Your privacy, proven on paper with ISO 27701.

ISO 27701 is the international standard for privacy management. It’s a management system that demonstrates your organisation handles personal data in a structured and demonstrable way.

Serious strategizing. Shot of two handsome businessmen having a

What is
ISO27701?

ISO 27701 is the international standard for a Privacy Information Management System, or “PIMS” for short. Where an ordinary privacy policy describes what an organisation should do, a PIMS goes a step further: it proves that you actually do it.

Put simply, a privacy policy is a fairly straightforward document. A PIMS, on the other hand, is a management system with processes, controls and demonstrable follow-up. We often see organisations with mature privacy processes implementing a PIMS. During a certification audit, well-written policy documents alone won’t get you through. You need to be able to prove that those policies are followed in practice and form part of the culture.

ISO 27701 is a framework that can help you get started with this.

New in 2025: ISO 27701 stands on its own.

Until 2025, ISO 27701 was linked to ISO 27001, the standard for information security. This meant privacy and data protection fell under the broader umbrella of security, which didn’t reflect reality. An organisation can score excellently on security and still have serious shortcomings when it comes to data protection. The reverse is equally true.

That’s why the standard was thoroughly revised in October 2025: ISO 27701 is now a fully independent standard. You no longer need an ISO 27001 certificate to achieve ISO 27701.

Who certifies?

ISO 27701 is a certifiable standard, with audits carried out by accredited certification bodies. In Belgium, these bodies are accredited by BELAC, the national accreditation body. The BELAC search tool provides an up-to-date overview of which bodies are authorised to carry out ISO 27701 audits. They independently assess whether your privacy management meets the requirements of the standard.

CRANIUM doesn’t carry out the external audit itself, but we support you from the sidelines. We guide and prepare you at every step, so you walk into the audit room without surprises.

Who is ISO27701 relevant for?

ISO 27701 is relevant for any organisation that handles personal data. In practice, however, there are sectors and contexts where the standard adds particular value.

01 - Software developers and service providers.

Organisations supplying software or services to large clients, such as multinationals or government bodies, increasingly face strict compliance requirements. An ISO 27701 certificate shows that, whatever role you play in processing personal data, you handle it correctly. That builds trust and can make a difference in a tender process.

What does an ISO 27701 journey look like?

An ISO 27701 journey follows a set structure, but looks different for every organisation. The scope, sector and how far along you already are with privacy all influence how intensive the process is.

Broadly speaking, you go through these phases:

Important to know: ISO 27701 works according to the well-known Plan-Do-Check-Act cycle. Certification isn’t an endpoint, but the start of a continuous improvement process.

Why choose ISO 27701?

Achieving a certificate takes time and effort. What does it deliver?

  • Trust you can demonstrate

    For many organisations, privacy is an abstract promise. With an ISO 27701 certificate, you make that promise concrete and visible. You show clients, partners and suppliers that you don't just take personal data seriously, but that this has also been independently verified. That's a strong signal, particularly in sectors where sensitive personal data is central.

  • An advantage in tenders.

    More and more organisations ask for proof of sound privacy management during tender processes. An ISO 27701 certificate gives you an edge over competitors who can't provide that proof. The standard isn't yet a requirement everywhere, but those who get ahead of the curve position themselves strongly for when it becomes one.

  • Structure that pays off internally.

    Building a PIMS forces you to gain a clear view of what personal data you process, how long you retain it, who has access to it, and what the risks are. That exercise has value beyond the certificate itself. Organisations that take the process seriously almost always uncover blind spots they'd previously overlooked.

  • Internationally applicable.

    The GDPR applies within Europe and to organisations offering services or goods to people in Europe. But for organisations also active outside the EU, ISO 27701 offers an internationally recognised framework for applying privacy management consistently. You won't need to explain your approach afresh to every international partner or client. And if you already hold an ISO 27001 certificate, you can build on processes you've already established.

  • Peace of mind during regulatory scrutiny.

    A certificate is no guarantee that the authorities will never come knocking, and it certainly doesn't replace GDPR compliance. But it does show that your privacy management is structurally embedded. You'll be able to demonstrate what you do, and that can make all the difference.

Meet the CRANIUM Specialists.

Marja Lubbers

Marja Lubbers

Business Manager & Principal Privacy Consultant

Female Avatar

Gwenna Chavatte

Principal Privacy & Digital Law Consultant

Simon Geens

SIMON GEENS

Senior Privacy & Digital Law Consultant

Frequently Asked Questions.

What's the difference between ISO 27701 and ISO 27001?

ISO 27001 is about information security: protecting data against unauthorised access, loss or misuse. Our sister organisation Cingulum specialises in this and can guide you towards achieving that certificate.

ISO 27701 is about privacy: how your organisation handles personal data in the broadest sense, including legal grounds, retention periods and the rights of data subjects. ISO 27701 used to be an extension of ISO 27001, but since the 2025 revision it’s a fully independent standard. You don’t need an ISO 27001 certificate to achieve ISO 27701.

That said, there’s overlap between the two standards. Both work with a similar management system structure and require processes such as risk management, internal audits and management reviews. If you already hold an ISO 27001 certificate, you already have that foundation in place: you know how to map risks, develop policies and demonstrate compliance. For ISO 27701, you build on that with privacy-specific requirements, such as tracking legal grounds for processing, retention periods and data subject rights. That’s why ISO 27701 is often an achievable next step for organisations with an ISO 27001 certificate, rather than a completely new undertaking.

Take action today.

Get started on your ISO 27701 certification today. Reach out to our team for guidance and support 

Start the conversation here


We care about your privacy. Unless you sign op to join our community, we will use this data solely to answer your request. For more information on how we process and care for your data, you can read our privacy statement.
  • Solutions
  • Expertise
  • Knowledge
  • Careers
  • About