If you have been asked for privacy certification, the old answer used to be frustrating: first build or certify an ISO/IEC 27001 Information Security Management System, then add ISO/IEC 27701 on top. That made “ISO 27701:2025 without ISO 27001” one of the most important practical questions for privacy, compliance, SaaS, healthcare, HR, and data-processing businesses in 2026.

The 2025 revision changes the buying decision. ISO/IEC 27701 is no longer just a privacy extension bolted onto an ISMS. It is now a standalone Privacy Information Management System standard, which means some organizations can pursue privacy certification without running a full ISO 27001 project first.

Quick Answer

Yes, ISO 27701:2025 can now be implemented as a standalone Privacy Information Management System without ISO 27001 certification as a prerequisite. That means an organization can focus directly on privacy governance, PII processing, controller and processor responsibilities, privacy risk, data subject rights, and evidence of continual improvement.

However, “standalone” does not mean “no security controls.” ISO 27701:2025 still expects a structured management system, risk-based controls, documented information, internal audit, management review, and certification-body audit evidence. Before booking an audit, confirm that your certification body can audit ISO/IEC 27701:2025 as a standalone PIMS under the applicable accreditation scheme.

ISO 27701:2025 Without ISO 27001: What Changed?

The biggest change is structural. ISO/IEC 27701:2019 was designed as an extension to ISO/IEC 27001 and ISO/IEC 27002. In practice, that meant privacy certification was usually tied to an existing Information Security Management System.

ISO/IEC 27701:2025 is different. It is now positioned as a standalone management system standard for Privacy Information Management Systems, often shortened to PIMS. It follows the familiar ISO management system structure: Clause 4 context, Clause 5 leadership, Clause 6 planning, Clause 7 support, Clause 8 operation, Clause 9 performance evaluation, and Clause 10 improvement.

That matters because it gives privacy teams a direct certification route. If your main customer requirement is privacy governance rather than full information security certification, you may not need to start with ISO 27001:2022. You can build a PIMS around how your organization collects, uses, shares, stores, deletes, and protects personally identifiable information.

What does standalone PIMS mean in ISO 27701:2025?

A standalone PIMS means your privacy management system can have its own scope, governance, objectives, risk assessment, documented information, controls, internal audit, management review, and certification audit. It no longer has to be treated as an add-on to an ISMS.

This is especially useful for organizations where privacy is the main procurement concern. Examples include HR platforms, marketing technology providers, healthcare administrators, payroll processors, cloud software vendors, call centres, legal service providers, and any business processing personal data on behalf of customers.

The official ISO standards catalogue is still the right place to verify the current standard title and purchase the official text. For implementation, the key point is simple: build evidence that your privacy processes are controlled, measured, reviewed, and improved.

Pro tip: Do not describe ISO/IEC 27701:2025 as “GDPR certification.” It can support privacy-law compliance and accountability, but it does not replace legal advice, regulator obligations, contractual requirements, or local data protection law.

Does ISO 27701:2025 replace ISO 27001?

No. ISO/IEC 27701:2025 does not replace ISO/IEC 27001:2022. They answer different questions.

ISO 27001 asks: how does your organization protect information for confidentiality, integrity, and availability? ISO 27701 asks: how does your organization govern privacy and manage personally identifiable information responsibly?

There is overlap because privacy depends on security. You cannot credibly manage personal data if access control, incident response, supplier management, asset management, and risk treatment are weak. But the certification objective is different. ISO 27701 focuses specifically on privacy outcomes, controller and processor responsibilities, PII handling, privacy risk, legal basis, data subject rights, and accountability.

Can You Get ISO 27701 Certification Without ISO 27001?

In principle, yes. ISO/IEC 27701:2025 allows a standalone certification route, so an organization can pursue ISO 27701 certification without already holding ISO 27001 certification.

The practical answer still depends on your certification body, accreditation route, country, audit scope, and timing. Certification bodies such as BSI, Bureau Veritas, DNV, SGS, LRQA, Intertek, and TÜV organizations may offer ISO/IEC 27701 audits, but availability and accreditation status can vary by region.

Will certification bodies audit ISO 27701 separately?

Many certification bodies are preparing or already offering ISO/IEC 27701:2025 services, but you should check before building your project plan around a specific audit date. Ask whether they can provide accredited standalone ISO 27701:2025 certification, what transition rules they are applying, and whether your proposed scope is acceptable.

For new certification projects, this early conversation saves time. There is no benefit in writing a full PIMS around assumptions if the certification body later requires a different scope statement, audit duration, sampling approach, or evidence set.

What should you ask a certification body before booking the ISO 27701 audit?

