
Article Summary: In this guide, you’ll find everything your organization needs to know about ISO 27701: what it is, who it applies to, how to implement it, how much it costs, and why being GDPR compliant means you’re already halfway to certification.

Introduction

Today, the protection of personal data is a top priority for all organizations, regardless of their size or industry. In this context, ISO 27701 is gradually establishing itself as the leading international standard for structuring and demonstrating sound personal data management.

Yet ISO 27701 remains one of the most misunderstood standards in the regulatory landscape. Often confused with the GDPR, often perceived as something reserved for large corporations, and often relegated to the category of “something to address later,” it deserves far better than that.

Because beyond mere regulatory compliance, obtaining ISO 27701 certification means turning data protection into a powerful driver of trust and competitiveness for your organization.

1. What is the ISO 27701 standard, and how does it work?

1.1 Definition of ISO 27701

ISO 27701 is an international standard dedicated to data protection and privacy, published by the International Organization for Standardization (ISO), an organization comprising the standards bodies of 170 countries, including France (AFNOR), Germany (DIN), the United Kingdom (BSI), and the United States (ANSI). Created in August 2019, its 2025 version strengthens its regulatory requirements and controls to ensure more structured compliance.

It establishes a framework that enables your organization to implement a comprehensive management system, security measures, and enhanced governance of personal data, known as a Privacy Information Management System (PIMS). It covers the protection of personal data, security, confidentiality, and transparency in data processing throughout the entire data lifecycle, from collection to deletion, including processing and sharing.

1.2 What is personal data?

Personal data is any information that can be used to directly or indirectly identify a natural person: last name, first name, email address, phone number, IP address, location data, client ID. Whenever your organization collects, processes, or stores this type of information, whether about your clients, employees, or prospects, data protection rules apply.

That is precisely what the GDPR has legally required since 2018 for all organizations processing the data of European residents. ISO 27701 goes a step further: it allows you to formally demonstrate that this data is managed rigorously, beyond mere legal compliance.

Good news: if your organization is already GDPR compliant, you’ve already laid the groundwork for ISO 27701 certification. Both frameworks share the same fundamental requirements, including a record of processing activities, risk management, and data subject rights. ISO 27701 certification formalizes and certifies what you’re already doing.

1.3 PIMS: The Key Concept at the Heart of the Data Protection Management System

PIMS is a data protection management system. It formalizes the management, governance, and controls related to data security and compliance with requirements. It is a dynamic framework that enhances trust, protection, and information security within organizations.

1.4 Developments in 2025: Introduction of a standalone version of ISO 27701

Until 2024, ISO 27701 was an extension of ISO 27001. Starting in 2025, it becomes a standalone standard that can be certified independently, meaning your organization can proceed directly with the ISO 27701 certification process without any prerequisites. However, if you are already ISO 27001 certified, transitioning to ISO 27701 remains the fastest and most cost-effective route, as the two standards share much of their documentation and audit logic.

2. ISO 27701 vs GDPR: What practical difference does this make for your company’s data protection?

ISO 27701 complements the GDPR by strengthening compliance and data protection: while the GDPR sets out legal obligations regarding the processing of personal data, ISO 27701 provides concrete evidence that your organization is complying with them.

                          | GDPR                                                                                                  | ISO 27701
--------------------------|-------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------
Nature                    | European regulation                                                                                   | International standard
Character                 | Mandatory                                                                                             | Voluntary
Data concerned            | Personal data only                                                                                    | Personal data only
Scope                     | All companies that process the personal data of European residents                                    | Any organization wishing to certify its personal data management
Objective                 | Establish a legal framework for the processing of personal data                                       | Provide an operational, certifiable, and auditable framework
Certification             | No certification; internal accountability                                                             | Certification issued by an accredited body
Penalty                   | Fines imposed by the CNIL (National Commission for Information Technology and Civil Liberties): 4% of global revenue or €20 million | No penalty, but loss of certification in the event of a violation
Proof of compliance       | Accountability (internal documentation)                                                               | ISO 27701 certificate valid for 3 years
In the event of a breach  | CNIL fine of 4% of global revenue or €20 million; decision made public                                | Denial or revocation of certification by the auditing body
Authority                 | The CNIL and the other national supervisory authorities                                               | Accredited certification body (COFRAC in France)

Does ISO 27701 replace the GDPR? No. One does not supersede the other; rather, they reinforce each other. The standard is explicitly designed to align with the principles of the GDPR. By obtaining certification, you are not doing anything “extra”: you are simply structuring and demonstrating what the GDPR already requires you to do in terms of data processing.

3. Who is affected by ISO 27701? Organizations, data, and requirements

ISO 27701 is a voluntary initiative; your organization is not required to seek certification. However, there are certain situations in which certification is particularly relevant—or even strategic.

