ISO 27701 implementation is a privacy extension to an existing ISO 27001 program, not a parallel project. Organizations that treat it as a separate compliance engagement spend time and money rebuilding documentation that already exists in a different form. The ones that move efficiently start by mapping what they have against what ISO 27701 requires, close only the gaps that are genuinely new, and carry the rest of their existing program forward.
This post explains how the two standards relate, where your ISO 27001 work carries over, and what your team will need to build from scratch.
How ISO 27701 Relates to ISO 27001
ISO 27001 establishes requirements for an Information Security Management System (ISMS). It covers risk management, access control, incident response, business continuity, and a range of operational controls that protect information assets. ISO 27701 takes that management system and adds a privacy layer, producing what the standard calls a Privacy Information Management System (PIMS): controls for managing personally identifiable information (PII), responding to data subject rights requests, governing data processors, and documenting the purposes and legal bases for processing activities.
The relationship is additive. ISO 27701 does not replace the security controls in ISO 27001; it extends them. Where an ISMS clause or ISO 27002 control already applies, ISO 27701 adds privacy-specific requirements and guidance (for example, the risk assessment must also consider risks to the individuals whose data is processed, not only risks to the organization) and supplements them with new privacy controls in its annexes. Your existing risk management process, your supplier assessment procedures, and your access control documentation all remain in scope and carry forward into the ISO 27701 assessment. The auditor will assess both sets of controls, but bringing ISO 27701 into scope does not mean rebuilding the security controls you already operate under ISO 27001: ISO 27701 is certified as an extension of an ISO 27001 certification, not instead of one.
What Carries Forward from ISO 27001
Several categories of ISO 27001 work map directly to ISO 27701 requirements without modification. Your information security policy framework provides the governance structure that the privacy management system builds on. Your supplier assessment procedures cover vendor management requirements that ISO 27701 extends for data processors. Your incident response plan addresses the security incident requirements that ISO 27701 supplements with breach notification and regulatory reporting obligations.
Clauses 5 and 6 of ISO 27701 walk through the ISO 27001 clauses and ISO 27002 controls in order and state, for each, what the privacy extension adds; Annex F explains how to apply those additions to an existing ISO 27001 and ISO 27002 implementation, and Annexes A and B list the additional controller-specific and processor-specific controls. Working through that mapping with an advisor before implementation begins is how you identify which existing controls satisfy privacy requirements without additional evidence, and which require supplementary documentation or process changes.
What ISO 27701 Requires That ISO 27001 Does Not
The net-new work in ISO 27701 falls into several categories that have no direct equivalent in ISO 27001.
Data subject rights procedures. ISO 27701 requires documented processes for handling access requests, erasure requests, data portability, and objections to processing. These must describe how your team receives requests, verifies the requester's identity, fulfills the obligation within the statutory deadline (one month under GDPR Article 12, extendable by a further two months for complex or numerous requests), and records what was done, including requests that were refused and the reason given. Most ISO 27001 programs do not include these at the operational level.
Records of processing activities. ISO 27701 requires a documented inventory of processing activities, including the purposes of processing, the categories of personal data involved, the legal bases relied on, and the retention periods applied. This is the record of processing activities that GDPR Article 30 also requires, and it is the foundational document for demonstrating accountability under GDPR and similar regulations. It is distinct from the asset register that ISO 27001 requires: the asset register lists what you hold, the record of processing explains why you hold it and for how long.
Privacy-by-design controls. ISO 27701 requires that privacy considerations are built into new systems and processes from the start, with documented evidence that privacy impact assessments were conducted where required. For many organizations, this means adding privacy review steps to existing development and procurement workflows.
Controller and processor obligations. Depending on your role, ISO 27701 requires either controller-specific controls (Annex A, covering how you determine the purposes of processing and manage data subject rights) or processor-specific controls (Annex B, covering how you handle personal data under contract, manage sub-processors, and support your customers' compliance obligations). Companies that act in both roles, which is common for a SaaS provider that processes customer data and also runs its own marketing and HR systems, must implement both sets.
The Most Common Implementation Mistake
The most common mistake in ISO 27701 implementation is treating the privacy controls as a documentation exercise. Teams produce records of processing activities, draft data subject rights procedures, and update their privacy notices without confirming that the underlying processes exist and are running as documented.
The same problem that affects any compliance program built primarily on documentation applies here. An auditor reviewing ISO 27701 evidence will ask whether your data subject rights procedure has been exercised against a real or test request, whether your privacy impact assessment process was followed for a recent product change, and whether your records of processing activities reflect how your organization actually handles data today. Documentation that outpaces the underlying activity is itself a gap, and one the auditor will find by sampling.
How Carbide Handles ISO 27701 Implementation
Carbide advisors begin every ISO 27701 engagement by mapping the customer’s existing ISO 27001 program against the ISO 27701 control requirements. That mapping identifies what carries forward, what requires supplementary evidence, and what requires net-new processes and documentation. Implementation work focuses on the genuine gaps rather than rebuilding controls that already satisfy the requirements in their current form.
The Carbide platform tracks evidence for both ISO 27001 and ISO 27701 controls in the same place, so the work done for one framework does not need to be replicated for the other. Your advisor reviews documentation before it goes to the certification body and coordinates directly with the auditor throughout the assessment process.
If you hold ISO 27001 and are ready to scope an ISO 27701 implementation, talk to our team about what your existing program covers and what your path to certification looks like.