What are the steps to achieving ISO 27701 certification?
As privacy becomes an increasingly important part of tenders, many organisations want to move beyond ad-hoc privacy management. ISO 27701 offers the perfect solution in the form of certified privacy management.
Many organisations that start an ISO 27701 journey underestimate what it actually involves. The standard itself is not complex, but achieving certification always requires structure, buy-in from the right people, and a system that works both on paper and in practice.
In this article, we walk you step by step through a possible implementation process: from the initial scope definition to the certification audit, including the most common mistakes we see organisations run into. Of course, there are other ways to approach this process, and the right approach largely depends on scope, priorities, and the type of organisation.
What you will learn from this article:
- What steps an ISO 27701 process can consist of
- Where things most commonly go wrong in practice
- How to keep the process manageable
Step 1: Start with your scope.
ISO 27701 has the same structure as all other ISO standards: start with scoping. Before you draft a single document, you need to know which part of the organisation the certification will cover. Certifying the entire organisation is certainly possible (and sometimes desirable), but it is not always the best choice, especially for a first certification.
A more limited scope, for example one department, one service or one product, keeps the process manageable. You can always expand later. What you cannot do is discover halfway through that your scope was too broad to realistically manage and then try to scale it back.
Certifying an HR department of 50 employees is fundamentally different from certifying a full international group with multiple business units. An overly ambitious scope is one of the most common causes of delays in certification processes.
So take the time to properly map out your organisation’s context: who are your stakeholders, what are their expectations, and which part of the organisation do you want to certify? A solid scope is the foundation for everything that follows.
Step 2: Map out your data.
What personal data do you process? Where is it stored? Who has access to it? Are you a controller or a processor of that data? This is often the most time-consuming part of the entire process, and at the same time the most underestimated.
A solid Record of Processing Activities (RoPA) is a good foundation here. Without a clear picture of your personal data, you cannot manage it properly, let alone protect it.
Tip: involve the right people here. HR, finance, legal, marketing and IT each know what personal data flows through their department. Their input is essential to get a complete and accurate overview.
Step 3: Don’t overlook retention periods.
Retention periods are one of the most common challenges in certification audits. It is not always straightforward to determine the correct retention period for every processing activity, let alone to actually enforce it. Take the time to get this right; this is not something to rush through.
Does your policy state that data is deleted after two years? Make sure you also have systems or processes in place to verify that this actually happens and that you can prove it.
In many organisations, retention periods exist on paper only. During audits, it turns out that nobody can demonstrate that data is actually being deleted or archived.
The best approach is to build this into your systems. Automate the deletion or archiving of data after the set retention period. This way you do not have to rely on manual follow-up, and you always have a clear audit trail.
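The retention step above asks for two things an auditor will test: that deletion or archiving actually happens after the set period, and that you can prove it. As an added illustration (not code from the article or from CRANIUM), the Python below sketches what that looks like in practice: a retention schedule keyed by processing activity, a job that deletes or archives expired records and writes every decision to an audit log, and a separate check that lists any live record past its expiry date. The activity names, retention periods and records are constructed sample values; in a real system they come from your RoPA and retention schedule.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Retention schedule per processing activity, in days. Constructed sample values;
# in practice these come from your RoPA / retention schedule.
RETENTION_DAYS = {
    "recruitment_applications": 2 * 365,   # e.g. "deleted two years after the vacancy closes"
    "payroll_records": 7 * 365,
}


@dataclass
class Record:
    record_id: str
    activity: str      # key into RETENTION_DAYS
    closed_on: date    # date from which the retention clock starts
    archived: bool = False


def expiry_date(record: Record, policy=RETENTION_DAYS) -> date:
    """Date on which the record must be deleted or archived."""
    return record.closed_on + timedelta(days=policy[record.activity])


def enforce_retention(records, today: date, policy=RETENTION_DAYS, action="delete"):
    """Apply the retention schedule. Returns (remaining_records, audit_log).

    Expired records are deleted (dropped) or archived (flagged), and every decision is
    written to the audit log so deletion can be demonstrated afterwards. Records whose
    activity has no retention period are never touched silently: they are kept and
    logged as a gap in the schedule that needs a decision.
    """
    remaining, audit = [], []
    for r in records:
        if r.activity not in policy:
            remaining.append(r)
            audit.append({"date": today.isoformat(), "record": r.record_id,
                          "action": "skipped", "reason": "no retention period defined"})
            continue
        if r.archived or expiry_date(r, policy) > today:
            remaining.append(r)          # already archived, or still within retention
            continue
        if action == "archive":
            r.archived = True
            remaining.append(r)
        audit.append({"date": today.isoformat(), "record": r.record_id,
                      "action": action, "activity": r.activity,
                      "expired_on": expiry_date(r, policy).isoformat()})
    return remaining, audit


def retention_violations(records, today: date, policy=RETENTION_DAYS):
    """Independent check: live records past their expiry date, i.e. what an auditor
    would find if the job had not run. An empty list means retention is enforced."""
    return [r.record_id for r in records
            if r.activity in policy and not r.archived and expiry_date(r, policy) <= today]


# Constructed sample data set, evaluated as of 15 January 2025.
SAMPLE_RECORDS = [
    Record("A-001", "recruitment_applications", date(2022, 6, 1)),   # past retention
    Record("A-002", "recruitment_applications", date(2024, 3, 1)),   # within retention
    Record("P-001", "payroll_records", date(2017, 1, 1)),            # past retention
    Record("X-001", "marketing_leads", date(2020, 1, 1)),            # no period defined
]


def run_sample(today=date(2025, 1, 15), action="delete"):
    """Run the check, the job, then the check again on a copy of the sample data."""
    records = [Record(**vars(r)) for r in SAMPLE_RECORDS]
    before = retention_violations(records, today)
    remaining, audit = enforce_retention(records, today, action=action)
    after = retention_violations(remaining, today)
    return before, [r.record_id for r in remaining], audit, after


if __name__ == "__main__":
    before, remaining, audit, after = run_sample()
    print("violations before:", before)
    print("remaining records:", remaining)
    for entry in audit:
        print(entry)
    print("violations after:", after)
```

The `retention_violations` check is the part that answers "prove it": run it on a schedule independent of the deletion job and keep its output with the audit log, and you have evidence that the policy on paper matches what is in your systems. Records for an activity without a defined retention period are deliberately left alone and reported, because silently deleting (or silently keeping) them hides exactly the gap the auditor is looking for.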
Step 4: Don’t forget your sub-processors.
Do you work with external parties that process personal data on your behalf? As a controller, you are responsible for how they handle that data. This is not just a GDPR obligation, it is also a key focus area within ISO 27701.
Map out your (sub-)processors and make sure you can demonstrate that they comply with your policies. This requires not only a signed data processing agreement, but also a process for actively monitoring this.
A good place to start is a register of your (sub-)processors. Just like your RoPA, this document needs to be regularly and systematically reviewed and updated.
How do you do this? You can, for example, organise periodic check-ins with your (sub-)processors or send out an annual questionnaire to assess how they handle your data. Also check any contractual obligations beyond the data processing agreement. It is best to actively verify that such agreements are being met, for example that the (sub-)processor has obtained and still maintains the certifications it committed to.
Step 5: Document your risk management.
- What are the risks to the personal data you process?
- What is the likelihood of something going wrong?
- What is the potential impact, and how do you address it?
Those are the three questions your risk management should address. This exercise needs to be well-substantiated and documented. An auditor does not only want to know which risks you have identified, but also why you reached that conclusion and what decisions you made based on that. A question that often comes up during an audit is “Show me a processing activity from your register and explain how it is managed in practice.”
Structure and continuity matter more than perfection here. A well-maintained risk register that is regularly updated carries more weight than a perfect analysis that is only reviewed once a year.
Step 6: Put your measures and policies in place.
Your risk analysis tells you which measures to put in place to mitigate those risks. You then document these in policies and procedures. So far, this will sound familiar to anyone already working with GDPR.
The most crucial difference with ISO 27701 is that you also need to be able to prove compliance. Documents alone are not enough; you need to develop a culture where data protection is embedded in every project that involves personal data, for example by working with privacy champions in each department. These are people within the organisation who are not directly involved in data protection, but who help carry the message and its importance to the rest of the organisation. A strong communication strategy is key here. Not sure where to start with communication strategies? Sit down with the people in your organisation who do have that expertise.
Step 7: Plan, do, check, act (PDCA cycle).
ISO 27701 works according to the Plan-Do-Check-Act cycle. After implementing your measures (controls), a phase of monitoring and evaluation follows. Are tasks actually being carried out? Are objectives being met? What can be improved?
Make this concrete: plan regular meetings, work with a clear division of responsibilities and make sure someone is in charge of follow-up. A monthly meeting with a fixed agenda, a ticketing system for privacy-related tasks, a calendar with deadlines: it does not matter which system you use, as long as you apply it consistently.
The final step in this phase is an internal audit and a formal management review. These form the bridge to the external certification audit. As an organisation, you can conduct the internal audit yourself, but ISO requires that this is done independently by someone with sufficient knowledge of the standard. This immediately rules out anyone involved in the ISO 27701 implementation, which is why many organisations choose to have this done by a third party. An added benefit is that a third party brings a fresh perspective to the entire Privacy Information Management System (PIMS) and its implementation, often providing useful advice even when everything is technically in order. Furthermore, a third party can present the audit results as a (mandatory) part of the formal management review and help address the other agenda items required by the standard.
Step 8: Time for the external audit.
Have you completed and documented the previous steps? Then you are ready to bring in an accredited certification body. They will conduct an independent audit and assess whether your PIMS meets the requirements of the standard.
Where does it typically go wrong?
Getting through this process takes more than technical knowledge. These are the most common mistakes organisations run into.
Underestimating the scope. Starting without preparation quickly reveals that the process demands more than expected. A thorough assessment upfront, possibly including a gap analysis, saves a lot of time and frustration. Make sure you define your scope as clearly and precisely as possible. This is the foundation for the further rollout of your PIMS.
Treating privacy as a checkbox. The standard requires more than completed templates. Anyone who approaches the process as an administrative exercise will be in for a surprise at the audit. Follow the Plan-Do-Check-Act principle and make sure you continuously improve and adjust your processes.
Neglecting project management. An ISO 27701 process needs a driver: someone who follows up on tasks, keeps track of deadlines and brings the right people together. Subject matter expertise is important, but without proper project management the process can stall. Subject matter expertise and project management do not have to sit with the same person, but both need to be covered and work well together.
Underestimating culture. The most successful processes have one thing in common: management involvement. When management acts as an active sponsor rather than a passive bystander, it becomes much easier to embed the importance of privacy across the organisation. A team that feels privacy is a priority from the top works very differently from one that sees it as an imposed obligation.
The “paper tiger” trap. We regularly see organisations with extensive and well-maintained privacy policies, yet employees do not know how to report a privacy incident or how to handle a data subject access request. During an audit, the gap between documentation and practice is quickly exposed.
Ready to get started?
An ISO 27701 process is achievable for any organisation that is serious about it. The key is not perfection, but structure, continuity and having the right people on board.
Keen to know where your organisation is today? Contact CRANIUM directly for a no-obligation introductory call.