ISO/IEC 27701:2025 · Privacy Information Management

ISO/IEC 27701 Privacy Information Management Certification

ISO/IEC 27701 is the global benchmark for managing personal information. Certify your Privacy Information Management System — standalone under the new 2025 edition, or integrated with your ISO/IEC 27001 ISMS — and prove, through independent certification, that you handle personal data responsibly. Stage 1 + Stage 2 audit, surveillance, recertification.

Standalone since 2025Controllers & processorsGDPR · NZ · AU aligned
PIMS-aligned
★ ISO/IEC 27701:2025
Privacy Information Management
Standalone PIMS · Controllers & processors · Privacy by design
Annex A
Annex B
GDPR Align
PII Mgmt
Built on ISO/IEC 27001 — privacy & security, certified together
3-year cert · annual surveillance
Trusted by privacy & security teams across ANZ
SparkDatacomInland RevenueVodafoneHumm GroupCCLFidelityIllionPlan BXplore
Overview

What Is ISO/IEC 27701?

A Privacy Information Management System (PIMS) you can certify. ISO/IEC 27701:2025 is the new standalone edition of the standard — a complete, certifiable framework of privacy requirements and controls for managing personal information (PII), no longer just an extension of ISO/IEC 27001.

It applies whether you are a PII controller (you decide how personal data is used) or a PII processor (you handle data for others) — and most organisations are both. The standard maps closely to the EU/UK GDPR, the NZ Privacy Act 2020 and the Australian Privacy Principles.

As an independent certification body, Cianaa assesses and certifies your PIMS — from Stage 1 through Stage 2 and ongoing surveillance — across New Zealand, Australia and beyond.

Benefits

Why ISO/IEC 27701 Certification Matters

ISO/IEC 27701 turns privacy from a liability into a demonstrable, certified strength.

Demonstrate Privacy Trust

Independent assurance to customers, partners and regulators that personal information is handled to a recognised global standard.

Support Legal Compliance

Controls map closely to GDPR, the NZ Privacy Act 2020 and the Australian Privacy Principles — reducing breach and penalty risk.

Win Privacy-Sensitive Work

Stand out in tenders and vendor reviews that demand evidence of strong, certified personal-data governance.

One Integrated System

Already ISO 27001 certified? Integrate privacy into your existing management system — security and privacy, assessed and certified together.

Reduce Breach Risk

A structured approach to identifying and treating privacy risks lowers the likelihood and impact of incidents.

Clear Accountability

Defined roles, records of processing and DPIAs make privacy responsibilities visible and auditable across your organisation.

How It Works

How ISO/IEC 27701 Works

ISO/IEC 27701:2025 is a complete privacy management system in its own right — with its own requirements and role-based privacy controls — and it integrates seamlessly with an existing ISO/IEC 27001 ISMS.

STANDALONE

A Standard in Its Own Right

The 2025 edition has its own management-system requirements (clauses 4–10) — certify your PIMS on its own, or alongside ISO 27001.

ANNEX A

Controller & Processor Controls

One normative control set covering both roles — lawful basis, consent, data-subject rights, privacy by design, documented instructions and sub-processors.

ANNEX B

Implementation Guidance

Practical guidance for putting the Annex A controls into effect — for both PII controllers and PII processors.

SoA

Statement of Applicability

Your SoA is extended to cover the privacy controls you apply, with justification for inclusions and exclusions.

MAPPING

Regulatory Mapping

Controls map to GDPR, the NZ Privacy Act 2020 and the Australian Privacy Principles for cross-jurisdiction evidence.

RIGHTS

PII Principal Rights

Processes for handling data-subject requests, transparency and consent — embedded into day-to-day operations.

Process

The ISO/IEC 27701 Certification Process

Cianaa assesses you from Stage 1 through to recertification — every stage led by certified lead auditors with privacy and security expertise.

1
Optional

Stage 1 Readiness Review

Voluntary readiness review — we assess your PIMS maturity against ISO/IEC 27701 requirements.

