ISO 27701 certification: Certified data protection management in accordance with ISO 27701


ISO 27701: Extending ISO 27001 to include data protection

Wherever (personal) data flows in a corporate context, data protection is of crucial importance. This is due not only to stricter legal requirements but also to a growing threat landscape.

With ISO 27701 certification, you can add relevant data protection-specific requirements to your existing information security management system (ISMS) in accordance with ISO 27001. The international standard ISO 27701 can also serve as a systematic basis for successfully integrating the requirements of the GDPR into data protection management.
 

Successful data protection management

With ISO 27701, you can add important privacy requirements to your existing information security management system (ISMS).

Personal data protected in the best possible way

As part of ISO 27701 certification, you take effective measures to protect privacy and handle personal data.

Good integration into an existing ISMS

As ISO 27701 follows the so-called High-Level Structure (HLS), it can be easily integrated into an existing (certified) ISMS in accordance with ISO 27001.

What is ISO 27701?

ISO 27701 is an extension to ISO 27001 on the topic of data protection. It contains requirements and guidelines for the protection of privacy and the handling of personal data.

In this way, ISO 27701, building on ISO 27001, forms a framework for a privacy information management system (PIMS) that covers both the security of information and the protection of personal data during processing.

ISO 27701 is not a direct GDPR certification, but can be used as a basis for integrating the GDPR requirements into the management system.

 

Benefits of ISO 27701 certification

Independent proof of privacy
With ISO 27701 certification, you can objectively prove that you meet specific data protection requirements.

Increased trust among customers
ISO 27701 certification shows that data protection is a top priority for you.

Regulatory compliance
Demonstrate that you have appropriate technical and organisational data protection measures in place.

Protection against financial & reputational damage
By identifying risks at an early stage, you prevent data protection breaches and the damage that results from them.

Successfully mitigate risk
Reduce data protection risks by systematically identifying potential data protection gaps.

Improved internal processes
As part of ISO 27701 certification, clear roles & responsibilities are defined within the company.

Raising employee awareness
Certification goes hand in hand with raising your employees' awareness of data protection.

Internationally recognized
With ISO 27701 certification, you meet internationally recognized data protection requirements.

CERTIFICATION STANDARDS COMPARED

ISO 27701 vs. Art. 42 GDPR vs. ISO 27001

ISO 27701

- Describes a data protection management system that can be certified
- Adds data protection aspects to ISO/IEC 27001 & ISO/IEC 27002
- Compliance with ISO 27701 always requires compliance with the requirements of ISO 27001
- Does not constitute certification within the meaning of Art. 42 GDPR

Art. 42 GDPR

- Paragraph 1: “[…] data protection certification mechanisms […], for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors.”
- Consequently, no certification for:
  - products
  - companies
  - persons
  - management systems
- Statements on data protection compliance

ISO 27001

- Forms the necessary precondition for certification according to ISO 27701
- The standard's focus is on information security
- Broader scope of application with more comprehensive requirements than ISO 27701

ISO 27701 certification process

1. Initial meeting & scope determination

During an initial appointment, we determine the scope of the certification together with you.

2. Pre-audit (optional)

Through a pre-audit, we determine your current certification readiness (fulfillment of requirements, detection of non-conformities & ambiguities).

3. Certification audit (stage 1)

The stage 1 audit includes the document review, the site assessment and the determination of readiness for the stage 2 audit.

4. Certification audit (stage 2)

In the stage 2 audit, we take a closer look at the effectiveness of your measures and their conformity with the standard, and check the existing documents in more detail.

5. Successful certification

If the requirements are met, the certificate is issued by our certification partner TÜV NORD Nederland.

6. Surveillance audit

A surveillance audit must be carried out in the first and second year after successful certification in order to maintain certification.

7. Re-certification

Re-certification takes place every 3 years after certification in order to extend the validity of the certificate.

Frequently Asked Questions (FAQ):

Who does ISO 27701 address?

In principle, ISO 27701 is aimed at any organization that processes personal data, regardless of its size and type.

However, the international standard is particularly relevant for organizations that:

  • want to minimize the risk of data breaches and their consequences (for example, heavy fines and reputational damage),
  • pursue a risk-based approach to the processing of personal data, or
  • operate an ISMS and wish to extend it in their role as a controller and/or processor.

Is ISO 27701 certification equivalent to GDPR compliance?

ISO 27701 certification is not a direct certification in accordance with Art. 42 GDPR. However, it can be seen as a systematic framework for successfully integrating the requirements of the GDPR into the existing management system.

What is the validity of ISO 27701 certification?

The ISO 27701 certificate is valid for a maximum of 3 years.

A surveillance audit must be carried out in the first and second year after successful certification. After 3 years, a recertification audit is carried out to check whether the requirements for renewing the certificate are still met.

What does an ISO 27701 certification cost?

As every company is different and the requirements placed on its management system vary, the cost of ISO 27701 certification cannot be stated in general terms.

Essentially, the number of audit days required for the two certification audits is decisive. While smaller and medium-sized companies generally require fewer days, larger companies and groups should plan for more time and budget accordingly.

We would be happy to provide you with an individual quote.

What are the requirements for an ISO 27701 certification?

As ISO 27701 is an extension of ISO 27001 to include data protection, it can only be certified together with ISO 27001.

The necessary precondition for ISO 27701 certification is therefore an existing ISMS that meets the requirements of ISO 27001 or is already certified in accordance with it.

How does an ISO 27701 audit work?

Do you already have an ISO 27001 certificate?
In this case, your data protection management system will be audited separately in accordance with ISO 27701. The validity period of the resulting certificate then matches that of your ISO 27001 certificate.

Is your ISO 27001 certificate expiring?
In this case, it makes sense to synchronize the audits for ISO 27001 and ISO 27701.

Are you aiming for joint certification according to ISO 27001 & ISO 27701?
If you start with ISO 27001 and ISO 27701 at the same time, the audits for the two standards will be synchronized.

Why we are a strong partner for you

Independence

Our employees are not subject to any conflicts of interest, as they have no ties to product suppliers, system integrators, stakeholders, interest groups or government agencies.

Expertise

Our IT security experts are certified by the German Federal Office for Information Security (BSI) as Audit Team Leaders for ISO 27001 on the basis of “BSI IT-Grundschutz” or as IS auditors, respectively.

International network of experts

Around the globe: we support you both nationally and internationally. Our global network of experts is ready to assist you with all IT security matters.

Industry experience

Thanks to many years of experience in different branches of industry, we can serve companies from a wide range of sectors.

Tailor-made for you

We focus on individual services and solutions that optimally fit your current company situation and the goals you have set.

 

Do you have questions? We are happy to help!

  

Samantha Murmann

Product Manager Data Protection & E-Health 

+49 201 8999 699
s.murmann@tuvit.de

Tobias Mielke

Lead Expert Information Security & Privacy  

+49 201 8999 553
t.mielke@tuvit.de