Privacy Information Management System (PIMS)

ISO/IEC 27701 extends an information security management system according to ISO/IEC 27001 and ISO/IEC 27002 (Information Security Controls) with privacy criteria. The international standard ISO 27701 provides guidelines for the protection of privacy and the handling of personal data. It helps to demonstrate compliance with data protection regulations worldwide.

Regulatory compliance

Convince regulators of your data protection concept

Higher understanding of overall contexts through process orientation

Normative basis for a Privacy Information Management System (PIMS)

Description of the standard/regulatory framework

What is privacy management according to ISO 27701?

In contrast to ISO 27001, the management standard for a privacy management system no longer speaks only of "information security", but of "information security and privacy". In addition, it contains supplementary content that goes beyond information security alone.

For example, when considering the context of the organization, relevant data protection laws and court decisions must be taken into account, among other things. Likewise, the risk assessment must take into account criteria relating to the processing of personal data.

ISO 27701 can only be certified in conjunction with an information security management system in accordance with ISO 27001. Articles 5 and 32 of the European General Data Protection Regulation (GDPR) set out requirements, compliance with which can be demonstrated by implementing a data protection management system in accordance with the ISO 27701 standard.

Data protection can thus be certified to a certain extent, and possible fines following data protection incidents can be avoided or reduced.


Will my company meet the requirements of the European GDPR if I implement the standard?

No, by implementing the requirements of ISO 27701, only the requirements for a management system are implemented, but not those of the European General Data Protection Regulation (GDPR). This is not required by the international standard. However, it is possible to transfer the GDPR requirements into the requirements management of ISO/IEC 27701.

In this way, ISO 27701 can also be used to integrate and fulfill the requirements of the European GDPR for the protection of personal data in the management system. The annex to ISO 27701 provides valuable assistance in this regard, as it contains a detailed table of measures to be taken in relation to the requirements of the GDPR.

How it works

How can the implementation of the European GDPR in the company be proven?

As the person responsible for data protection in the company, you are subject to the obligation to provide evidence. A data protection management system in accordance with ISO 27701 is a secure and stable basis for this. In the event of a data protection incident, possible penalties imposed by the regulators can be avoided or at least reduced.

According to Article 83 (paragraph 2 letter d) of the GDPR, the extent to which the company actively and in a structured manner deals with data protection also plays a role in the assessment of fines.

Once you have implemented a management system in accordance with ISO 27701, you can then be certified by DQS. In that case, you will have objective proof that data protection is of high importance to you and that you operate a functioning data protection management system.

With a certificate according to ISO 27701, which requires certification according to ISO 27001 (Information Security Management), you have created a solid basis for the integration of the European GDPR's requirements. In some places, the GDPR requires measures that de facto presuppose a management system.


How does ISO 27701 certification work?

In the first step, you discuss your company, your management system and the goals of an ISO/IEC 27701 certification with us. On this basis, you will promptly receive a detailed and transparent offer, tailored to your individual needs.

Especially for larger certification projects, a planning meeting is a valuable opportunity to get to know your auditor, as well as to develop an individual audit program for all involved areas and locations. A pre-audit also offers the opportunity to identify potential for improvement as well as strengths of your management system in advance. Both services are optional.

The certification audit starts with a system analysis (audit stage 1) and the evaluation of your documentation, objectives, the results of your management review and internal audits. In this process, we determine whether your management system is sufficiently developed and ready for certification.

In the next step (system audit stage 2), your auditor assesses the effectiveness of all management processes on site. In a final meeting, you will receive a detailed presentation of the results from your auditor and indications of potential improvements for your company. If necessary, action plans are agreed upon.

On the basis of the system audit, an evaluation of your management system takes place, which results in a report. If your company has fulfilled all standard requirements, you will receive the ISO 27701 certificate.

To ensure that your company continues to meet all the important requirements of ISO 27701 after the certification audit, we conduct surveillance audits on an annual basis. This provides competent support for the continuous improvement of your data protection management system and your business processes.

The certificate is valid for a maximum of three years. Recertification is carried out in good time before the certificate expires to ensure ongoing compliance with the applicable standard requirements. Upon compliance, a new certificate is issued.


What does ISO 27701 certification cost?

Since every company has different prerequisites and individual requirements for a management system, the costs for the audit and certification according to ISO 27701 cannot be given as a lump sum. Please contact us: We will make you a customized offer based on an objective assessment and your requirements.


What you can expect from us

  • More than 35 years of experience in the certification of management systems and processes
  • Industry-experienced auditors from the worldwide DQS network
  • Value-added insights into data protection in your company
  • Certificates with international acceptance
  • Personal, smooth support from our specialists - regionally, nationally and internationally
  • Individual offers with flexible contract terms without hidden costs
  • Meaningful audit reports including recommendations for action

Your local contact person

We would be happy to provide you with a customized offer for ISO 27701 certification.