Now is a good time to think about it if you meet at least one of these criteria:

  • You process significant amounts of personal data (clients, employees, app users)
  • You are a data processor, processing data on behalf of other companies
  • You operate in a sensitive industry where data trust is a major concern: healthcare, finance, HR, insurance, SaaS, and e-commerce
  • You are responding to B2B or public sector tenders where compliance is a selection criterion
  • You work with international clients or partners who require formal assurances regarding data management

4. How to Implement ISO 27701: Key Steps, Requirements, and Controls

Good news: if your organization is already working toward GDPR compliance, you’ve already come a long way. Implementing ISO 27701 follows a logical, structured process. Here’s how to approach it, step by step, without getting lost.

4.1 Step 1 – Define the scope and develop your roadmap

Before you begin, you need to clearly define what you want to certify: your entire organization, or a more limited scope (a specific business activity, a product line, or a type of process)?

  • Identify the activities and data processing operations that fall within the scope of the certification.
  • Assess the available resources: budget, team, and deadlines
  • Create a realistic project plan with clear milestones
  • Communicate the selected scope to your internal stakeholders

Dipeeo Tip: Start with a limited scope. This reduces costs, speeds up the initial certification process, and allows you to expand gradually.

4.2 Step 2 – Map Your Personal Data

You need to have a clear and comprehensive overview of all the personal data your organization processes. This mapping is the foundation of the entire process.

  • Identify all personal data being processed: its nature, source, and purpose
  • Identify the tools, cross-departmental workflows, and transfers to third parties
  • Document who has access to what, and under what conditions
  • Check that your record of processing activities (required under the GDPR) is complete and up to date

Specifically, you need to be able to answer the following questions: What data do we collect? For what purposes? Who has access to it? Where is it stored? How long do we keep it?

Good to know: If you’re already a Dipeeo client, this mapping process has already been largely completed as part of your GDPR compliance efforts. You’re starting with a significant head start.

4.3 Step 3 – Assess Your Risks and Implement Your PIMS

This is the core of the certification process. Your organization must establish a comprehensive management system focused on the protection of personal data.

  • Conduct a risk assessment of your personal data processing activities
  • Draft and formalize your data protection policies
  • Establish your internal procedures: handling data breaches, exercising data subject rights, managing data processors
  • Clearly define your role: Are you a data controller, a data processor, or both?
  • Make sure that each document is functional, known to the relevant teams, and kept up to date

Good to know: This step is often the most time-consuming and technical part of the process. At Dipeeo, we help you with risk analysis, drafting all your documentation, and implementing your internal procedures, so you don’t have to start from scratch. If you’re already a Dipeeo client, much of this work has already been completed as part of your GDPR compliance.

4.4 Step 4 – Train Your Teams and Ensure Compliance

Even the best documentation in the world is useless if your teams aren't familiar with it. The standard requires that your organization be truly committed to data protection at every level.

  • Train your employees on data protection issues and their responsibilities
  • Clearly define everyone's roles and responsibilities within the PIMS
  • Establish regular monitoring and reporting processes
  • Make sure management is involved and informed

4.5 Step 5 – Conduct Your Internal Audit

Before undergoing an external audit, an internal audit allows you to verify that your system is indeed operational and to address any discrepancies before they become official non-conformities.

  • Make sure that all your procedures are known and actually followed
  • Test compliance under real-world conditions for the processes within the scope
  • Identify and correct discrepancies before the external audit
  • Share the results with management and the relevant teams

Dipeeo Tip: A well-conducted internal audit can save several months in the certification process. This is a step that many people underestimate, and it often makes the difference between passing the initial audit and having to retake it.

4.6 Step 6 – Pass the external certification audit

Your organization is ready. A COFRAC-accredited body (AFNOR Certification, Bureau Veritas, etc.) conducts the audit in two phases: 

  • Phase 1 – Document review: The auditor verifies that your PIMS is properly documented and complies with the standard’s requirements
  • Phase 2 – On-site audit: The auditor verifies that the written procedures are actually being followed within your organization.

In the case of minor nonconformities, a corrective action plan may be accepted. In the case of major nonconformities, the audit must be repeated. If everything is in order, you will receive your ISO 27701 certificate, which is valid for three years.

Important: The organization assisting you with your preparation cannot be the same one that conducts the certification audit. The two roles are incompatible in order to ensure the independence of the audit.

4.7 How long is the certification valid for?

The certification is valid for 3 years. During this period, annual surveillance audits are conducted. At the end of the 3-year period, a full renewal audit is required to maintain the certification.

4.8 Can you get certified on your own?

Technically, yes, but that’s rarely the right approach. Without sufficient expertise, there’s a risk of producing documentation that doesn’t meet the auditor’s expectations and having to start all over again after a failed initial audit. In practice, most organizations rely on external support, such as a specialized consultant, a law firm, or an outsourced DPO, to manage the entire project.

4.9 Who issues the certification?

ISO 27701 certification is issued by a certification body accredited by COFRAC. In France, the main accredited bodies are AFNOR Certification and Bureau Veritas. Always verify the accreditation of the body you choose before committing; only a COFRAC-accredited body can issue an internationally recognized certificate.