2
Year 1

Stage 1 Audit

Documentation review against ISO 27701 — PIMS scope, controller/processor roles, SoA and privacy risk treatment.

3
Year 1

Stage 2 Audit

Assessment of how effectively your privacy controls operate in practice, with interviews and evidence sampling.

4
Year 1

Certificate Issued

On a successful audit you receive your ISO/IEC 27701 certificate from an accredited body — valid for a 3-year cycle.

5
Year 2–3

Surveillance Audits

Annual surveillance audits confirm ongoing conformity, PIMS effectiveness and continual improvement.

6
Year 4

Recertification

Full recertification audit renews your ISO/IEC 27701 certificate for another 3-year cycle.

Why Cianaa

Why Choose Cianaa Certification Partner

Independent, conflict-free certification — we assess and certify, we never consult on the systems we audit.

Multi-audit efficiency

Certify 27701 alongside 27001 (and 9001/42001) in a combined audit — less disruption, unified evidence.

Privacy & security expertise

Certified lead auditors who understand both information security and privacy management.

Transparent pricing

No hidden costs — transparent pricing and clear deliverables based on the standard’s requirements.

Crystal-clear reports

Audit reports with prioritised nonconformities and improvement opportunities — actionable, not buzzword-heavy.

Predictable timelines

Clear, realistic timelines that keep your team focused from Stage 1 to Stage 2.

Internationally accepted

Our process mirrors internationally accepted certification practice (Stage 1/Stage 2 → surveillance → recertification).

Complimentary · No Obligation

Book a Free ISO 27701 Scoping Call

Talk to a Cianaa specialist for a complimentary scoping call — we’ll confirm your PIMS scope and outline a clear, realistic certification pathway. No consulting, no sales pitch.

Scope clarificationYour controller / processor roles and PIMS boundary.
Realistic timelineIndicative effort and calendar to Stage 2 readiness.
How certification worksStage 1, Stage 2, surveillance and recertification explained.
IMS opportunityWhere ISO 27001 + 27701 certify together for less effort.
Book Your Free Scoping Call →
30-minute callPrivacy specialistNo obligation
Ready to Certify

Certify Your Privacy Management with ISO 27701

Speak with our independent assessors to scope your ISO/IEC 27701 certification — conflict-free, across New Zealand & Australia.

Get in Touch →
FAQ

Frequently Asked Questions

What is ISO/IEC 27701?
ISO/IEC 27701 is the international standard for a Privacy Information Management System (PIMS). The 2025 edition is a standalone, certifiable standard with privacy-specific requirements and controls for PII controllers and processors.
Is ISO 27701 a standalone certification?
Yes — since the 2025 edition, ISO/IEC 27701 is a standalone standard: you no longer need ISO 27001 first. Organisations that do hold ISO 27001 often have the two assessed and certified together.
We are certified to ISO/IEC 27701:2019 — what happens now?
Certificates issued against the 2019 edition remain valid during the transition period, but organisations must transition to ISO/IEC 27701:2025 by 31 October 2028. Talk to us about scheduling your transition assessment alongside your next surveillance or recertification audit — and read our ISO 27701:2025 transition guide for the full plan.
Does ISO 27701 make us GDPR compliant?
It provides a strong, auditable framework that maps closely to GDPR, the NZ Privacy Act 2020 and the Australian Privacy Principles — but certification is not a legal determination of compliance.
What’s the difference between a PII controller and processor?
A controller decides why and how personal information is processed; a processor handles it on a controller’s behalf. ISO 27701 has Annex A controls for controllers and Annex B for processors — many organisations are both.
Do you offer ISO 27701 training?
Yes — we provide ISO/IEC 27701 training to build your team’s privacy-management capability. See our ISO 27701 training page.
How long is the certificate valid?
Certification runs on a 3-year cycle with annual surveillance audits, followed by recertification.
How is the fee determined?
Fees depend on scope, headcount, your controller/processor role and number of sites. Request a quote for a fixed Stage 1 & Stage 2 fee, surveillance estimates and a proposed timeline.