ISO 27001 Certification (ISMS)

ISO 27701 as a supplement to ISO 27001

Processes and communication are increasingly taking place digitally. This is why information security is so important, and many consider a good management system in this area to be essential.

The ISO 27001 provides a good framework for this. It allows you to demonstrate that you are adequately protecting your valuable information.

However, an additional standard to ISO 27001 has recently been published, namely ISO 27701.
This standard not only protects your own information, but also shows that you protect the privacy of others.

TÜV NORD has been accredited as a certification body for ISO 27701 since 2022. This enables us to certify your company for ISO 27701 under accreditation in addition to ISO 27001.

Request an offer

Target groups for ISO 27701 certification

An ISO 27701 certificate is suitable for any organisation that processes personally identifiable information (PII). Regardless of its size, for both public and private companies, government agencies and non-profit organisations that process personal data (PII) as a controller and/or processor within the meaning of the BDSG as part of an ISMS.

Especially if you need to prove that your organisation consciously handles this type of personal data, this certificate offers a structured solution:

Any organisation that processes personal data, regardless of its size and type, can benefit from implementing ISO 27701
Organisations that want to (co-)mitigate financial and regulatory risks associated with data breaches
Private, public organisations and even government agencies that need to take a risk-based approach to the retention and processing of personal data
Organisations with an ISMS that want to further develop and professionalise their role as controller and/or processor

Defined roles in data protection management

The roles defined in the ISO 27701 standard are controller (PII controller) and processor (PII processor). Definition of roles in Article 4 of the GDPR or in the ISO 29100 standard:

CONTROLLER

"Natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data".

Collects personal data and determines the purposes for which it is processed, and more than one organisation may act as a PII controller - usually referred to as a joint controller. In this case, data sharing agreements may be required.

PII controller benefits

Provides guidance on preferred ways of working
Creates transparency between PII owners
Ensures effective management of PII processes

PROCESSOR

"Natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller".

Processes personal data on behalf of the PII Controller and only in accordance with the PII Controller's instructions.

Benefits PII Processor

Contains guidance on preferred ways of working
Gives clients peace of mind that PII is being handled effectively

Advantages of ISO 27701 certification

The possession and use of personal data is naturally associated with risks. However, this data is often essential for business operations and must therefore be used properly to minimise risks.

By systematically addressing this with ISO 27701, you are actively tackling these data protection risks. The measures introduced as a result reduce the risks and also provide better protection against data leaks.

Organisations that (further) process personal data on behalf of their customers must provide sufficient guarantees that this process complies with the requirements of the BDSG. With a privacy information management system (PIMS), you generate documented proof of how personal data is processed. In this way, you can show that you have thought carefully about this and what measures you have taken.

Organisations to which the BDSG applies can prove with an ISO 27701 certification that they have taken appropriate technical and organisational measures to ensure compliance with the requirements of the BDSG (even if the ISO data protection certificate is not a "BDSG certificate").

An ISO 27701 certificate shows that you have taken clear steps to adequately protect personal data. This kind of commitment can have an impact on your competitive position, for example. And while many say they take data protection seriously, you have actually proven that you do.

In addition, implementing ISO 27701 gives you insight and control when it comes to data protection. This gives you control over how personal data is handled within your organisation.

Implementing ISO 27701 can show customers, partners and other stakeholders that your organisation takes data protection very seriously and is truly committed to protecting personal data. In this way, you develop a positive reputation based on transparency.

With a certified PIMS, you can show various stakeholders, especially your customers, that you also take their data protection (obligations) seriously and take security precautions. And because PIMS also enforces control over the rest of the processing chain, you build your customers' trust in you.

When you start with ISO 27701, you are systematically working on data protection that is structurally checked through the certification process. This alone gives you a good overview of the status of compliance with data protection and legislation in compliance projects.

This proof makes internal monitoring by data protection officers very efficient. However, they are also in a position to provide appropriate evidence in the event of an external inspection by an authority for personal data.

