ISO/IEC 27701:2025 — 101 for UK businesses

The short version

ISO/IEC 27701 is the international standard for managing personal data specifically — the auditable answer to GDPR's question "how do you prove you protect privacy?". The 2025 revision made it a stand-alone standard you can certify against independently. If GDPR is the law that says you must protect personal data, 27701 is the framework that lets an external auditor verify you actually do.

What is ISO 27701?

ISO/IEC 27701 is a privacy management standard published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The full title is Information security, cybersecurity and privacy protection — Privacy information management systems — Requirements and guidance. Most people shorten it to "ISO 27701" or "27701".

If you've already read our ISO 27001 explainer, think of 27701 as the privacy-specific counterpart. Where 27001 covers information security generally — protecting any kind of confidential data — 27701 zeroes in on personally identifiable information (PII). Where 27001 helps you evidence the security side of GDPR, 27701 helps you evidence the privacy side.

The standard tells you how to run a Privacy Information Management System (PIMS). It has the same shape as an Information Security Management System, but with privacy controls and obligations layered on top.

The 2025 revision — what changed

ISO/IEC 27701:2025 was published in October 2025, replacing the 2019 edition. The single biggest change: the standard is now stand-alone. The 2019 version was framed as an "extension" to ISO/IEC 27001 — you had to implement 27001 first and then layer 27701 on top. The 2025 revision restructured the standard so it can be implemented and certified entirely on its own, without 27001 as a prerequisite.

Why this matters in practice:

  • Smaller organisations that want to focus on privacy without taking on the full weight of an infosec management system can now pursue 27701 directly
  • Privacy teams in larger organisations can own their own PIMS without dragging IT through a 27001 programme
  • Procurement can ask for 27701 specifically when the privacy posture is what they care about, without the implicit requirement that you also hold 27001

The Annex A controls were also restructured to align with the 2022 revision of ISO/IEC 27002 (the controls catalogue that 27001 references). And a new companion standard, ISO/IEC 27706:2025, was published to govern how certifying bodies audit 27701 specifically.

If you see "ISO 27701:2019" referenced anywhere — in a vendor's marketing, in a tender document, in a consultant's pitch — they're talking about the old edition. Ask for confirmation that they've updated to the 2025 revision.

Who needs ISO 27701?

Two main groups:

  1. Organisations that process personal data and want to prove it to customers. If you're a UK business handling EU customers' data, or selling B2B into regulated sectors (legal, healthcare, financial advice), procurement will increasingly ask for either 27701 or evidence of equivalent privacy management. Holding the certificate shortcuts a lot of due-diligence conversations.
  2. Organisations that already hold 27001 and want to demonstrate their privacy posture distinctly. 27001 demonstrates information security generally; 27701 demonstrates privacy management specifically. Some customers care about both, some care about only one.

If you're a small UK business not yet selling into regulated sectors and not yet asked for any specific certification, you probably don't need 27701 today — but alignment with the standard is a sensible discipline that costs little and pays off the moment a customer asks. Trinito's own posture is "aligned with the controls today, certification targeted Q4 2027" — see our Statement of Applicability on request for the worked example.

How does ISO 27701 relate to GDPR?

The two are complementary. GDPR is a legal regime — UK law that requires organisations to handle personal data in certain ways and gives the ICO power to fine you if you don't. ISO 27701 is a management framework — an internationally recognised method for organising your privacy practices in a way that's auditable.

Put simply:

| | Asks | Tells you |
|---|---|---|
| GDPR | Are you legally compliant? | What the law requires |
| ISO 27701 | Can you evidence it? | How to run a privacy management system that produces the evidence |

GDPR Article 25 is a particularly clean example. The Article requires "data protection by design and by default" — but the law doesn't tell you what evidence satisfies it. ISO 27701's controls (specifically Annex A.7.4.5 PII minimisation and A.7.4.7 PII de-identification) are the recognised auditable form of that abstract obligation. When an auditor asks how you implement Article 25, you point at your 27701 controls and the evidence behind them.

This is exactly the relationship Trinito's compliance automation page is built on.

Inside the standard — clauses, Annex A, Annex B

ISO/IEC 27701:2025 has the same structural shape as 27001. Clauses 4-10 describe the management system: context, leadership, planning, support, operation, performance evaluation, improvement. This is the "how do you run a PIMS" half of the standard, and most of it is policy, governance, and process work.

Then come two annexes of controls — the "what specifically must your PIMS do" half:

| Annex | Applies to | Examples |
|---|---|---|
| Annex A | PII controllers (organisations that decide why personal data is processed) | Identify lawful basis; document purpose; honour subject rights; minimise PII; de-identify when possible; record transfers |
| Annex B | PII processors (organisations that handle personal data on a controller's behalf) | Process only for documented purposes; notify the controller of breaches; manage subcontractors; transmission controls; secure return or disposal |

Most organisations are controllers for their own customer and employee data and processors for any data their own customers ask them to handle. So both annexes typically apply, to different bits of your operation.

A few specific controls worth knowing about because they show up often in audits:

  • A.7.4.5 — PII minimisation. Process only the personal data necessary for the specified purpose. This is the control behind the principle of "if you don't need it, don't collect it"
  • A.7.4.7 — PII de-identification and deletion. Apply de-identification when PII can be removed without compromising purpose. This is the control redaction tools (like ours) directly implement
  • A.7.5.3 — Records of PII transfers. Maintain records of every transfer of personal data, including to processors
  • B.10.3 — PII transmission controls. Implement appropriate controls on the transmission of personal data to third parties. This is the control that's almost impossible to evidence if your staff use ChatGPT/Claude/Copilot without thought

What does implementation look like?

A typical 27701 programme for a small UK business runs in three phases:

| Phase | Time | What happens |
|---|---|---|
| 1 — Set up the management system | 1-3 months | Privacy policy, roles, training plan, risk assessment, scope definition, Statement of Applicability |
| 2 — Implement the controls | 3-6 months | Technical privacy controls (minimisation, de-identification, transmission controls, records); operational privacy practices (subject rights handling, breach response, sub-processor management) |
| 3 — Evidence and audit | 3-6 months | Internal audit, gap remediation, external certification audit |

Total time from standing start to certification: 6-12 months for a small organisation. Total cost including consultancy, tooling, and audit fees: £15,000-£40,000 in the first year, with maintenance audits at perhaps £4,000-£8,000 per year afterwards.

If 27001 is already in place, much of phase 1 is reused and phase 2 is roughly halved in scope. Some organisations target both certifications in adjacent windows for this reason.

The role of automation

A meaningful share of phase 2 — the implementation phase — is technical work that historically had to be built or bought separately:

  • PII minimisation at the moment of processing requires runtime detection and redaction
  • Records of processing transfers require a logging system that captures every disclosure
  • Transmission controls to third parties require something that sits between your users and external services
  • Subject rights support requires data inventory and erasure tooling
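
To make the first three bullets concrete, here is an added illustration of what such a technical control looks like in code. It is not Trinito's appliance code and not taken from the standard; the detection patterns, the record fields and the `sender` callback are all assumptions. A single gateway function sits between the user and the external service, redacts detected PII before anything leaves, and writes a record of each disclosure (recipient, purpose, categories of PII found, hash of what was actually sent) without storing the personal data itself.

```python
"""Outbound transmission control for text sent to a third-party service.

Added illustration of three technical privacy controls: runtime PII detection
and redaction, a record of every disclosure, and a chokepoint between users
and external services. Not Trinito's appliance code; the patterns, field
names and the ``sender`` callback are all assumptions.
"""
import hashlib
import json
import re
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

# Constructed, deliberately narrow detectors. A production detector covers far
# more categories (names, postal addresses, card numbers, ...) and is tuned for
# recall; these three are enough to show the mechanism.
PII_PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    # UK mobile numbers, national (07...) or international (+44 7...) form
    "uk_phone": re.compile(r"(?:\+44\s?7\d{3}|\b07\d{3})\s?\d{6}\b"),
    # National Insurance number: two letters, six digits, one suffix letter
    "ni_number": re.compile(r"\b[A-Z]{2}\s?\d{2}\s?\d{2}\s?\d{2}\s?[A-D]\b"),
}


@dataclass
class TransferRecord:
    """One entry in the records-of-transfers log (what, to whom, why, when)."""
    timestamp: str
    recipient: str
    purpose: str
    pii_categories: dict   # category -> number of values redacted before sending
    payload_sha256: str    # hash of the text actually sent, for reconciliation


def redact(text):
    """Replace each detected PII value with a category token.

    Returns the redacted text and a count per category, so the record says
    what kinds of PII were present without storing the values themselves.
    """
    counts = {}
    for category, pattern in PII_PATTERNS.items():
        text, n = pattern.subn(f"[{category.upper()}]", text)
        if n:
            counts[category] = n
    return text, counts


def payload_hash(text):
    """Hash of the outbound payload, kept in the record instead of the text."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


class TransmissionGateway:
    """Chokepoint every outbound request passes through.

    ``sender`` is a hypothetical callback that performs the real call to the
    third party (an LLM API, a SaaS vendor); the gateway only ever hands it
    the redacted text.
    """

    def __init__(self, sender):
        self.sender = sender
        self.records = []   # in practice an append-only, tamper-evident store

    def send(self, text, recipient, purpose):
        redacted, counts = redact(text)
        record = TransferRecord(
            timestamp=datetime.now(timezone.utc).isoformat(),
            recipient=recipient,
            purpose=purpose,
            pii_categories=counts,
            payload_sha256=payload_hash(redacted),
        )
        self.records.append(record)   # record first, so a failed send is still logged
        self.sender(recipient, redacted)
        return redacted, record

    def records_jsonl(self):
        """Export the transfer log as JSON Lines for an auditor or a SIEM."""
        return "\n".join(json.dumps(asdict(r)) for r in self.records)


# Constructed sample: a prompt a member of staff might paste into a chatbot.
SAMPLE_PROMPT = (
    "Summarise this complaint: Jane Doe (jane.doe@example.com, 07700 900123, "
    "NI QQ 12 34 56 A) says her invoice was duplicated."
)

if __name__ == "__main__":
    gateway = TransmissionGateway(sender=lambda recipient, text: None)
    redacted, record = gateway.send(SAMPLE_PROMPT, "llm-provider.example", "complaint triage")
    print(redacted)
    print(gateway.records_jsonl())
```

The design choice worth noting is that the record holds counts per category and a hash of the redacted payload, not the original text: the log evidences that a transfer happened and what kinds of PII were stripped, while itself staying free of personal data. Recording before sending means a transfer that fails half-way is still visible to an auditor.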

This is the gap compliance automation tools fill. The recognised regtech category (Drata, Vanta, Secureframe and others have built it out for SaaS-shaped problems) brings the implementation phase from 3-6 months down to weeks for the technical-control side, leaving you with the management-system work (which is genuinely organisational and can't be automated).

Trinito's specific contribution: we automate the technical privacy controls for businesses that use AI / LLMs. The runtime detection, the audit trail, the transmission controls and the records of processing all run from minute one when you plug the appliance in. See compliance automation for the control-by-control mapping.

The rest — the management system, the policies, the training, the role assignments — stays your responsibility. There is no product that can substitute for those, and any vendor claiming "compliance in a box" is overclaiming.

Should you certify?

For most UK SMBs in 2026, the realistic answer is aligned now, certify when business reasons demand it. Alignment costs you the time to read the standard, document your controls, and operate against them. Certification adds an external audit, a certificate, ongoing surveillance audits, and meaningful annual cost. Certify when:

  • A specific customer or regulator requires it
  • You're selling into a regulated sector where it's table stakes
  • You've reached a scale where the certificate accelerates sales conversations enough to pay for itself

Until one of those triggers, the alignment posture — with a published Statement of Applicability on request that maps your controls to the standard — gives you most of the procurement-conversation value without the audit cost.

Further reading

| Resource | What it covers |
|---|---|
| ISO official page for 27701:2025 | The standard itself |
| BSI key changes guide for the 2025 revision | Plain-English summary of what's different from the 2019 edition |
| Our GDPR explainer | The legal regime 27701 helps you evidence |
| Our ISO 27001 explainer | The parent standard, still useful context even though 27701 is now stand-alone |
| Statement of Applicability on request | Worked example of an SoA — the document a 27701 auditor will spend most time reviewing |

The one-sentence summary

ISO/IEC 27701:2025 is the auditable framework for managing personal data — the privacy-specific framework that lets you evidence what GDPR requires you to do, now stand-alone since the 2025 revision and increasingly the certification UK procurement officers ask for first.
