Building a privacy information management system? Start with a privacy programme.
ISO 27701 extends your ISO 27001 ISMS with privacy-specific controls for managing PII. If you do not yet have a structured privacy programme, that is where to begin. If you are already ISO 27001 certified and need to formally address GDPR, the Australian Privacy Act 1988, or the NZ Privacy Act 2020, this is the natural extension.
What's involved
ISO 27701 extends your ISO 27001 ISMS to include privacy-specific controls for the management of personally identifiable information (PII). If you already have or are pursuing ISO 27001, this is the natural next step for demonstrating privacy compliance.
The standard provides a framework for PII controllers and PII processors, mapping to GDPR requirements and aligning with the Australian Privacy Act. It adds privacy-specific controls on top of your existing ISMS rather than building a separate system.
This implementation requires an existing or concurrent ISO 27001 ISMS. We extend your existing management system with the privacy controls, documentation, and processes required by ISO 27701.
Deliverables
- ISO 27701 gap analysis against your existing ISMS
- Privacy-specific risk assessment and treatment plan
- PII inventory and data flow documentation
- Extended Statement of Applicability covering ISO 27701 controls
- Privacy-specific policies and procedures
- Certification audit preparation and support
Business benefits
- Internationally recognised privacy management certification
- Demonstrates compliance with GDPR and Privacy Act to international clients
- Builds on your existing ISO 27001 investment — not a separate system
- Competitive advantage in sectors handling sensitive personal data
Engagement process
No formal privacy programme yet?
ISO 27701 works best when you already have privacy foundations in place. See what an ongoing privacy programme looks like for your organisation.
See the privacy programme
Kaurna Acknowledgement
We acknowledge and pay our respects to the Kaurna people, the traditional custodians of the ancestral lands on which we work. We acknowledge the deep feelings of attachment and relationship of the Kaurna people to country and we respect and value their past, present and ongoing connection to the land and cultural beliefs.