In more and more cases, we are finding that organisations that are assessed as part of supplier management need to put in less effort if they are certified. For example, some clients accept the ISO 27001 certification of their suppliers instead of the security part of their supplier assessments, and the ISO 27701 certification instead of the data protection part. This means that companies no longer need to hire independent external auditors to prove this.

Both certifications together can fulfil the requirements of your clients.

Because you are demonstrably working to protect personal data, you are also safeguarding your knowledge of data protection. As concern about data protection has increased significantly in recent years, ISO 27701 certification can go a long way towards improving the public perception of your organisation's data protection practices.

Your reputation as an organisation that actually takes data protection seriously will strengthen your position in the market. An ISO 27701 certification is indeed an added advantage based on a guarantee you can give your customers: While you are securing information, you are systematically working to protect personal data.

Contents of ISO 27701

ISO 27001 and ISO 27002 contain requirements and guidelines for an information security management system (ISMS). ISO 27701 adds data protection-specific requirements and guidelines and expands them to include a data protection information management system (PIMS).

Specific additions:

the existing standard chapters of ISO 27001 (chapters 4-10) including
Annex A1 (Controls from ISO 27002 (5-18) with the ISO 27701-specific requirements

ISO 27701 is therefore an extension of the requirements and controls of ISO 27001 and does not function as a stand-alone standard. It therefore necessarily has the same scope as the underlying ISO 27001 management system

Audit process for ISO 27701 certification

1

01

Enquiry, offer preparation & explanation

2

02

Commissioning & individual scheduling

3

03

Audit: Understanding the organisation & determining readiness for certification

4

04

Identifying potential for improvement

5

05

Quick four-eye check & certificate creation

6

06

External TÜV certificate

7

07

Continuous further development of the management system & competitiveness

FAQ about an ISO 27701 certification

PII personally identifiable information
PII controller / pbD-Beauftragter
PII principal / Betroffene Person
PII processor / pbD-Verarbeiter
privacy breach / Datenschutzverletzung
privacy principles / Datenschutzprinzipien
privacy risk / Datenschutzrisiken
privacy risk assessment / Datenschutz-Risikobeurteilung
processing of P / Verarbeitung von personenbezogenen Daten
sensitive PII / Sensitive pbD

An ISO 27701 certificate is suitable for any organisation that processes personally identifiable information (PII). Regardless of its size, for both public and private companies, government agencies and non-profit organisations that process personal data (PII) as a controller and/or processor within the meaning of the BDSG as part of an ISMS.

Especially if you need to prove that your organisation consciously handles this type of personal data, this certificate offers a structured solution:

Any organisation that processes personal data, regardless of its size and type, can benefit from implementing ISO 27701
Organisations that want to (co-)mitigate financial and regulatory risks associated with data breaches
Private, public organisations and even government agencies that need to take a risk-based approach to the retention and processing of personal data
Organisations with an ISMS that want to further develop and professionalise their role as controller and/or processor

Companies that fall under European legislation, e.g. because they are European or operate in the EU, can use ISO 27701 to take a closer look at compliance with GDPR legislation. This applies, for example, to:

Organisations looking for a way to comply with the obligation to demonstrate that they have taken appropriate technical and organisational measures to ensure compliance with the requirements of the GDPR
Organisations that wish to (further) process personal data on behalf of customers, which by law may only outsource this to organisations that sufficiently guarantee that the processing meets the requirements of the GDPR and the protection of the rights of the data subjects

To obtain ISO 27701 certification, you must already have a functioning ISMS that fulfils the requirements of ISO 27001. This means that you already have or are in the process of obtaining ISO 27001 certification. The reason for this is that ISO 27701 complements this standard.

For any organisation that works with privacy-sensitive information, especially if that information can be traced back to an individual, this addition is certainly relevant.

If you already have an ISO 27001 certificate (via TÜV NORD or another certification body), you will first be audited separately for ISO 27701. This certificate then corresponds to your current ISO 27001 certificate in terms of duration. When this expires or if you start with ISO 27001 and ISO 27701 at the same time, the audits for ISO 27001 and ISO 27701 will be synchronised.

The ISMS and PIMS are then integrated and the audits for both systems are combined.