ISO 27701 - Privacy Management

Is our privacy certified?

When customers probe how you govern personal data, investors scrutinise your privacy practices, or you already hold ISO 27001 and want to extend it to privacy, a published policy is no longer enough. Increasingly, taking privacy seriously means showing a system, not a statement.

ISO 27701 is the international standard for a Privacy Information Management System. We take small, fast-moving companies from initial scoping through to certification, then maintain the controls and evidence that keep you certified year after year.

In short

  • 01. A certifiable privacy management system, built proportionately on ISO 27001 and aligned to how you actually handle data.
  • 02. Evidence ready for questionnaires and due diligence, so privacy stops slowing your deals down.
  • 03. A privacy programme that stays current through surveillance and recertification audits, not just the first one.

What problems we solve

Proving you take privacy seriously increasingly means showing how it's governed, with records and evidence behind it. You're in the right place if any of these sound familiar:

01. We've no systematic privacy governance

Privacy is handled ad hoc, and you can't show an auditor or customer how it's controlled.

02. We've a policy, but little behind it

What you publish doesn't match what you do, which is exactly what a regulator or buyer looks for.

03. We process personal data for customers

Their due diligence stalls because you can't evidence your privacy controls as a processor.

04. We've ISO 27001, but privacy's a gap

Your security is certified, but privacy questions in questionnaires still slow deals down.

05. Our privacy work never stays current

Records, notices, and assessments drift out of date until the next audit or incident exposes them.

06. We start from scratch every time

Each questionnaire and audit begins again, because nothing is captured as a reusable system.

How ISO 27701 certification works

01. Implementation
Typical duration: 3 to 6 months

We agree scope, confirm whether you act as a controller or processor, map the gap against ISO 27701 and your ISO 27001, then put the privacy controls, records, and documentation in place.

02. Certification
Milestone: external audit

We run the internal audit and management review, clear the readiness findings, and take you through the combined ISO 27001 and ISO 27701 assessment.

03. Maintenance
Minimum term: 12 months

We keep the controls and evidence current and coordinate surveillance and recertification audits, so certification doesn't lapse.

These are the headlines. The full service description sets out every activity, assumption, and exclusion.

Read the full service description

Companies we've worked with.

Ampere, Beam, Biographica, Chalfen, General Index, Harbr Data, Judge.me, Lightsonic, Responsible Marketing, Syntasso, The Key Group, Zaptic

What we put in place

Each item is scoped to the personal data you actually process. If a control genuinely doesn't apply, we mark it out of scope rather than inventing work.

01. Personal data inventory and Records of Processing
02. Privacy risk assessment and DPIAs
03. Statement of Applicability (Annex A and B controls)
04. Data protection policies and procedures
05. Lawful basis and consent records
06. Privacy notices and retention schedule
07. Data subject request and breach procedures
08. International transfer controls
09. Processor and sub-processor agreements
10. Staff privacy awareness and training
11. Internal audit and management review
12. Certification readiness and audit prep

Who it's for

20 to 200 employees: facing privacy scrutiny, but without an enterprise privacy function

Controller, processor, or both: customer records, employee data, or data you handle for others

UK or Europe: subject to UK GDPR, EU GDPR, or both

Under external pressure: privacy due diligence, processor assurance, or buyers wanting certified privacy

Already pursuing ISO 27001: or ready to implement both together as one programme

What's not included

  • Acting as your Data Protection Officer
  • Running data subject requests and breaches day to day
  • Implementing technical controls (your IT team)
  • Legal and contract drafting
  • Penetration testing
  • Certification body and platform fees

You work with a named Lead Consultant who holds recognised ISO 27001 implementation and audit qualifications, along with data protection credentials (CIPP/E, CIPM). They're your single point of contact and accountable for delivery. If you later add the DPO service, the same person can continue, so the context carries across both.

Term and pricing

Phase 1, Implementation: 3–6 months, fixed fee

Phase 2, Maintenance: 12-month minimum, recurring fee, renewable annually

With ISO 27001: combined programme, scoped and priced together

Exact figures depend on your size, your starting point, and whether ISO 27001 is already in place. Use the calculator for an indicative estimate.


See whether ISO 27701 is the right step.

A short conversation is usually enough to tell whether certification is the right move, and whether ISO 27001 needs to go in alongside it. If something else suits you better, we'll say so.