
ISO 27701:2019 · Certification

The ISO 27701
certification process

ISO 27701 can only be certified as an extension of an ISO 27001 ISMS. Here is the path from gap analysis to the Stage 1 and Stage 2 audits, and what it takes to keep the certificate live afterwards.

Built on an ISO 27001 ISMS — existing or certified at the same time.

6 steps to certification · Stage 1 + Stage 2 audit structure · 3-year certificate cycle

ISO/IEC 27701:2019 · Accredited certification body audit · Last reviewed June 2026

Direct Answer

How do you get ISO 27701 certified?

ISO 27701 cannot be certified on its own: it is an extension of ISO 27001, so an ISMS must be in scope first, either already certified or audited at the same time. From there the path is the familiar management-system one: gap analysis, documentation, control implementation, internal audit and management review, and then a two-stage audit by an accredited certification body. The certificate runs on a three-year cycle with annual surveillance audits and a recertification audit at the end.

The path

Six steps to certification

  1. Step 1

    ISO 27001 in place

    Because ISO 27701 extends ISO 27001, you need a certified ISMS first — or you run both programmes together. This is the foundation the PIMS builds on.

  2. Step 2

    Privacy gap analysis & scoping

    Map where PII is collected, stored and processed, determine whether you act as a PII controller, a PII processor, or both (this decides whether the Annex A controller controls, the Annex B processor controls, or both sets apply), and assess current practice against those controls and the PIMS-specific requirements.

  3. Step 3

    PIMS documentation

    Extend the ISMS with a privacy policy, records of processing activities, a privacy impact-assessment process, and an extended Statement of Applicability that covers the PIMS controls alongside the existing ISO 27001 controls.

  4. Step 4

    Implement privacy controls

    Operationalise consent, PII principal rights (access, correction, erasure and the like), retention and disposal, and cross-border transfer controls, then generate the evidence that they are working: logs, request records, retention reports, and signed processor agreements.

  5. Step 5

    Training & internal audit

    Train staff on the privacy controls, run an internal PIMS audit, hold a management review, and close any findings with corrective action.

  6. Step 6

    Certification audit

    An accredited certification body runs the Stage 1 documentation review and Stage 2 audit of the PIMS; once non-conformities are closed, it issues the ISO 27701 certificate.

Frequently Asked Questions

Common questions about ISO 27701 certification.

Do I need ISO 27001 before ISO 27701?

Yes. ISO 27701 is an extension to ISO 27001, so the ISMS must be in scope — either already certified or audited at the same time. Many organisations run the two programmes together to save effort.

What is the difference between the Stage 1 and Stage 2 audits?

Stage 1 is a readiness review: the certification body checks that the PIMS documentation (scope, policies, extended Statement of Applicability, risk and impact assessments, internal audit and management review records) is in place and that the system is ready to be audited. Stage 2 is the deeper, evidence-based audit confirming that the privacy controls operate in practice. The certificate follows once any non-conformities are closed.

How long is an ISO 27701 certificate valid?

Like ISO 27001, the certificate runs on a three-year cycle with annual surveillance audits, then a recertification audit at the end. The PIMS has to keep operating between audits — it is an ongoing system, not a one-time project.

How long does it take to get certified?

Added to an existing ISO 27001 ISMS, a PIMS programme often reaches the certification audit in a few months. Building ISO 27001 and ISO 27701 together takes longer. The timeline depends on scope, the volume of PII, and your starting maturity rather than a fixed number.


Written by expert auditors

Saundhi Chauhan
Lead Auditor
ISO 27001 Lead Auditor · ISO 27701 Lead Auditor

Surendra Pal Singh
Chief Information Security Officer & Data Protection Officer
CISO · DPO · CISA · MCSE · ITIL · ISO 27001 Lead Auditor · ISO 27701 Lead Auditor · ISO 42001 Lead Auditor

Last reviewed: June 2026. Content verified by certified lead auditors.
