Privacy management, certifiable

Build a Privacy Information Management System

ISO/IEC 27701:2025 is now a standalone Privacy Information Management System standard — certify with or without ISO 27001. PII controller and processor controls, GDPR Article mapping, and one workspace for security + privacy.

What is ISO 27701?

ISO/IEC 27701 is the international standard for a Privacy Information Management System (PIMS) — it adds privacy-specific requirements and controls to an information security management baseline. First published in 2019 as the first standard organizations could certify against for privacy management, it was substantially revised as ISO/IEC 27701:2025 (published October 2025), which is the current edition. Organizations certified to the 2019 version have until October 2028 to transition.

The standard provides privacy control sets for PII controllers and PII processors (split across Annex A and Annex B in the 2019 edition, and consolidated into a single set in the 2025 edition) and aligns its management clauses (4–10) with the ISO harmonized structure shared by ISO 27001 and ISO 42001. The biggest change in 2025: ISO 27701 is now standalone — you can certify a PIMS without holding ISO 27001, though the two still pair naturally because 27701 builds on the ISO 27002 security controls.

Who pursues ISO 27701

Organizations that want a recognized, certifiable demonstration of privacy management — especially those processing personal data of EU/EEA residents, but increasingly relevant for CCPA, LGPD, and similar regimes. SaaS companies acting as data processors for their customers frequently pursue 27701 alongside SOC 2 and 27001 as a comprehensive trust posture.

How episki helps

A PIMS is most efficient when it builds on an existing ISMS. episki keeps your 27001 controls and your 27701 privacy clauses in the same workspace, with the appropriate Annex A or B controls flagged based on your controller/processor role per processing activity.

ISO 27701 outcomes with episki

Quantify the impact security and compliance brings to your business.
  • PII controller: privacy controls for organizations acting as PII controllers.
  • PII processor: privacy controls for organizations acting as PII processors.
  • GDPR mapped: each ISO 27701 clause cross-walked to the relevant GDPR Articles for evidence reuse.

Why teams choose episki for ISO 27701

Framework-specific automation, collaboration, and reporting in one workspace.
Standalone — or paired with ISO 27001
ISO 27701:2025 can be certified on its own, and it still reuses your existing ISMS controls when you have them.
  • Certify a PIMS with or without ISO 27001
  • 27001 controls flagged with privacy applicability
  • Single combined audit when run alongside 27001
Controller and processor controls
Privacy controls scoped based on how you process PII for each activity.
  • Controller-specific privacy controls
  • Processor-specific privacy controls
  • Shared controls for organizations with both roles
Mapped to GDPR, CCPA, and beyond
Cross-walks built in so your 27701 work feeds your other privacy program reporting.
  • GDPR Article-level mapping
  • CCPA / CPRA mapping
  • LGPD, PIPEDA, and emerging laws

ISO 27701 readiness inside episki

Build the PIMS without rebuilding the ISMS.

Plug episki into your stack and work directly from this checklist during the free trial.

  • PIMS scope definition (PII processing activities)
  • Controller / processor role determination per activity
  • Annex A and Annex B applicable-controls list
  • Records of Processing (ROPA) integrated with controls
  • Data-subject rights (DSAR) workflow
  • Privacy training and awareness program

ISO 27701 accelerators

PIMS program accelerators

Add a privacy layer to your ISMS without reinventing the wheel.
  • Role mapper: determine controller, processor, or joint controller per processing activity.
  • Annex A / B selector: pick the right control set based on your role determinations.
  • GDPR Article crosswalk: see which ISO 27701 clauses satisfy which GDPR Articles.

Build a certifiable PIMS in episki

Stand up ISO 27701 — alongside ISO 27001 or on its own — in the same workspace.