes a step further: it proves that you actually do it.
Put simply, a privacy policy is a fairly straightforward document. A PIMS, on the other hand, is a management system with processes, controls and demonstrable follow-up. We often see organisations with mature privacy processes implementing a PIMS. During a certification audit, well-written policy documents alone won’t get you through. You need to be able to prove that those policies are followed in practice and form part of the culture.
ISO 27701 is a framework that can help you get started with this.
New in 2025: ISO 27701 stands on its own.
Until 2025, ISO 27701 was linked to ISO 27001, the standard for information security. This meant privacy and data protection fell under the broader umbrella of security, which didn’t reflect reality. An organisation can score excellently on security and still have serious shortcomings when it comes to data protection. The reverse is equally true.
That’s why the standard was thoroughly revised in October 2025: ISO 27701 is now a fully independent standard. You no longer need an ISO 27001 certificate to achieve ISO 27701.
Who certifies?
ISO 27701 is a certifiable standard, with audits carried out by accredited certification bodies. In Belgium, these bodies are accredited by BELAC, the national accreditation body. The BELAC search tool provides an up-to-date overview of which bodies are authorised to carry out ISO 27701 audits. They independently assess whether your privacy management meets the requirements of the standard.
CRANIUM doesn’t carry out the external audit itself, but we support you from the sidelines. We guide and prepare you at every step, so you walk into the audit room without surprises.
Who is ISO27701 relevant for?
ISO 27701 is relevant for any organisation that handles personal data. In practice, however, there are sectors and contexts where the standard adds particular value.
01 - Software developers and service providers.
Organisations supplying software or services to large clients, such as multinationals or government bodies, increasingly face strict compliance requirements. An ISO 27701 certificate shows that, whatever role you play in processing personal data, you handle it correctly. That builds trust and can make a difference in a tender process.
02 - Healthcare and healthtech.
Medical data is among the most sensitive categories of personal data. For organisations working with patient data, wearables or health applications, a PIMS is an added mark of trust. It signals to hospitals, insurers and patients that privacy and data protection are structurally embedded in your organisation.
03 - Research agencies and data companies.
Organisations processing personal data at scale for market research or data-driven services can use ISO 27701 to demonstrate they do so responsibly. That’s a strong argument towards clients and partners.
04 - Internationally active organisations.
The GDPR is the gold standard for privacy legislation, but it doesn’t apply everywhere in the world. For organisations active outside Europe, ISO 27701 offers an internationally recognised framework for applying privacy management consistently, without having to refer back to European legislation each time.
05 - What about smaller organisations?
The threshold for ISO 27701 is lower than for ISO 27001. The scope of the certificate can be limited to a specific department, service or product, making the standard achievable for SMEs too.
The real challenge isn’t the standard itself, but properly implementing and complying with the GDPR: those who take their privacy obligations seriously and treat this as an ongoing process already have a solid foundation to build on.
What does an ISO 27701 journey look like?
An ISO 27701 journey follows a set structure, but looks different for every organisation. The scope, sector and how far along you already are with privacy all influence how intensive the process is.
Broadly speaking, you go through these phases:
- Defining the context and scope of your organisation
- Creating an inventory of the personal data you process
- Analysing risks
- Developing measures and policies
- Organising demonstrable compliance
- Internal audit and management review
- External certification audit
Important to know: ISO 27701 works according to the well-known Plan-Do-Check-Act cycle. Certification isn’t an endpoint, but the start of a continuous improvement process.
Why choose ISO 27701?
Achieving a certificate takes time and effort. What does it deliver?
-
Trust you can demonstrate
For many organisations, privacy is an abstract promise. With an ISO 27701 certificate, you make that promise concrete and visible. You show clients, partners and suppliers that you don't just take personal data seriously, but that this has also been independently verified. That's a strong signal, particularly in sectors where sensitive personal data is central.
-
An advantage in tenders.
More and more organisations ask for proof of sound privacy management during tender processes. An ISO 27701 certificate gives you an edge over competitors who can't provide that proof. The standard isn't yet a requirement everywhere, but those who get ahead of the curve position themselves strongly for when it becomes one.
-
Structure that pays off internally.
Building a PIMS forces you to gain a clear view of what personal data you process, how long you retain it, who has access to it, and what the risks are. That exercise has value beyond the certificate itself. Organisations that take the process seriously almost always uncover blind spots they'd previously overlooked.
