About ISO/IEC 27701

ISO 27701 outlines requirements for establishing, implementing, maintaining, and continually improving an organization’s Privacy Information Management System (PIMS) as an extension of ISO 27001. It is an internationally accepted standard and essential for organizations that process Personally Identifiable Information (PII). 

What to expect when going through our step-by-step approach toward certification:

Pre-certification activities

New application requests for certification services can be sent through our contact us page. As part of pre-certification activities, we will conduct a client evaluation and engagement acceptance review. As part of this process, we will need information over the PIMS scope and boundaries of the system to determine fee arrangements and resourcing needs. This includes information about the approximate number of people, infrastructure, software components, key activities and data, and locations (physical and virtual) of the PIMS. A Statement of Applicability and other PIMS scoping documentation, if available, are helpful.

Pre-assessment (optional)

This is not a required step but a formal readiness assessment against the ISO/IEC 27701 standard can be helpful in assisting organizations prepare for initial certification. The desired outcome is to identify deficiencies in the client PIMS seeking certification to the ISO/IEC 27701 standard prior to the assessment.

Initial certification audit

Initial certification audits include two stages. Stage 1 is an evaluation of the management system and documentation with primary focus on the design of the system. Stage 1 also helps in planning for Stage 2. The Stage 2 audit evaluates the implementation and effectiveness of the management system. This stage is performed at the client location(s). BARR Certifications will then determine if it will issue certification to the client.

Surveillance audit

The initial certificate issued is valid for three years from the issuance date. At least annually, surveillance audits are conducted to help ensure a certified organization is able to maintain its compliance to the standard. These audits include limited testing and an onsite review to determine the impact of any significant changes since the original certification. 


Before the certificate expires, BARR Certifications and the client will plan arrangements for recertification. Recertification activities include a full audit of the PIMS.

Notice of changes

 If during the 3-year certification cycle there are changes in scope of the certification (i.e., reduction or expansion) or changes to requirements, the client will provide notice to the BARR Certifications team.