Privacy Information Management System (PIMS)

ISO/IEC 27701 is an extension to the ISO/IEC 27001 and ISO/IEC 27002 (Information Security Controls) standards to include privacy criteria of an information security management system. The international standard ISO 27701 provides guidelines for the protection of privacy and the handling of personal data. It also demonstrates compliance with data protection regulations in the United States as well as worldwide.

Regulatory compliance

Convince regulators of your data protection concept

Higher understanding of overall contexts through process orientation

Normative basis for a Privacy Information Management System (PIMS)

Description of the standard / set of rules

How is privacy management defined according to ISO 27701?

The ISO 27701 standard contrasts with ISO 27001 by focusing on both information security and privacy within a management system. The standard also dives deeper into information security.

One of the biggest considerations when looking at the context of an organization is the relevant data protection laws and court decisions. In addition, it is important to assess the risks associated with the processing of personal data.

ISO 27701 can only be certified in conjunction with an information security management system in accordance with ISO 27001. Articles 5 and 32 of the European General Data Protection Regulation (GDPR) set out requirements where compliance can be demonstrated by implementing a data protection management system in accordance with the ISO 27701 standard.

Data protection can be certified to a certain extent, and possible fines following data protection incidents can be avoided or reduced.


Will my company meet the requirements of the European GDPR if I implement the standard?

No, by implementing the requirements of ISO 27701, only the requirements for a management system are implemented, but not those of the European General Data Protection Regulation (GDPR). This is not required by the international standard. However, it is possible to transfer the GDPR requirements into the requirements management of ISO/IEC 27701.

The ISO 27701 certification can act as a steppingstone for your organization to meet the requirements of GDPR. It can also be used to integrate and fulfill the requirements of the European GDPR for the protection of personal data in the management system. The annex to ISO 27701 provides valuable assistance as it contains a detailed table of measures to be taken in relation to the requirements of the GDPR.

How it works

How can my organization provide evidence of the European GDPR implementation?

As the person responsible for data protection in the company, you are subject to the obligation to provide evidence. A data protection management system in accordance with ISO 27701 is the secure and stable foundation for this. In the event of a data protection incident, possible penalties by the regulators can be avoided or at least reduced.

According to Article 83 (paragraph 2 letter d) of the GDPR, the extent to which the company actively and in a structured manner deals with data protection also plays a role in the assessment of fines.

Once you have implemented a management system in accordance with ISO 27701, you can then be certified by DQS Inc. In that case, you will have objective proof that data protection is of high importance to you and that you operate a functioning data protection management system.

With a certificate according to ISO 27701, which requires certification according to ISO 27001 (Information Security Management), you have created a solid basis for the integration of the European GDPR's requirements. In some places, the GDPR requires measures that assume a management system is in place.


What are the steps to achieve an ISO 27701 certification?

In the first step, you discuss your company, your management system and the goals of an ISO/IEC 27701 certification with us. Next, you will promptly receive a detailed and transparent quote, customized to your company's needs.

Especially for larger certification projects, a planning meeting is a valuable opportunity to develop an individual audit program for all involved areas and locations. A gap assessment also offers the opportunity to identify potential for improvement as well as strengths of your management system in advance. Both services are optional.

The stage 1 audit starts with a system analysis and an evaluation of your documentation, objectives, and the results of your management review and internal audits. In this process, we determine whether your management system is sufficiently developed and ready to be certified.

In the stage 2 system audit, your auditor assesses the effectiveness of all management processes on site. In the final meeting, you will receive a detailed presentation of the results from your auditor and indications of potential improvements for your company; if necessary, action plans are agreed upon.

Based on the system audit, an evaluation of your management system takes place, which results in a report. If your company has fulfilled all standard requirements, you will receive the ISO 27701 certificate.

To ensure that your company continues to meet all the requirements of ISO 27701 after the certification audit, DQS Inc. conducts surveillance audits on an annual basis. This provides competent support for the continuous improvement of your data protection management system and your business processes.

The certificate is valid for a maximum of three years. Recertification is carried out by DQS Inc. with ample time before the certificate expires to ensure ongoing compliance with the applicable standard requirements. Upon compliance, a new certificate is issued.


What does ISO 27701 certification cost?

Since every company has different characteristics and individual requirements for a management system, the costs for the audit and certification according to ISO 27701 cannot be given as a lump sum. We will provide you with a customized quote based on an objective assessment and your requirements with no obligation.


What you can expect from DQS Inc.

  • Over 35 years of experience in the certification of management systems and processes
  • Industry-experienced auditors from the worldwide DQS network
  • Value-added insights into data protection in your company
  • Certificates with acceptance in the U.S. and Canada as well as globally
  • Personal, seamless support from our specialists - regionally, nationally, and internationally
  • Customized offers with flexible contract terms without hidden costs
  • Meaningful audit reports including recommendations for action

Request for quotation

Your local contact person

We would be happy to provide you with a customized quote for ISO 27701 certification.