Docy Child

ISO 27701 FAQ

Estimated reading: 3 minutes 766 views

The standard requires an Internal Audit to be carried out before an external audit can be performed.

The Internal Audit must be carried out by a competent and objective auditor.

The auditor can be in-house (from the organization’s own staff) or an external consultant. If in house, it is important that the auditor is independent and has no prior or current involvement in the development and implementation of the PIMS.

The Internal Audit review include:

  • A documentation review of policies and procedures to confirm they adhere to the standards requirements
  • An evidence review through sampling and analysis to determine that the policies are being adhered to

Any findings from the Internal Audit must be tracked to resolution.

The Internal Audit is meant to be continuous throughout the certification period (3 years).

An external audit is essentially the same as for the internal audit, expect that the outcome is the obtention of a certification! 

The external audit starts with a stage 1 and a stage 2.

Stage 1: Consists of an extensive documentation review of your PIMS program. This typically can lasts couple hours to a day.

The outcome of the stage 1 is a list of findings (non-conformities) that would need to be remediated before moving to the Stage 2.

Stage 2: Consists of an extensive review of evidence that supports the documentation provided during the Stage 1 to confirm that the controls operate according to the ISO 27701 requirements. This takes a bit more time than the Stage 1 and can last couple days to a week.

The outcome of the stage 2 is a list of findings (non-conformities) that would need to be remediated before being recommended for a certification.

An ISO 27701 certification is valid for three years.

Doesn’t mean you do nothing for 3 years, no!

ISO requires surveillance audits to be performed each year to ensure the PIMS program and  controls continue to operate effectively.


ISO 27701 defines the requirements for PIMS and can be certified against.

ISO 27702 provides guidance on how to implement the ISO 27701 requirements. It cannot be certified against.

Organizations are required to secure and maintain the integrity of all sensitive data that they process under the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 (DPA). However, while these regulations provide a framework for data protection, they do not provide specific guidance on the actions that companies should take to ensure data privacy. This is where ISO 27701 can be beneficial.

ISO 27701 provides a comprehensive set of requirements and guidelines for implementing a best-practice process for managing a Privacy Information Management System (PIMS) that includes effective data security and privacy capabilities. By following the guidelines set out in ISO 27701, organizations can establish a systematic approach to identifying and mitigating privacy risks, handling personal data, and complying with applicable regulations. This can help improve data protection and privacy, enhance stakeholder trust, and promote operational efficiency.

Join the conversation

Twitter Facebook LinkedIn

❤️  Joyfully crafted by a 100% distributed team.