Question 1

Do I need ISO 27001 before pursuing ISO 27701?

Accepted Answer

Yes - ISO 27701 is formally an extension to ISO 27001 (and ISO 27002), not a standalone standard. You must have an ISO 27001 ISMS in place (or implement one concurrently) before you can certify to ISO 27701. However, building them together from the start is the most efficient path: the control overlap is approximately 60%, and a joint audit with a single certification body is typically less expensive than two separate engagements.

Question 2

What is the difference between a PIC and a PIP under ISO 27701?

Accepted Answer

A Personal Information Controller (PIC) is an organization that determines the purposes and means of processing personal information - equivalent to a GDPR Data Controller. A Personal Information Processor (PIP) processes personal information on behalf of and under instruction from a PIC - equivalent to a GDPR Data Processor. ISO 27701 has separate Annex controls for each role. Most organizations act as both (controller for employee data, processor for customer data) and must implement controls for both roles. Dark Rock maps your processing activities to the correct role before scoping your implementation.

Question 3

How does ISO 27701 relate to GDPR compliance?

Accepted Answer

ISO 27701 was explicitly designed to provide a mechanism for demonstrating GDPR compliance. The standard includes a detailed GDPR mapping in its annexes, showing which ISO 27701 controls correspond to specific GDPR Articles. While ISO 27701 certification does not guarantee GDPR compliance (legal questions require legal counsel), it provides independently verified evidence of a systematic approach to privacy governance that data protection authorities recognize. Many EU enterprises now require ISO 27701 certification from their data processors as part of Article 28 vendor due diligence.

Question 4

Can ISO 27701 satisfy GDPR Article 28 (processor agreements)?

Accepted Answer

ISO 27701 certification can serve as evidence of appropriate technical and organizational measures required by GDPR Article 28 and can substitute for individual contract clauses in some contexts under Article 42 (certification mechanisms). However, formal DPAs (Data Processing Agreements) are still required between controllers and processors - ISO 27701 certification strengthens those agreements and may reduce the level of additional audit rights demanded by large enterprise customers.

Question 5

What is a DPIA and when is it required?

Accepted Answer

A Data Protection Impact Assessment (DPIA) is a structured risk assessment process required by GDPR Article 35 when processing is likely to result in a high risk to individuals - including systematic profiling, large-scale processing of special category data, and systematic monitoring of publicly accessible areas. ISO 27701 requires you to have a DPIA process in place. Dark Rock implements your DPIA process, creates a trigger checklist, and completes any mandatory DPIAs for your current processing activities as part of the ISO 27701 implementation.

Question 6

Does ISO 27701 cover CCPA/CPRA compliance?

Accepted Answer

ISO 27701 was designed primarily around GDPR but has strong conceptual alignment with CCPA/CPRA, LGPD (Brazil), PDPA (Thailand, Singapore), and other privacy regulations. The standard's data subject rights framework, consent management controls, and data minimization requirements address obligations across most major privacy regimes. Organizations with multi-jurisdictional obligations can use ISO 27701 as a unifying privacy management framework while layering jurisdiction-specific legal requirements on top.

ISO 27701: Certified Privacy Management Built on Your ISMS

Why ISO 27701 Is the Privacy Standard for Global Operations

Our Approach

Assess

Remediate

Implement

Certify

What You Get

Get ISO 27701 Ready

Related Frameworks

Frequently Asked Questions