A practical guide to ISO/IEC 27701 — the international privacy extension to ISO 27001. Built for Australian SaaS companies, consultancies, and SMBs that handle personal data and need to demonstrate privacy management to enterprise buyers, EU customers, or regulators.
ISO/IEC 27701 is the international standard for a Privacy Information Management System (PIMS). It was first published by ISO and IEC in 2019 as an extension to ISO 27001, adding privacy-specific requirements and controls on top of the existing ISMS. Where ISO 27001 protects information in general, ISO 27701 specifically protects personally identifiable information (PII). It introduces controls for lawful basis, consent management, data subject rights, retention and disposal, breach notification, and supplier processing agreements.
The natural follow-on to ISO 27001 for any Australian organisation whose buyers care about privacy: SaaS companies selling into Europe or the UK (where GDPR makes privacy assurance the procurement hurdle), healthcare and health-tech, financial services technology (APRA CPS 234 alignment), and government technology suppliers.
For an SMB that already operates an ISO 27001 ISMS, 8–12 weeks of readiness followed by a combined Stage 1 / Stage 2 audit. Joint program (no existing ISMS): 14–18 weeks. Audit bookings need 6–10 weeks lead time — book Stage 2 at the start of readiness.
PECB training through Aegentra Academy: ISO 27701 Foundation $399 AUD, ISO 27701 Lead Implementer $849 AUD, ISO 27701 Lead Auditor $849 AUD. Add-on readiness (existing ISO 27001): $18k–$35k. Joint readiness (greenfield 27001+27701): $45k–$80k. Joint Stage 1+2 audit: $12k–$25k. Joint annual surveillance: $7k–$13k.
Not substitutes — complementary. GDPR and the Australian Privacy Act 1988 are laws that impose obligations directly. ISO 27701 is a voluntary management system standard that gives you the auditable framework to demonstrate compliance. Annex D of ISO 27701 maps every GDPR article to the relevant ISO 27701 clause. The 13 Australian Privacy Principles (APPs) map cleanly onto ISO 27701 controls.