
ISO 27701

ISO/IEC 27701 — Privacy Information Management System

The privacy extension to ISO 27001 — mapping to PIPEDA and GDPR

Overview

ISO 27701 extends ISO 27001 with privacy-specific controls to create a Privacy Information Management System (PIMS). It maps directly to GDPR, PIPEDA, and other privacy frameworks — providing a single certification that satisfies multiple regulatory requirements. For Canadian businesses with European customers, ISO 27701 is increasingly expected.

Authority: International Organization for Standardization (ISO)
Jurisdiction: International (applies globally)
Effective date: ISO 27701:2019
Applicability

Who must comply with ISO 27701?

Any organization that has already implemented ISO 27001 and processes significant volumes of personal information. It's particularly relevant for SaaS companies, healthcare technology providers, HR platforms, and financial services handling EU or Canadian personal data.

Compliance scope
Your organization collects personal information
You operate in the applicable jurisdiction
Commercial activities are involved
You use or disclose personal data


Requirements

Key obligations under ISO 27701

PII Processor Obligations

Document your role as a PII processor vs. controller for every data flow. Map processor-controller relationships contractually.

Privacy Risk Assessment

Conduct privacy impact assessments for high-risk processing activities using the ISO 27701 PIMS risk framework.

Consent Records Management

Maintain structured records of all PII subject consents including purpose, date, method, and withdrawal status.

PII Transfer Controls

Implement controls for cross-border PII transfers including contractual safeguards and impact assessments.

Individual Rights Response

Define and operationalize processes for access, correction, portability, erasure, and objection requests.

Privacy by Design

Embed privacy considerations into system design, procurement, and product development from the outset.

Enforcement

Penalties & enforcement

Maximum penalty: No regulatory penalties — but loss of certification can trigger contract and regulatory consequences
Enforced by: Accredited certification bodies
How Canuckt keeps you penalty-free:
ISO 27701-PIPEDA control crosswalk showing which privacy controls satisfy both frameworks simultaneously
PIMS scope definition and PII asset inventory builder for ISO 27701 certification preparation
Privacy by design checklist aligned with ISO 27701 Annex controls and Canadian OPC guidance
Consent records management module that meets both ISO 27701 and PIPEDA/Law 25 consent obligations

Run a free ISO 27701 gap assessment

Answer 47 questions, get a scored gap report, and see exactly what you need to do to comply with ISO 27701 — in under 3 hours. Free forever.
