SGRII Insights  ·  ISO 27001:2022  ·  2026

ISO 27701 Is No Longer an Extension. It Is a Standalone Standard. Most Organisations Implementing Both Have Not Absorbed What That Means Architecturally.

The 2025 revision of ISO 27701 eliminated the extension dependency. Organisations can now certify to 27701 independently. But the integration question — how the ISMS and PIMS connect, share, and diverge — has become more complex, not simpler.

SGRII Performance & Digital Solutions

ISMS Practice  ·  April 2026  ·  12 min read

SGRII Pillar Lens

Integration

Integration in the SGRII framework means connected workflows operating as a coherent whole. The ISO 27001 + 27701 integration is a specific test case: two standards that share a structural foundation (Annex SL clauses, risk methodology, performance evaluation) but address fundamentally different protection objectives (information security vs. personal data privacy). When integration is done correctly, the PIMS extends the ISMS. When it is done poorly, two parallel systems share a certificate.

What the 2025 Revision Changed Architecturally

ISO/IEC 27701:2019 was explicitly defined as an extension to ISO 27001. It required an existing ISMS as its foundation. Certification to 27701 was possible only as an extension to an existing 27001 certificate. The standard added privacy-specific requirements on top of the ISMS clauses and extended Annex A with privacy-specific controls.

ISO/IEC 27701:2025 is a standalone, independently certifiable management system standard. An organisation can now implement and certify a Privacy Information Management System without first implementing ISO 27001. The Annex SL clause structure is complete. The privacy controls are self-contained. The dependency is architectural preference, not structural requirement.

This changes the integration question fundamentally. Under the 2019 architecture, integration was mandatory — the PIMS sat on top of the ISMS. Under the 2025 architecture, integration is a design choice. Organisations can implement both standards independently, integrate them fully, or adopt a layered approach where the ISMS provides the foundation and the PIMS extends it. The question is no longer whether to integrate. It is how to integrate — and whether the organisation’s existing ISMS is structurally sound enough to serve as the foundation.

The Shared Foundation

Both standards share the Annex SL high-level structure. Context analysis (Clause 4), leadership (Clause 5), planning (Clause 6), support (Clause 7), operations (Clause 8), performance evaluation (Clause 9), and improvement (Clause 10) are structurally identical. An organisation with a well-built ISO 27001 Clause 4–10 architecture has already built 60–70% of the management system foundation for ISO 27701.

The risk assessment methodology extends but does not replace. ISO 27001 risk assessment considers confidentiality, integrity, and availability of information assets. ISO 27701 adds privacy-specific risk scenarios: unlawful processing, purpose limitation violations, data subject rights failures, cross-border transfer non-compliance, and excessive data retention. These are additional risk scenarios within the same methodology — not a separate risk assessment.

Performance evaluation and management review can operate through a single framework that receives inputs from both the ISMS and the PIMS. Internal audits can cover both scopes in a single programme with standard-specific sampling. The NC & CA Register serves both standards. The integration opportunities at the governance level are substantial — provided the foundation is sound.

Where the Standards Diverge

ISO 27701 introduces requirements that have no equivalent in ISO 27001: PII processing purposes and legal basis determination, data subject rights management (access, rectification, erasure, portability, objection), privacy impact assessment methodology, cross-border transfer controls and adequacy assessment, data processor obligations (when the organisation processes PII on behalf of a controller), and privacy-specific incident notification requirements.

These are not extensions of existing ISMS controls. They are distinct privacy obligations that require dedicated procedures, evidence mechanisms, and competence requirements. An organisation that attempts to address them by adding privacy language to existing ISMS procedures will produce procedures that address neither standard well.

The SoA architecture also diverges. ISO 27001 uses Annex A (93 controls across four themes). ISO 27701 adds privacy-specific controls for PII controllers and PII processors. The SoA for an integrated implementation must address both control sets — with clear mapping of which controls serve which standard and which serve both.

The ICT Governance Suite: 27001 + 27701 + 42001

The SGRII product architecture recognises three standards that form a natural governance suite for organisations in the digital economy: ISO 27001 (information security), ISO 27701 (privacy information management), and ISO 42001 (AI management systems). Together, they address the three dimensions of digital trust: security, privacy, and responsible AI.

The integration architecture follows a layered model: ISO 27001 provides the foundation (security governance, risk methodology, control framework). ISO 27701 extends for privacy (PII lifecycle, data subject rights, processing governance). ISO 42001 extends for AI (AI system lifecycle, responsible development, algorithmic transparency). Each layer shares the foundation. Each adds domain-specific requirements.

For organisations implementing more than one of these standards, the question is always: is the foundation strong enough to support the extension? An ISMS built on generic risk assessments, control-list-driven SoAs, and activity-based metrics will not support a credible PIMS or AIMS extension. The foundation determines the ceiling.

Integration is the fourth SGRII pillar — but it is not the first step. A weak ISMS extended with a PIMS produces two weak systems sharing a certificate. A strong ISMS extended with a PIMS produces an integrated digital trust architecture. The foundation determines the outcome.

The SGRII Position

The SGRII position on 27001 + 27701 integration is architectural: start with the foundation. If the ISMS has risk-driven SoA construction, CIA-framed risk assessment, operational control evidence, and effectiveness metrics, the PIMS extension is a manageable scope addition. If the ISMS is a document hierarchy that passes certification through auditor familiarity, the PIMS extension will compound the structural weakness.

The SGRII ISO 27701 PIMS Framework is designed to integrate with or operate independently from the ISO 27001 ISMS Framework. Shared components (context, risk methodology, management review, audit programme) use identical architectural patterns. Privacy-specific components (PII processing registers, data subject rights procedures, privacy impact assessments) are additive — they extend the ISMS without duplicating it. The ICT Governance Suite bundles both frameworks with the ISO 42001 AIMS Framework for organisations pursuing the complete digital trust architecture.

THE SGRII ISO 27001:2022 ISMS FRAMEWORK

The SGRII ISMS Framework and PIMS Framework are architecturally integrated — shared foundation, additive privacy extensions. The ICT Governance Suite bundles ISO 27001 + 27701 + 42001 for organisations building complete digital trust architecture.

Includes: ISMS Framework (ISO 27001) and PIMS Framework (ISO 27701) with shared risk methodology, integrated management review templates, combined audit programme, and privacy-specific procedures for PII lifecycle, data subject rights, and cross-border transfers.

Join the Conversation

If your organisation implements both ISO 27001 and ISO 27701, does the PIMS extend the ISMS — or does it operate as a parallel system with a shared certificate? And if you have not yet implemented 27701 — is your ISMS foundation strong enough to support the extension?

Practitioner perspectives that challenge or extend this analysis are particularly welcome. Leave your comment below — the SGRII team responds to every substantive contribution.
