ISO/IEC 27701 · Organisations processing personal data, especially under UK GDPR

Privacy Information certification

Privacy information management systems (PIMS)

An extension standard

ISO/IEC 27701 is certified only as an extension of an existing certification (usually ISO 27001). You cannot certify it on its own, which keeps its incremental cost relatively low — see the cost calculator.

What is ISO/IEC 27701?

ISO/IEC 27701 is a privacy extension to ISO 27001 and ISO 27002. It specifies requirements and guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS).

Published in 2019, it builds on an existing ISO 27001 ISMS, adding privacy-specific controls for organisations acting as personal-data controllers and/or processors. It cannot be certified on its own — an organisation must hold or pursue ISO 27001 at the same time.

For UK organisations it is a structured way to demonstrate accountability under UK GDPR and to give customers and partners assurance over privacy practices.

How to get ISO/IEC 27701 certified

  1. Establish or hold an ISO 27001 ISMS as the foundation (mandatory prerequisite).
  2. Determine your role(s) as controller and/or processor.
  3. Extend your risk assessment and controls to cover privacy and PII.
  4. Operate the PIMS and gather privacy-governance evidence.
  5. Run internal audits and management review.
  6. Certify ISO 27701 together with ISO 27001 and maintain both on the same surveillance and re-certification cycle.

Choosing a certification body

For a certificate to carry weight, choose a body accredited by UKAS, the UK's national accreditation body. Accredited certification is recognised by customers and procurement teams; unaccredited certificates often are not. Get quotes from at least three bodies, as fees vary.

How much does ISO/IEC 27701 certification cost?

There is no single price — total cost depends on your organisation's size, how much you already have in place, the number of sites, and whether you use a consultant. Broadly, the cost splits into three parts: implementation (building the system), the certification audit (paid to the certification body), and ongoing costs (annual surveillance and a three-yearly re-certification).

  • ISO/IEC 27701 is always an extension audit on top of ISO 27001, so its incremental cost is modest where an ISO 27001 certification already exists.
  • It cannot be certified independently, so budget for ISO 27001 first.
  • Data-mapping and records of processing are the main internal effort.

To get a tailored figure for your organisation, use our free calculator:

Open the ISO/IEC 27701 cost calculator →

Official & useful resources