ISO 27001 vs ISO 27701: Key Differences and Similarities Explained

  • February 23, 2023

Emily Bonnie

Senior Content Marketing Manager at Secureframe


Cavan Leung

Senior Compliance Manager at Secureframe

The ISO 27000 series is one of the most well-known and highly respected sets of security standards. But it’s also highly comprehensive, with 46 individual standards in the ISO 27000 family. In this article, we’ll outline one of the most popular certifications, ISO 27001, as well as its companion standard ISO 27701. You’ll learn: 

  • The essentials of ISO 27001 and ISO 27701
  • Key similarities and differences between the two standards
  • How ISO 27701 relates to data privacy laws such as GDPR

What is ISO/IEC 27001?

The ISO 27001 security standard, created by the International Organization for Standardization, provides guidance on building, maintaining, and continuously improving an Information Security Management System (ISMS).

An ISMS helps companies prioritize information security across the entire organization. And because ISO 27001 places a heavy emphasis on continuous improvement, the standard ensures that company stakeholders dedicate resources to maintaining and improving the ISMS over time. Supporting standards like ISO/IEC 27002 provide specific guidance on controls and control objectives.

ISO 27001 certification can offer customers, prospects, and partners absolute assurance that your organization has effective cybersecurity measures in place to protect sensitive data.

ISO 27001 requirements: Clauses 4-10

ISO 27001 includes six clauses that detail requirements for establishing and maintaining an effective ISMS. 

Clause 4: Context of the organization

This clause lays out the context for the ISMS, including the information assets that need to be protected and the goals for the ISMS. 

Clause 5: Leadership

Senior management must be committed to the success of the ISMS for it to be effective. Processes should be in place to monitor, test, and improve security processes over time and to ensure adequate resources are dedicated to maintaining the ISMS. 

Clause 6: Planning

This clause addresses how organizations approach both risks and opportunities. Documentation must be established that outlines how the organization identifies and treats information security risks, as well as defined goals for the ISMS. 

Clause 7: Support

This clause ensures that adequate resources will always be available to support the ISMS. In particular, subject matter experts that understand how the organization handles customer data and how the ISMS functions. 

Clause 8: Operations

A risk management strategy must be defined and documented, including how risk assessments should be carried out. 

Clauses 9-10: Performance evaluations & continuous improvement

These two clauses work together to document a plan for monitoring and improving ISMS performance over time. Periodic penetration testing and internal audits are included here, as well as plans for addressing any nonconformities that are discovered.  

What is ISO/IEC 27701?

Designed for data controllers and data processors, ISO 27701 is an extension of ISO 27001 certification that helps service providers build a Privacy Information Management System (PIMS) to protect personal data and comply with global data privacy frameworks. ISO 27701 addresses the EU’s General Data Protection Regulation (GDPR) requirements while allowing organizations to incorporate and satisfy other data privacy laws and regulatory requirements.

ISO 27701 offers guidance for organizations building compliance programs that align with a range of data privacy legislation, including GDPR, CCPA, and HIPAA. Supporting standards like ISO 27018 and ISO 29151 help organizations protect personally identifiable information (PII), providing specific guidance on security controls and control objectives. 

ISO 27701 requirements: Clauses 5-8

ISO 27701 includes four clauses that detail the requirements for establishing an effective PIMS. 

Clause 5: Data protection

This clause goes through ISO 27001’s Clauses 4-10 and defines where additional privacy controls may be required. For example, the organization context should include data protection. In addition, the risk assessment needs to account for the organization’s role in regard to PII. Specifically, whether the organization is a data controller and/or a data processor and how that might affect any privacy risks posed to PII. 

Clause 6: PIMS guidance 

This clause expands on ISO 27002 control guidelines to ensure that any and all information security measures also include data privacy. 

Clause 7: PII controller guidance

This clause is an extension of ISO 27001 Annex A controls specific to PII controllers. These controls are designed to close any gaps in data privacy not covered by ISO 27001. 

Clause 8: PII processor guidance

Annex B controls are specific to PII controllers, and address the data privacy measures not covered by ISO 27001. 

The key differences between ISO 27001 and ISO 27701

Both ISO 27001 and ISO 27701 are certifiable ISO standards, and both will give your organization valuable credibility with customers, prospects, and partners. 

The major difference between ISO/IEC 27001:2013 and ISO/IEC 27701 is the emphasis on privacy. While ISO 27001 is concerned with building an information security management system (ISMS) to protect sensitive data, the ISO 27701 standard is focused on developing and managing a privacy information management system (PIMS). 

Another key difference is that ISO 27701 is not a standalone certification. You can think of ISO 27701 as a privacy add-on for ISO 27001. While ISO 27001 addresses data privacy, legislation like GDPR and CCPA require organizations to protect data subject rights. These rights aren’t guaranteed through the information security measures outlined in the ISO 27001 standard. ISO 27701 takes the foundational information security measures established in the ISO 27001 ISMS and adds a more detailed set of data privacy and processing requirements on top of them. 

Like ISO 27001, the ISO 27701 certification process requires an external audit by an accredited third party. Organizations that are interested in achieving ISO 27701 certification can either add ISO 27701 onto an existing ISO 27001 certification or complete both audits at the same time. If you already have ISO 27001 certification, you can incorporate ISO 27701 into your existing ISO 27001 audit schedule. 

Does ISO 27701 compliance satisfy GDPR requirements?

Most organizations want to know the answer to one important question: does ISO 27701 compliance satisfy requirements laid out in the GDPR, CCPA, and other data privacy legislation?

Strictly speaking, ISO 27701 certification does not satisfy GDPR requirements. While ISO 27701 compliance will help you demonstrate GDPR compliance, the two are not interchangeable. ISO 27701 is a security standard; GDPR is a legal framework — and it’s important to note that ISO 27701 does not cover every aspect of the GDPR. 

However, ISO 27001 and ISO 27701 compliance offer organizations a solid foundation for fulfilling GDPR requirements. By combining the two standards, organizations can build trust, demonstrate efforts to comply with current data privacy legislation, and better prepare for future privacy regulations. 

Build a world-class security and privacy program with Secureframe

Achieving and maintaining compliance with rigorous standards like ISO 27001 and ISO 27701 can be stressful and time-consuming — especially if you’re navigating compliance on your own. Secureframe’s all-in-one security and privacy compliance automation platform simplifies and streamlines audit prep.

With automated evidence collection, built-in security awareness and data privacy training, and continuous monitoring, you can get audit-ready in weeks — not months. Our team of compliance experts is always available to answer questions, help you understand control requirements and auditor requests, and keep you notified of any updates to legislation or framework requirements.

Learn more about Secureframe by scheduling a personalized demo today.