Privacy management, certifiable

Build a Privacy Information Management System

ISO 27701 extends your ISO 27001 ISMS into a certifiable Privacy Information Management System. PII controller vs. processor controls, GDPR Article mapping, and one workspace for security + privacy.

What is ISO 27701?

ISO/IEC 27701:2019 is an extension to ISO/IEC 27001 and ISO/IEC 27002 that adds privacy-specific requirements and guidance to create a certifiable Privacy Information Management System (PIMS). Published in 2019, it was the first international standard for privacy information management that organizations could be certified against.

The standard extends the ISMS requirements (ISO 27001 clauses 4–10) and the ISO 27002 control guidance with privacy considerations, and adds two normative control sets: Annex A for organizations acting as PII controllers and Annex B for organizations acting as PII processors. Crucially, the 2019 edition is not standalone: a 27701 certificate is issued only as an extension of an ISO 27001 certificate, so you can only certify to 27701 if you also hold or are pursuing ISO 27001.

Who pursues ISO 27701

Organizations that want a recognized, certifiable demonstration of privacy management, especially those processing personal data of individuals in the EU/EEA, but increasingly also those subject to CCPA, LGPD, and similar regimes. SaaS companies acting as data processors for their customers frequently pursue 27701 alongside SOC 2 and 27001 as a comprehensive trust posture.

How episki helps

A PIMS is most efficient when it builds on an existing ISMS. episki keeps your 27001 controls and your 27701 privacy clauses in the same workspace, with the applicable Annex A or Annex B controls flagged according to your controller or processor role for each processing activity, since an organization can hold different roles for different activities.

ISO 27701 outcomes with episki

Quantify the impact security and compliance brings to your business.
PII controller
Annex A privacy controls for organizations acting as PII controllers.
PII processor
Annex B privacy controls for organizations acting as PII processors.
GDPR mapped
Each ISO 27701 clause cross-walked to relevant GDPR Articles for evidence reuse.

Why teams choose episki for ISO 27701

Framework-specific automation, collaboration, and reporting in one workspace.
Extends your ISO 27001 ISMS
ISO 27701 is not a parallel, standalone standard; it builds on your existing ISMS controls.
  • 27001 controls flagged with privacy applicability
  • 27701 clauses traceable to existing evidence
  • Single audit covering both 27001 and 27701
Controller and processor controls
Annex A and Annex B controls scoped based on how you process PII for each activity.
  • Annex A: controller-only controls
  • Annex B: processor-only controls
  • Shared controls for organizations that hold both roles
Mapped to GDPR, CCPA, and beyond
Cross-walks built in so your 27701 work feeds your other privacy program reporting.
  • GDPR Article-level mapping
  • CCPA / CPRA mapping
  • LGPD, PIPEDA, and emerging laws

ISO 27701 readiness inside episki

Build the PIMS without rebuilding the ISMS.

Plug episki into your stack and work directly from this checklist during the free trial.

  • PIMS scope definition (PII processing activities)
  • Controller / processor role determination per activity
  • Annex A and Annex B applicable-controls list
  • Records of Processing Activities (ROPA) integrated with controls
  • Data subject rights request (DSAR) workflow
  • Privacy training and awareness program

ISO 27701 accelerators

PIMS program accelerators

Add a privacy layer to your ISMS without reinventing the wheel.
Role mapper
Determine controller, processor, or joint controller per processing activity.
Annex A / B selector
Pick the right control set based on your role determinations.
GDPR Article crosswalk
See which ISO 27701 clauses and controls map to which GDPR Articles. The crosswalk lets you reuse evidence across programs; it does not by itself establish GDPR compliance, which still has to be assessed against the regulation.

Build a certifiable PIMS in episki

Extend your existing 27001 program into 27701 in the same workspace.