-
Internationally applicable.
The GDPR applies within Europe and to organisations offering services or goods to people in Europe. But for organisations also active outside the EU, ISO 27701 offers an internationally recognised framework for applying privacy management consistently. You won't need to explain your approach afresh to every international partner or client. And if you already hold an ISO 27001 certificate, you can build on processes you've already established.
-
Peace of mind during regulatory scrutiny.
A certificate is no guarantee that the authorities will never come knocking, and it certainly doesn't replace GDPR compliance. But it does show that your privacy management is structurally embedded. You'll be able to demonstrate what you do, and that can make all the difference.
Meet the CRANIUM Specialists.
Marja Lubbers
Business Manager & Principal Privacy Consultant
Gwenna Chavatte
Principal Privacy & Digital Law Consultant
SIMON GEENS
Senior Privacy & Digital Law Consultant
Frequently Asked Questions.
What's the difference between ISO 27701 and ISO 27001?
ISO 27001 is about information security: protecting data against unauthorised access, loss or misuse. Our sister organisation Cingulum specialises in this and can guide you towards achieving that certificate.
ISO 27701 is about privacy: how your organisation handles personal data in the broadest sense, including legal grounds, retention periods and the rights of data subjects. ISO 27701 used to be an extension of ISO 27001, but since the 2025 revision it’s a fully independent standard. You don’t need an ISO 27001 certificate to achieve ISO 27701.
That said, there’s overlap between the two standards. Both work with a similar management system structure and require processes such as risk management, internal audits and management reviews. If you already hold an ISO 27001 certificate, you already have that foundation in place: you know how to map risks, develop policies and demonstrate compliance. For ISO 27701, you build on that with privacy-specific requirements, such as tracking legal grounds for processing, retention periods and data subject rights. That’s why ISO 27701 is often an achievable next step for organisations with an ISO 27001 certificate, rather than a completely new undertaking.
Is the ISO 27701 certificate the same as GDPR compliance?
No. ISO 27701 supports your GDPR compliance and helps you demonstrate that your privacy management is structurally in order, but the certificate isn’t legal proof of GDPR compliance. Declaring an organisation fully GDPR compliant doesn’t really exist: compliance is a continuous process. The certificate does show that you’re taking it seriously, and that can be a USP for your organisation.
Do I need to be ISO 27001 certified already to achieve ISO 27701?
No, not any more. Since the October 2025 update, ISO 27701 stands entirely on its own. You can achieve the certificate without first going through ISO 27001.
Is ISO 27701 worthwhile for smaller organisations too?
Yes. The scope of the certificate can be limited to a specific department, service or product, keeping the process manageable. The real threshold isn’t the standard itself, but the GDPR: those who already take their privacy obligations seriously have a solid basis to build on.
Which roles are typically involved in an ISO 27701 journey?
A successful journey requires involvement from various people within the organisation. The core team usually consists of a data protection officer (DPO), a privacy officer, someone from IT and someone from information security. Departments such as HR, finance and legal are also important, as a great deal of personal data circulates there. A representative from management is crucial too: the standard requires you to demonstrate that privacy is championed at the highest level.
How long does an implementation journey take?
This depends heavily on the size of your organisation, the chosen scope and how far along you already are with your privacy management. Those with a solid GDPR foundation can move faster. Those starting from scratch will need more time. A realistic timeline allows for roughly three to six months for the preparatory phase, followed by around three to nine months for implementation and follow-up, before you’re ready for the external audit.
Does ISO 27701 help with international activities?
Yes. The GDPR applies within and towards Europe, but isn’t in force everywhere, though it is the gold standard. ISO 27701 is grounded in the GDPR and offers an internationally recognised framework for privacy management that you can apply consistently, even outside the EU. That makes the standard particularly useful for organisations active across multiple regions or working with international clients and partners.
Is ISO 27701 already being requested in tenders?
Not yet on a structural basis, but it does happen. The standard is less established than ISO 27001, though that’s gradually changing. Organisations that certify now are positioning themselves strongly for when the expectation becomes more widespread. What’s more, a certificate can already make a difference today with clients who value privacy.
Take action today.
Get started on your ISO 27701 certification today. Reach out to our team for guidance and support