Ask these questions before you commit budget:

  • Can you audit ISO/IEC 27701:2025 as a standalone PIMS without ISO 27001 certification?
  • Will the certificate be accredited, and by which accreditation body?
  • Do you require ISO 27001 certification for any part of your audit process?
  • How will you calculate audit duration for a standalone PIMS?
  • Will the audit include Stage 1 and Stage 2 certification audits?
  • What documented information do you expect before Stage 1?
  • How will you assess controller, processor, and subcontractor responsibilities?

Quick check: If your customer contract says “ISO 27701 certification linked to ISO 27001,” do not assume the 2025 change automatically satisfies it. Ask the customer whether standalone ISO/IEC 27701:2025 certification will meet their procurement requirement.

ISO 27701 vs ISO 27001: What Is the Practical Difference?

ISO 27701 and ISO 27001 work well together, but they are not interchangeable. A privacy manager should not use ISO 27001 as a substitute for privacy governance, and an information security manager should not assume ISO 27701 covers the full security management system.

| Question | ISO/IEC 27701:2025 | ISO/IEC 27001:2022 |
|---|---|---|
| Main purpose | Privacy Information Management System for PII processing and privacy accountability | Information Security Management System for protecting information assets |
| Primary focus | PII controllers, PII processors, privacy risk, data subject rights, privacy governance | Confidentiality, integrity, availability, information security risks, Annex A controls |
| Standalone certification route | Yes, under ISO/IEC 27701:2025 | Yes, ISO 27001 has always been a standalone ISMS certification standard |
| Best fit | Organizations needing formal evidence of privacy management | Organizations needing formal evidence of information security management |
| Typical audit evidence | Privacy notices, PII inventory, consent process, lawful basis, rights handling, processor controls | Risk assessment, Statement of Applicability, security controls, incident response, access control |
| Management system clauses | Clauses 4–10 for PIMS governance and continual improvement | Clauses 4–10 for ISMS governance and continual improvement |

How do ISO 27001 and ISO 27701 overlap?

The overlap is strongest around risk management, leadership, competence, documented information, internal audit, management review, corrective action, supplier control, incident handling, access control, and monitoring. These are management system disciplines, not just technical tasks.

If your organization already has an ISO 27001:2022 ISMS, ISO 27701 can be integrated efficiently. You can reuse governance routines, document control, risk methodology, audit programme, management review, and corrective action processes. If you do not have ISO 27001, you need to create those management system foundations inside the PIMS.

For organizations taking the security route first, the ISO 27001:2022 Documentation Toolkit can help build the ISMS foundation before integrating privacy requirements.

Which standard should a small business choose first?

Choose ISO 27701 first if your main commercial pressure is privacy assurance, personal data processing, GDPR-aligned accountability, or processor due diligence. Choose ISO 27001 first if customers are mainly asking about cybersecurity, SaaS security, infrastructure protection, access control, incident response, and enterprise security due diligence.

Some businesses need both. A SaaS platform handling sensitive customer data may gain more value from an integrated ISO 27001 and ISO 27701 approach than from choosing one standard in isolation.

Standalone PIMS Certification Steps for ISO 27701:2025

A standalone PIMS project should be treated like a real management system implementation, not a paperwork exercise. The fastest way to fail is to write policies that nobody follows.

How do you implement ISO 27701:2025 without an ISMS?

  1. Confirm the certification route: Speak to at least one certification body and confirm whether they can audit ISO/IEC 27701:2025 as a standalone PIMS for your organization type, location, and scope.
  2. Define the PIMS scope: Decide which services, departments, locations, systems, personal data types, and processing activities are covered. Keep the scope clear enough that an auditor can test it.
  3. Identify interested parties and privacy obligations: List customers, employees, regulators, data subjects, suppliers, subcontractors, and contractual privacy requirements that affect the PIMS.
  4. Map PII processing activities: Build an inventory of what PII you collect, why you collect it, where it is stored, who accesses it, who it is shared with, and how long it is retained.
  5. Assess privacy risks: Evaluate privacy risks linked to collection, consent, access, sharing, transfer, retention, deletion, breach notification, processor management, and individual rights.
  6. Select and implement privacy controls: Define controls for controller and processor responsibilities, notices, consent, rights requests, supplier due diligence, cross-border transfer, retention, and deletion.
  7. Create documented information: Prepare policies, procedures, registers, records, forms, review templates, and evidence logs that show the PIMS is operating.
  8. Train relevant personnel: Train privacy owners, HR, sales, marketing, customer support, IT, and operations teams on their PIMS responsibilities.
  9. Run an internal audit: Audit the PIMS against ISO/IEC 27701:2025 requirements before the certification body sees it. Record findings and corrective actions.
  10. Hold management review: Review PIMS performance, privacy risks, audit results, objectives, incidents, resources, and improvement actions before Stage 2.

