June 2026. ISO 27701 extends ISO 27001 with privacy controls (PII). Enterprise customers and supervisors increasingly ask for integrated security and privacy evidence — not separate folders that contradict each other.
One ISMS, extra SoA section
- use one scope/context with privacy extension where PII is in scope;
- SoA: Annex A + ISO 27701 privacy controls with rationale;
- shared risk assessment — tag privacy and security risks;
- DPO involved in risk, DPIA and incidents with personal data.
GDPR overlap
ISO 27701 does not replace GDPR compliance. It helps with processor agreements, subprocessors, DPIAs and data subject rights — if you link evidence to controls. Link to privacy hub and ISO 27701.
Practical route
- Gap: ISO 27001 controls vs 27701 privacy controls for your processing.
- Prioritise high-impact processing (HR, customer data, healthcare).
- Internal audit sample on DPIA + privacy incident register.
In 2026 due diligence parties explicitly ask for PII scope and DPO mandate alongside ISO 27001 certificate. One management review agenda for both prevents contradictory messages.
Processors and subprocessors
ISO 27701 emphasises PII in the chain: which subprocessors, which countries, which assurance. Update processor agreements when ISO 27701 controls introduce new requirements — not only at contract renewal.
DPIAs and 27701 risk treatment must reference the same processing. Duplicate descriptions with contradictory conclusions are due diligence red flags.
Plan internal audit sample on one HR or customer processing per year — from DPIA to technical measure and retention.
Next steps in your ISMS
Turn this article into one concrete action in your risk register or improvement plan: owner, deadline, expected evidence. Discuss progress in the next management review — auditors and chain partners want decisions, not policy intent alone. Link where possible to existing ISO 27001, NIS2 or GDPR documentation so you do not maintain parallel folders.
Questions on scope, certification or chain requirements? Use our readiness overview and knowledge base for deeper guidance. This article does not replace legal or audit advice for your situation.
Share relevant findings briefly with line management and procurement — compliance becomes workable when the whole organisation recognises the same priorities. Repeat the chosen action quarterly in team meetings and update evidence locations in your SoA or control plan so surveillance samples are easy to answer.
What to do this week
Pick one concrete action from this article, assign an owner and add it to your risk or improvement register with a deadline. Share briefly in team meetings so compliance is something the line recognises. Repeat quarterly in management review so leadership sees progress, not only intent.
Note: this article is educational and does not replace legal, privacy or audit advice for your specific situation.
Evidence and governance
Record who owns the measures in this article and how you prove operation in the sample period — logs, tickets, approved changes or exercise reports. Certification bodies and chain partners do not accept intent without samples. Link evidence locations to your SoA or control plan so internal and external audit use the same sources.
Chain and contracts
Many 2026 requirements come via customers, not only formal law scope. Align contract SLAs with your ISMS: incident notification, audit rights, patch timelines and exit. Document where contract is stricter than internal policy — management review must explicitly accept that gap or plan investment.
Continual improvement
Plan a short quarterly review: what worked, which near-miss stood out, which control needs extra attention? Record three improvement actions with owners — that is what ISO 27001, NIS2 and GDPR supervision want to see: PDCA in practice, not paper only.
Knowledge base and readiness
For deeper guidance see our knowledge base on ISMS, ISO 27001, NIS2 and GDPR. Use the readiness overview to compare priorities with your current maturity. This article is educational; engage specialists for legal or audit decisions.
Evidence and governance
Record who owns the measures in this article and how you prove operation in the sample period — logs, tickets, approved changes or exercise reports. Certification bodies and chain partners do not accept intent without samples. Link evidence locations to your SoA or control plan so internal and external audit use the same sources.
Chain and contracts
Many 2026 requirements come via customers, not only formal law scope. Align contract SLAs with your ISMS: incident notification, audit rights, patch timelines and exit. Document where contract is stricter than internal policy — management review must explicitly accept that gap or plan investment.
