
ISO 27701 vs ISO 31700: Which Do You Need?

4 min read · 27kay

Two privacy standards, different purposes

If your organization handles personal data and you are already working with ISO 27001, you have probably come across both ISO 27701 and ISO 31700. They both deal with privacy, but they solve different problems and work in different ways.

ISO 27701 extends your existing ISMS with privacy-specific controls. ISO 31700 provides a framework for embedding privacy into product and service design from the start. Understanding the difference helps you decide which one - or both - your organization actually needs.

What ISO 27701 does

ISO 27701 is a direct extension of ISO 27001. It adds a Privacy Information Management System (PIMS) layer on top of your information security management system. You cannot implement ISO 27701 without first having ISO 27001 in place.

In practical terms, ISO 27701 gives you:

  • Additional controls for personal data - specific requirements for how you collect, process, store, and share personal information
  • Roles and responsibilities - distinguishing between your obligations as a data controller versus a data processor
  • Privacy-specific risk management - extending your existing risk assessment process to cover privacy risks, not just security risks
  • Alignment with GDPR - Annex D of the standard maps its controls directly to GDPR articles, making it easier to demonstrate regulatory compliance

ISO 27701 is certifiable. Organizations that handle personal data - especially those serving EU markets - often pursue it alongside ISO 27001 to show clients and regulators that privacy management is systematic, not ad hoc.

What ISO 31700 does

ISO 31700 takes a different approach. Rather than building on an existing management system, it provides guidance for embedding privacy into the design of products, services, and organizational processes. This is the formalization of Privacy by Design (PbD) - a concept originally developed by Canadian privacy commissioner Ann Cavoukian in 2009 and later incorporated into GDPR’s Article 25.

The standard was officially adopted in February 2023 and applies to organizations of any size that design or develop consumer products and services. Unlike ISO 27701, it does not require ISO 27001 as a prerequisite - any organization can use it as a standalone design framework.

The standard covers 30 requirements across areas including:

  • Designing capabilities that let individuals enforce their privacy rights
  • Conducting privacy risk assessments during product development
  • Establishing privacy controls throughout the data lifecycle
  • Preparing for and managing data breaches
  • Assigning privacy roles and authorities within the organization

ISO 31700 is a guidance standard, not a conformance standard. You cannot get certified against it the way you can with ISO 27001 or ISO 27701. Instead, it serves as a structured framework your teams can follow when building products or designing processes that touch personal data.

Key differences at a glance

Type
  • ISO 27701: Management system extension
  • ISO 31700: Design guidance framework

Prerequisite
  • ISO 27701: ISO 27001 required
  • ISO 31700: None

Certifiable
  • ISO 27701: Yes
  • ISO 31700: No

Focus
  • ISO 27701: Managing personal data within your ISMS
  • ISO 31700: Embedding privacy into product and process design

Audience
  • ISO 27701: Organizations that process personal data
  • ISO 31700: Product teams, designers, and engineers building consumer-facing systems

GDPR alignment
  • ISO 27701: Direct mapping (Annex D)
  • ISO 31700: Supports Article 25 (Data Protection by Design)

When to use which

ISO 27701 makes sense when you already have ISO 27001 and need to demonstrate systematic privacy management to clients, regulators, or partners. This is especially relevant for B2B companies processing personal data on behalf of clients - those clients want to see that your privacy controls are audited and certified, not just documented.

ISO 31700 makes sense when your organization builds products or services that collect or process consumer data. It helps your product and engineering teams think about privacy from the design phase rather than bolting it on after launch.

Both together provide the most comprehensive approach. ISO 27701 ensures your organization manages personal data properly at the operational level. ISO 31700 ensures privacy is built into what you create. For a SaaS company handling customer data, the combination covers both how you run your business and how you build your product.

That said, for most organizations starting their privacy journey, ISO 27701 is the more practical first step - it builds directly on the ISO 27001 work you have already done and produces a certifiable result.

How 27kay can help

Privacy management is where information security meets regulatory compliance - getting the scope and approach right saves significant time and effort. We help organizations figure out which privacy standards fit their situation, whether that means extending an existing ISO 27001 implementation with ISO 27701 or building privacy-by-design practices into product development.

Not sure which path makes sense for you? Let’s talk - we will give you an honest recommendation based on your actual situation, not a one-size-fits-all answer.