Pro tip: Do not wait until the certification audit to test data subject rights handling. Auditors may ask for evidence that requests are logged, assessed, answered within legal timeframes, and closed with documented decisions.

How long does ISO 27701 standalone certification take?

For a small or mid-sized organization with mature privacy practices, a standalone ISO 27701 project may take 8–16 weeks of focused work. If you have no PII inventory, no supplier privacy process, no documented rights procedure, and no internal audit routine, plan for longer.

The certification audit usually follows the standard Stage 1 and Stage 2 pattern. Stage 1 checks readiness, scope, documented information, and whether the system is mature enough for Stage 2. Stage 2 tests implementation evidence, interviews process owners, samples records, and raises any nonconformities that must be corrected.

ISO 27701 Documentation Requirements for a Privacy Information Management System

Documentation is where many ISO 27701 projects slow down, not because privacy teams do not understand privacy, but because they underestimate how much audit evidence needs to be controlled, versioned, approved, and retrievable.

What documented information should a PIMS include?

A practical ISO/IEC 27701:2025 PIMS should include documented information covering:

  • PIMS scope and context of the organization
  • Interested parties and privacy obligations register
  • PII inventory or records of processing activities
  • Privacy policy and internal privacy governance procedure
  • Controller and processor responsibility matrix
  • Privacy risk assessment and risk treatment records
  • Data subject rights request procedure and log
  • Consent and lawful basis management procedure where applicable
  • Supplier, processor, and subcontractor privacy due diligence records
  • Retention and deletion procedure
  • Privacy incident and breach escalation process
  • Training and competence records
  • Internal audit programme, audit report, and corrective action log
  • Management review agenda, minutes, decisions, and action tracking

A ready-made ISO 27701 Toolkit can shorten the documentation stage by giving you structured policies, procedures, records, and templates instead of starting from a blank page.

What evidence will an ISO 27701 auditor expect?

An auditor will not only read your policies. They will ask whether your PIMS is operating. That means they will sample records and test whether your organization follows its own process.

Examples include completed privacy risk assessments, approved PII processing records, supplier reviews, data subject request logs, privacy incident records, training attendance, internal audit findings, corrective action evidence, and management review decisions.

Quick check: Pick one customer, one employee record, and one supplier. Can you show what PII is processed, why it is processed, where it is stored, who can access it, how long it is retained, and what happens when it must be deleted?

Common ISO 27701:2025 Mistakes When Skipping ISO 27001

Standalone certification reduces the dependency on ISO 27001, but it does not reduce the need for discipline. In some ways, it increases it, because you cannot rely on an existing ISMS to carry the management system structure.

What are the biggest ISO 27701 standalone implementation mistakes?

  • Confusing privacy compliance with privacy management: Legal compliance checks are useful, but ISO 27701 expects a management system with objectives, roles, risks, controls, audits, review, and improvement.
  • Leaving IT out of the PIMS: Privacy is not only an IT issue, but IT still controls many of the systems, access rights, backups, logs, integrations, and incident workflows that protect PII.
  • Ignoring processor and subcontractor chains: If third parties process PII for you, auditors will expect evidence that you identify, assess, approve, monitor, and control them.
  • Writing policies that do not match reality: A polished retention policy is useless if records are never deleted, archives are unmanaged, or system owners do not know the retention rules.
  • Skipping internal audit: Internal audit under Clause 9 is not optional. It is your opportunity to find gaps before the certification body does.
  • Treating management review as a formality: Management review should examine performance, risks, incidents, audit results, objectives, resources, and improvement opportunities.

Why do security controls still matter in ISO 27701:2025?

Even without ISO 27001 certification, your PIMS needs credible security support. Personal data cannot be private if it is poorly protected. Access control, encryption, backup, supplier security, incident management, system change control, and secure deletion may all be relevant depending on your scope.

The difference is that ISO 27701 assesses these controls through the lens of privacy risk and PII processing, not through a full ISMS certification scope. If your security practices are weak, a standalone PIMS audit can still produce major nonconformities.

When ISO 27001 Still Makes Sense Before ISO 27701 Certification

Standalone ISO 27701 certification is useful, but it is not automatically the best route for every organization. Some businesses should still implement ISO 27001 first or build both standards together.

When should you do ISO 27001 before ISO 27701?

Start with ISO 27001 if your customers are mainly asking for information security assurance, if your contracts require ISO 27001 specifically, or if your biggest risk is security failure rather than privacy governance failure. This is common for SaaS platforms, cloud service providers, managed service providers, fintech firms, and organizations handling sensitive customer systems.

