
ISO 27701 — the International Privacy Standard

ISO/IEC 27701:2019 is the international standard for personal data management (Privacy Information Management System, PIMS). It builds on top of ISO 27001 and adds 49 specific privacy controls. For Israeli organizations after Amendment 13, ISO 27701 is a proof of compliance increasingly demanded by global Enterprise customers, and it improves the ability to win complex public tenders.

What ISO 27701 is

ISO/IEC 27701:2019 is an international standard extending ISO 27001 (information security) into privacy. It builds a Privacy Information Management System (PIMS) on top of an existing ISMS, adding 49 specific privacy controls. In short: if you have ISO 27001, adding 27701 is an extension — not a standard from scratch.

Who needs it

Three main groups: (1) SaaS companies targeting Enterprise customers in the US or Europe — large customers increasingly require this standard as a substitute for, or complement to, SOC 2; (2) Healthcare entities handling highly sensitive personal data at scale; (3) Public-sector vendors demonstrating to municipal procurement that they have a structured privacy framework.

Difference from ISO 27001

ISO 27001 = information security (CIA — Confidentiality, Integrity, Availability). ISO 27701 = personal data management (Privacy controls). They are complementary — not substitutes. ISO 27701 requires an active ISO 27001. You cannot certify 27701 without 27001.

Difference from GDPR / Amendment 13

GDPR and Amendment 13 are laws — mandatory compliance. ISO 27701 is a voluntary standard — not required, but serves as compliance evidence to the laws. An organization with ISO 27701 essentially tells customers and the regulator: "We have a documented privacy management framework, verified by an external body."

What the standard requires

ISO 27701 adds 49 privacy controls to ISO 27001, divided into 4 groups: (1) Context and roles — DPO appointment, data category definition, purpose specification; (2) Data subject rights — access, correction, deletion procedures, consent flow; (3) Sharing and retention — sub-processors, cross-border transfer, retention periods, secure deletion; (4) Privacy principles — Privacy by Design, minimization, informed consent, accountability.

How long it takes

Starting from ISO 27001 (if not already certified): 9-12 months to initial certification. Adding a PIMS for 27701 on top of an existing 27001: 3-5 additional months. An organization starting from scratch can achieve both standards together within 12-18 months, depending on size, internal engagement, and resources invested. Certification requires an external auditor (BSI, SGS, etc.) — a body I am not part of, since acting as both implementer and auditor would be a conflict of interest.

What it brings to your customers

When selling to Enterprise customers — shortens vendor onboarding time (instead of an 80-question security questionnaire, the Enterprise receives a certificate and the standard's specification). In public tenders — gives a strong signal of a managed framework. During an incident — reduces the expected scope of investigation; the Authority and enforcement bodies tend to trust a certified organization.

Difference from SOC 2

SOC 2 is an American standard mainly serving the US market. ISO 27701 is international. Most SaaS companies targeting EU + US — do both. Many EU customers accept ISO 27701 even without SOC 2; US customers often accept SOC 2 even without ISO.

Frequent questions about ISO 27701

We are not ISO 27001 certified — can we start with 27701?

No. ISO 27701 builds on top of 27001 — you cannot certify one without the other. A path starting with ISO 27001 and then 27701 is required (or both in parallel, as resources allow).

How much does it cost?

The certification costs themselves (external auditor) — roughly 30,000-80,000 ILS for both standards together, depending on organization size and number of sites. Professional engagement costs for building the framework — 80,000-300,000 ILS for a full project, or 15,000-28,000 ILS per month on a GRC Lite retainer. See the GRC + Privacy package.

Difference from PCI DSS?

PCI DSS = dedicated standard for credit card processing. ISO 27701 = broad standard for general privacy management. An organization processing credit cards must have PCI DSS (no choice). ISO 27701 is voluntary. A financial organization dealing with both — implements both standards, sometimes also ISO 27001.

We are a nonprofit — is it worth it?

Usually not, unless there is international funding that requires it. A mid-size Israeli nonprofit typically has no need for ISO 27701 — it is significant overhead that does not affect your market. Large nonprofits with American or European funding — are sometimes obligated to meet such standards.

Do you perform the certification itself?

No. Conflict of interest. We build the framework (Privacy controls, documentation, procedures, risk assessments) and accompany the external auditor (BSI, SGS, Standards Institute of Israel, etc.). The auditor is the one issuing the certificate.

Relationship between DPO and ISO 27701?

ISO 27701 explicitly requires a DPO appointment (or role-holder with DPO duties). An organization maintaining our DPO as a Service — already meets this requirement. The DPO is a built-in part of PIMS, not an external addition.

Do you have ISO 27701 experience?

Yes. In the GRC + Privacy package we build the ISO 27001/27701 framework for SaaS clients, healthcare entities, and public-sector vendors. The CISO on our bench leads 27001, and I, as DPO, lead 27701.

Aiming for ISO 27701?

The GRC + Privacy package supports the entire path — ISO 27001 + 27701 + DPO.
