May 19, 2020

Last Updated on January 13, 2024

ISO 27701 – A Roadmap

On August 6, 2019, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) released ISO/IEC 27701 (ISO 27701), a privacy extension to ISO/IEC 27001 and ISO/IEC 27002, which is designed to help organizations protect and control the personal information they handle or control. 
While ISO 27001 forms the foundation, ISO 27701 builds on that foundation to provide a comprehensive set of controls for information security and the protection of personal information.
The first certifiable extension to ISO 27001, 27701 also includes an entire privacy management system, as well as many privacy controls for a controller and or processor, which we will explore in further detail down the road. 
For now, I’ll share some of the key takeaways from our conversation with Debbie Zaller, principal and co-owner at Schellman & Company.
The main point is, ISO 27701 can greatly reduce the complexity of managing privacy risk and proving compliance with regulations like CCPA, GDPR.
If you are looking for a comprehensive and effective way to manage both security and privacy concerns all in one management system, ISO 27001 + ISO 27701 is the standard for you. 

The Glue Holding ISO 27001 and ISO 27701 Together is Scope

The scope of your ISMS under 27001 will determine the scope of your 27701 extended certification.
This is why we are advising clients who are looking into 27001 certification to do 27701 at the same time. It’s easier to select a scope that you know fits both standards rather than expand your 27001 scope to fit what you need to cover in 27701.
This is what makes your ISPMS (Information Security & Privacy Management System) so valuable. With one scope and one management system you can effectively prove compliance with any security AND privacy regulation… and stay that way forever!

Let’s Wrap Up Over a Goose Island Bourbon Barrel Stout, Shall We? 

So, what are the advantages of 27701? 

“I would say one advantage is that this is one of the few privacy certifications that we have that’s worldwide. There really aren’t that many privacy certifications that we have to date. A lot of them are jurisdiction-specific. So, the main advantage is that it highlights an organization’s privacy program to very strenuous and detailed controls that you normally wouldn’t find anywhere else,” says Debbie.


Managing two disparate programs in a single construct is a real advantage. Pretty sure businesses enjoy the efficiency of the proverbial, “two birds with one stone”.
That said, not to be glossed over is the idea that you’ve got demonstrable proof of your security and privacy. This can not be underappreciated. Proving you are secure is already a “must do” for many organizations and is quickly becoming a “must do” for most organizations. This system allows you to have an engine that keeps your security and privacy needs running smoothly.

This post is based on The Virtual CISO podcast hosted by John Verry and featuring special guest, Debbie Zaller.  
To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here.
If you don’t use Apple Podcasts, you can find all our episodes here.