ISO 27001 also makes sense first if your security controls are immature. Privacy management depends on security basics. If access rights are unmanaged, supplier security is informal, or incident response is untested, building an ISMS first may give your PIMS a stronger foundation.

When should you build ISO 27701 and ISO 27001 together?

Build both together when customers ask for security and privacy assurance, when your organization processes sensitive PII at scale, or when procurement questionnaires regularly ask for both data protection and information security evidence.

An integrated project can reduce duplication. You can share the same document control process, internal audit programme, management review, corrective action system, risk methodology, and improvement cycle. Browse the full ISO documentation toolkits collection if you are comparing documentation routes across multiple standards.

Pro tip: If your leadership team wants certification mainly to win enterprise contracts, review the exact wording in customer requirements before choosing the route. “ISO 27701 certified” and “ISO 27001 certified with ISO 27701 extension” may be treated differently by procurement teams.

Do you need a consultant for ISO 27701:2025?

You do not always need a consultant. A documentation toolkit can be enough if your team understands your processing activities, has time to customize templates properly, and can run a disciplined internal audit before certification.

A consultant is more useful when your scope is complex, you operate in several jurisdictions, you act as both controller and processor, you handle sensitive categories of data, or your customer deadline is tight. If you need hands-on support rather than templates, UCS ISO Certification Services can support implementation planning, gap analysis, and certification preparation.

Frequently Asked Questions

What is ISO 27701:2025 and what does it include?

ISO/IEC 27701:2025 is an international standard for establishing, implementing, maintaining, and continually improving a Privacy Information Management System. It includes requirements and guidance for managing personally identifiable information, including privacy governance, PII controller and processor responsibilities, privacy risk assessment, operational controls, internal audit, management review, and continual improvement.

Can you get ISO 27701:2025 certified without ISO 27001?

Yes, ISO/IEC 27701:2025 can be implemented as a standalone Privacy Information Management System without ISO 27001 certification as a prerequisite. You still need to confirm that your chosen certification body can provide the audit under the relevant accreditation arrangements. Standalone certification also still requires a complete management system, documented information, implemented controls, internal audit, and management review.

How long does ISO 27701:2025 certification take without ISO 27001?

For a small or mid-sized organization with mature privacy practices, ISO 27701:2025 certification preparation may take around 8–16 weeks. The timeline is longer if you need to build a PII inventory, privacy risk assessment, supplier privacy controls, rights request procedure, internal audit process, and management review from scratch. Certification body availability can also affect the final audit schedule.

What is the difference between ISO 27701:2025 and ISO 27001:2022?

ISO 27701:2025 focuses on privacy information management and personally identifiable information. ISO 27001:2022 focuses on information security management, including confidentiality, integrity, and availability of information assets. ISO 27701 is best suited to privacy governance and PII processing assurance, while ISO 27001 is best suited to broader information security assurance.

Do you need ISO 27001 controls for ISO 27701:2025 certification?

You do not need ISO 27001 certification as a prerequisite for ISO 27701:2025, but you still need appropriate security controls where they affect privacy risk. Auditors will expect personal data to be protected through suitable access control, supplier control, incident handling, retention, deletion, and operational safeguards based on your PIMS scope and risk assessment.

What documents are required for ISO 27701:2025 certification?

ISO 27701:2025 documentation usually includes a PIMS scope, privacy policy, PII inventory, interested parties register, privacy obligations register, controller and processor responsibility matrix, privacy risk assessment, risk treatment records, rights request procedure, supplier privacy controls, retention and deletion procedure, incident process, internal audit records, corrective action records, and management review minutes.

Can a small business use ISO 27701:2025 without a consultant?

Yes, a small business can implement ISO 27701:2025 without a consultant if it has enough internal knowledge, time, and discipline to customize the documentation and operate the PIMS properly. A toolkit can reduce the writing burden, but the business must still define its scope, map PII processing, assess privacy risks, implement controls, run internal audit, and prepare evidence for certification.

Next Steps

ISO 27701:2025 without ISO 27001 is now a realistic route for organizations that need privacy certification without building a full ISMS first. The opportunity is lower complexity, clearer privacy focus, and a direct route to demonstrating accountability for PII processing.

The risk is assuming standalone means lightweight. It does not. You still need a controlled Privacy Information Management System with scope, risks, controls, records, internal audit, management review, and evidence that your processes work.

Ready to reduce the documentation workload? Our ISO 27701 Toolkit gives you structured templates for building privacy management documentation faster, so your team can spend less time writing from scratch and more time preparing for audit evidence.