4.10 What are the prerequisites for obtaining ISO 27701 certification? 

As of the 2025 version, there are no mandatory prerequisites. The standard now stands on its own. However, if your organization already holds ISO 27001 certification, existing documentation (security policy, risk management, asset register) can be directly reused and expanded, significantly reducing the amount of work required.

4.11 How long does it take to obtain ISO 27701 certification?

If you’re starting from scratch, you should generally allow 6 to 12 months to be ready for the certification audit. This timeframe can be significantly reduced if you’re already well on your way to GDPR compliance, or if you’re working with experts who are well-versed in the standard’s requirements.

5. How much does ISO 27701 certification cost?

The cost varies depending on the size of your organization, the scope you wish to certify, and the level of support you choose. There is no fixed rate, but here are the cost items you should anticipate:

  • Phase 1 Audit (Document Review): Review of your PIMS documentation by the external auditor. Duration: 1 to 2 days.
  • Phase 2 audit (on-site audit): Verification of actual implementation. Duration: 2 to 8 days, depending on the scope.
  • Support & compliance: This is the area that varies the most depending on your initial level of maturity and the type of support you choose (outsourced DPO, SaaS platform).
  • Tools & documentation: Management platform, policy development, records, procedures.
  • Annual maintenance: Annual surveillance audits + ongoing compliance monitoring.

Important note: Cost estimates published online are often very general. A maturity assessment allows you to accurately evaluate the remaining work and obtain a realistic estimate of the project’s cost.

6. Why Get ISO 27701 Certified: The Tangible Benefits

6.1 Competitive Advantage and Market Differentiation

ISO 27701 certification is increasingly required or valued in requests for proposals, particularly by large corporations and the public sector. It enables you to immediately meet your clients’ compliance requirements and to set yourself apart in international markets, where the standard is recognized as a benchmark.

6.2 A Better Approach to Inspections

In the event of an inspection by the CNIL (National Commission for Information Technology and Civil Liberties) or a security incident, a certified management system sends a strong signal to the authorities that your organization takes these matters seriously. While it does not eliminate your legal obligations, certification demonstrates a structured approach to managing personal data and mitigating risks.

6.3 The trust of your clients and partners

Your clients entrust you with their data, and sometimes with that of their own clients. Showing them that you handle this with rigor and a systematic approach is a key factor in building loyalty and setting yourself apart, which directly impacts your long-term business relationship.

6.4 Improving Efficiency and Internal Management

Implementing a PIMS streamlines your internal processes, clarifies responsibilities, and reduces uncertainty. In practical terms: fewer unanswered questions about who has access to what, less time wasted answering your clients’ questionnaires, and teams that understand their responsibilities.

7. ISO 27701: How can Dipeeo help you?

At Dipeeo, we handle your GDPR compliance from start to finish as an external DPO registered with the CNIL (National Commission for Information Technology and Civil Liberties). Specifically, we work with you to carry out all compliance-related tasks: personal data mapping, processing records, internal policies, risk management and a customized action plan, as well as awareness-raising and training for your teams.

This groundwork is precisely what the ISO 27701 standard requires. By obtaining GDPR compliance certification, you’ve already completed about 80% of the path toward ISO 27701 certification. Your documentation is in place, your processes are structured, and your teams are trained. All that remains is to formalize what has already been done and have it audited by an accredited body.

We take the complexity out of compliance, and even when it comes to choosing a trusted certification partner, we’re here to help you find the right people to work with.

In other words: becoming a Dipeeo client means ensuring GDPR compliance and laying the groundwork for future ISO 27701 certification.

FAQ: Your Questions About ISO 27701 

Is ISO 27001 certification required before pursuing ISO 27701?

No, not since the 2025 revision. ISO 27701 is now a standalone standard. You can pursue certification directly, without the need for ISO 27001 certification. However, if your organization is already ISO 27001 certified, the process is significantly simplified.

Is ISO 27701 recognized internationally?

Yes. It is a standard published by the International Organization for Standardization (ISO) and recognized in more than 160 countries. A certification issued by an accredited body (COFRAC in France) is valid internationally.

How long is the certification valid for?

The certificate is valid for 3 years. Annual surveillance audits are conducted during this period. At the end of the 3-year period, a renewal audit is required to maintain certification.

Who can conduct the ISO 27701 certification audit?

A certification body accredited by COFRAC (the French Accreditation Committee) in France, such as AFNOR Certification or Bureau Veritas. It is essential to verify the body’s accreditation before committing to it.

Conclusion: Start with GDPR compliance—it lays the groundwork for your ISO 27701 certification.

ISO 27701 certification is rarely required right from the start. But GDPR compliance is a legal requirement —and that’s exactly where it all begins.

Compliance with GDPR involves mapping your personal data, structuring your data processing activities, formalizing your internal policies, and training your teams. In other words, it involves completing 80% of the work required for ISO 27701 certification. The certification simply formalizes and verifies what you are already doing.

At Dipeeo, we take care of all that for you. We handle your GDPR compliance from start to finish (data mapping, processing activity records, internal policies, risk management, and team training) so you can naturally lay the groundwork for your future ISO 27701 certification without any extra effort.

Lilia Dipeeo