A CERT-In Empanelled Auditing Organization
Readiness Advisory

ISO 27701 Readiness

Extend your ISMS into a Privacy Information Management System under ISO/IEC 27701 — assurance over how you manage personal data.

Overview

Privacy management, built on your ISMS.

ISO/IEC 27701 extends ISO/IEC 27001 and ISO/IEC 27002 with PIMS-specific requirements, guidance and controls for handling personally identifiable information (PII), with separate control sets for PII controllers (its Annex A) and PII processors (its Annex B).

We help you build the PIMS on top of your existing ISMS, mapping privacy obligations to controls and preparing you for certification alongside or after ISO 27001.

What’s covered

What we assess and prepare.

PIMS scoping

Controller and/or processor roles.

Privacy controls

Privacy controls layered on top of ISO 27001 Annex A: the ISO 27701 Annex A controls for PII controllers and Annex B controls for PII processors.

Records of processing

Mapping personal-data flows.

Data subject rights

Processes to fulfil requests.

Privacy-law mapping

Alignment to GDPR and India’s DPDPA.

Who needs this

Is this you?

The kinds of organisations that rely on this work.

Organisations handling personal data: privacy assurance.
ISO 27001-certified firms: extending into privacy.
Data processors: controller / processor obligations.
Companies under DPDPA / GDPR: demonstrating privacy governance.
BPOs processing PII: client privacy requirements.
Any PII-handling organisation: PIMS certification.
Regulatory drivers

Why this is required

ISO/IEC 27701 extends your ISMS into a privacy information management system (PIMS) and is increasingly expected wherever you process personal data at scale. Readiness work establishes the privacy controls the standard requires before the certification audit.

ISO/IEC 27701
The privacy extension to ISO 27001 that you are preparing to certify against.
DPDPA & GDPR
27701 provides a recognised control framework that supports demonstrable privacy compliance.
Client & contractual requirements
Customers increasingly require recognised privacy certification from their processors.
How we work

A proven, methodical approach.

A staged approach built to deliver a defensible outcome.

Scoping & PIMS boundary

Defining the PIMS scope and your roles as controller or processor.

Gap analysis

Assessing current state against ISO 27701 over your ISMS.

Privacy risk & PII mapping

Mapping PII processing and assessing privacy risk.

Controls & documentation build

Implementing the privacy controls and documentation.

Internal audit & review

A full internal audit and management review.

Certification handoff

Preparing for and supporting the certification audit.

What you receive

Documentation built for every audience.

  • PIMS gap assessment report: your posture against ISO/IEC 27701.
  • Privacy remediation roadmap: a sequenced plan to close gaps.
  • PII records & policy templates: RoPA (records of processing activities) and privacy documentation to build on.
  • Implementation tracker: progress tracked to readiness.
  • Mock audit & readiness sign-off: a dry-run audit before certification.

Standards & frameworks

The work is mapped to the standards and rules that apply to you.

ISO/IEC 27701
ISO 27001
GDPR
India DPDPA
Checklist

Are you ready? A quick checklist

What to have in place before we begin.

ISO 27001 in place or planned
Controller / processor roles defined
PII inventory / RoPA started
Privacy policies planned
DSAR (data subject access request) process drafted
Consent / lawful-basis mapping
Vendor / processor agreements
Target certification date set
FAQ

Common questions

Do we need ISO 27001 first?
ISO 27701 is an extension of an information security management system and cannot be certified on its own: certification is issued as an extension to an ISO 27001 certificate, so you need ISO 27001 either already in place or being implemented in parallel. In practice many organisations run the two together, building the privacy controls of 27701 on top of the ISMS, and we prepare you for that as a single integrated programme.
Does it cover GDPR or DPDPA?
ISO 27701 provides a recognised privacy control framework that maps closely to laws such as the GDPR (the standard's own Annex D maps its controls to GDPR articles) and India's DPDPA (Digital Personal Data Protection Act, 2023), and is an effective way to operationalise and evidence privacy compliance. Certification is not a finding of legal compliance, however: compliance with any specific law also needs input from your legal or data-protection advisers, whom we complement rather than replace.
Controller or processor?
The standard covers both roles, and the controls that apply differ depending on whether you determine the purposes of processing (controller) or process on someone else’s behalf (processor). We identify your role in each processing activity and tailor the controls and documentation accordingly.
Ready to get started?

Tell us your goals and constraints, and we’ll shape the right engagement.