ISO 27001 vs ISO 27701: What’s the Difference and When Does a Business Need Both?

April 1, 2026 / Published by: Admin

Amid increasing regulatory pressure and the growing threat of data breaches, organizations are no longer only required to be “secure,” but also “compliant” with personal data protection.

Many companies are already familiar with ISO 27001, but is that enough?

On the other hand, ISO 27701 has emerged with a focus on privacy. Unfortunately, many organizations still treat the two as alternative choices rather than complementary frameworks.

Misunderstanding the differences and relationship between ISO 27001 and ISO 27701 can have a direct impact on business. Audits can fail, companies can lose customer trust, and, worse, there is a risk of regulatory sanctions under laws such as Indonesia’s Personal Data Protection Law (UU PDP).

Therefore, understanding the differences and relationship between ISO 27001 and ISO 27701 is crucial for strategic decision-making.

What is ISO 27001?

ISO 27001 is an international standard for building and managing an Information Security Management System (ISMS) that focuses on protecting the confidentiality, integrity, and availability of information.

In practice, ISO 27001 focuses on how organizations protect information from risks such as data breaches, unauthorized access, and operational disruptions.

This standard requires organizations to identify risks, implement security controls, and conduct regular audits.

For example, ISO 27001 typically covers:

  • Access control: Role-based access control (RBAC), including the implementation of MFA for critical systems
  • Risk management: Identification of information assets, risk assessment, and determination of mitigation controls
  • Security audits: Regular internal audits to ensure controls are operating effectively
  • Incident management: Procedures for handling security incidents, including escalation and reporting

What is ISO 27701?

ISO 27701 is an extension of ISO 27001 that focuses on a Privacy Information Management System (PIMS), specifically in managing personal data.

This means ISO 27701 does not stand alone. It is built on top of the ISO 27001 foundation, with additional controls that specifically regulate how personal data is collected, processed, stored, and deleted.

Unlike ISO 27001, which applies broadly to all information assets, ISO 27701 specifically governs how organizations manage personal data—both as a controller and as a processor.

This standard was published in 2019 in response to the growing need for a structured and auditable privacy framework.

For example, ISO 27701 typically covers:

  • Consent management: Systems to record user consent before data is processed
  • Data classification: Specific classification for personal data vs. general data
  • Data minimization: Collecting only the data that is truly necessary
  • Third-party data processing: Governance of vendors that access personal data

Differences Between ISO 27001 and ISO 27701

The main difference lies in their focus: ISO 27001 focuses on information security in general, while ISO 27701 specifically governs personal data protection.

In practice, the differences can be seen in several aspects:

1. Core Focus

  • ISO 27001: Security (protecting all types of information)
  • ISO 27701: Privacy (protecting personal data)

ISO 27001 covers all organizational information assets, from internal documents and intellectual property to trade secrets and IT infrastructure.

Meanwhile, ISO 27701 focuses only on personal data, whether managed for the organization’s own purposes (as a controller) or on behalf of others (as a processor).

For example: A SaaS company with ISO 27001 may have secured its servers and system access. However, without ISO 27701, it may not have mechanisms for user consent or data deletion.

2. Scope of Controls

  • ISO 27001: General controls (access, encryption, backup, etc.)
  • ISO 27701: Additional privacy-specific controls (data subject rights, consent, purpose limitation)

For instance, controls related to privacy by design and privacy by default are explicitly required in ISO 27701 but not detailed in ISO 27001.

In audits, it is often found that organizations relying solely on ISO 27001 are not ready to answer questions such as:

  • How can users request data deletion?
  • Where is personal data stored?
  • Which third parties process the data?

3. Implementation Objectives

  • ISO 27001: Reduce information security risks
  • ISO 27701: Ensure compliance with data privacy regulations

In practice, ISO 27001 demonstrates that an organization can reliably manage cybersecurity risks. It is often a key requirement to become a vendor in sectors such as banking, telecommunications, or government.

On the other hand, ISO 27701 demonstrates that an organization can protect individual privacy rights. This becomes essential when processing personal data at scale or operating in jurisdictions with strict privacy regulations (including Indonesia’s PDP Law).

In other words, ISO 27001 is the baseline for security, while ISO 27701 elevates organizations to privacy compliance.

Relationship Between ISO 27001 and ISO 27701

ISO 27001 and ISO 27701 are not competing standards; rather, they have a hierarchical relationship where ISO 27701 cannot stand alone without ISO 27001 as its foundation.

In real-world implementation, this understanding is critical. ISO 27701 is designed as an extension of ISO 27001.

This means organizations seeking ISO 27701 certification must first have—or simultaneously build—an ISMS based on ISO 27001.

In practice, integration is typically approached as follows:

  • Reuse ISO 27001 controls as the baseline
  • Add ISO 27701 privacy controls on top
  • Integrate policies between security and privacy

Example:

In risk management, an organization implementing only ISO 27001 assesses risks to information assets in general.

After integrating ISO 27701, the assessment is expanded to include privacy-specific risks, such as personal data breaches that could lead to regulatory fines, legal claims, or loss of public trust.

The documentation structure remains the same—policies, procedures, and records—only expanded in scope, not rebuilt from scratch.

Relevance of ISO 27001 and ISO 27701 to the PDP Law

ISO 27001 and ISO 27701 are highly relevant in helping organizations meet obligations under Indonesia’s Personal Data Protection Law (UU PDP), particularly in data protection and governance.

The PDP Law requires organizations not only to secure data but also to ensure transparency and uphold data subject rights. This is where ISO 27701 becomes critical.

1. Consent Management

The PDP Law requires explicit consent. ISO 27701 provides specific controls on how consent should be recorded, how it can be withdrawn, and how to prove that consent was obtained lawfully.

For example, in a retail company, customer consent for marketing must be stored in a system that cannot be arbitrarily modified by administrators.

In this context, consent aligns with ISO 27701, while immutability reflects strong data security practices.
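As an added illustration, not code from the article or from any ISO standard, the following Python sketch shows one way a consent record store can be made tamper-evident: every entry carries the SHA-256 hash of the entry before it, so an administrator who alters or replaces an earlier record in place breaks the chain and verification reports the first affected record. The field names, the "marketing" purpose value, the timestamps and the customer identifiers are constructed for the example; access control, signing of the chain head and retention rules are outside its scope.

```python
"""Tamper-evident consent ledger (added example, not from the article).

Each record stores the hash of the previous record. Editing or replacing
an earlier entry invalidates every hash that follows, so verify() detects
the change. Field names and sample values are assumptions for this demo.
"""
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ConsentRecord:
    seq: int
    customer_id: str
    purpose: str           # e.g. "marketing" (constructed value)
    granted: bool          # True = consent given, False = consent withdrawn
    recorded_at: str       # ISO 8601 timestamp supplied by the caller
    prev_hash: str         # hash of the preceding record (or GENESIS)
    record_hash: str = ""  # filled in when the record is appended


def _hash_record(payload: dict) -> str:
    """Hash the canonical JSON of a record, excluding its own hash field."""
    body = {k: v for k, v in payload.items() if k != "record_hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class ConsentLedger:
    GENESIS = "0" * 64  # prev_hash of the first record

    def __init__(self) -> None:
        self._records: List[ConsentRecord] = []

    def append(self, customer_id: str, purpose: str, granted: bool,
               recorded_at: str) -> ConsentRecord:
        """Append a consent decision; withdrawals are new records, not edits."""
        prev = self._records[-1].record_hash if self._records else self.GENESIS
        payload = dict(seq=len(self._records), customer_id=customer_id,
                       purpose=purpose, granted=granted, recorded_at=recorded_at,
                       prev_hash=prev, record_hash="")
        payload["record_hash"] = _hash_record(payload)
        rec = ConsentRecord(**payload)
        self._records.append(rec)
        return rec

    def current_consent(self, customer_id: str, purpose: str) -> Optional[bool]:
        """Latest decision for this customer and purpose; None if never recorded."""
        for rec in reversed(self._records):
            if rec.customer_id == customer_id and rec.purpose == purpose:
                return rec.granted
        return None

    def verify(self) -> Optional[int]:
        """Return None if the chain is intact, else the seq of the first bad record."""
        expected_prev = self.GENESIS
        for i, rec in enumerate(self._records):
            if rec.seq != i or rec.prev_hash != expected_prev:
                return i
            if _hash_record(asdict(rec)) != rec.record_hash:
                return i
            expected_prev = rec.record_hash
        return None

    def records(self) -> List[ConsentRecord]:
        return list(self._records)


def demo_tamper_detection() -> Tuple[Optional[int], Optional[bool], Optional[int]]:
    """Build a small ledger, then simulate an in-place edit and detect it."""
    ledger = ConsentLedger()
    ledger.append("cust-001", "marketing", True, "2026-03-01T09:00:00Z")
    ledger.append("cust-002", "marketing", True, "2026-03-02T10:30:00Z")
    ledger.append("cust-001", "marketing", False, "2026-03-05T08:15:00Z")  # withdrawal

    before = ledger.verify()                                        # None: intact
    consent_now = ledger.current_consent("cust-001", "marketing")   # False

    # Simulate an administrator flipping the withdrawal back to "granted"
    # by overwriting the stored record without re-chaining it.
    original = ledger._records[2]
    ledger._records[2] = ConsentRecord(**{**asdict(original), "granted": True})
    after = ledger.verify()                                         # 2: hash mismatch
    return before, consent_now, after


if __name__ == "__main__":
    print(demo_tamper_detection())
```

The point of the chain is that withdrawal is recorded as a new entry rather than by editing the original grant, and that any later in-place change is visible to an auditor who re-verifies the ledger; in a production system the latest `record_hash` would additionally be signed or anchored outside the administrators' reach so that a rewrite of the whole chain is also detectable.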

2. Data Subject Rights

The PDP Law grants individuals the right to access, correct, and delete their personal data. ISO 27701 requires organizations to have documented procedures and response timelines (usually within days) to handle such requests.

Without ISO 27701, many organizations lack clear SOPs, leading to operational confusion when requests are made.

3. Data Breach Notification

The PDP Law requires organizations to report personal data breaches to regulators and affected individuals within a specific timeframe (3 x 24 hours).

ISO 27001 governs incident management, while ISO 27701 adds the privacy context. This means organizations must not only handle incidents but also notify regulators and data subjects when personal data is involved.

Many organizations fail here because they do not distinguish between a “security incident” and a “personal data breach.”

By adopting both ISO 27001 and ISO 27701, organizations gain a practical framework to meet PDP Law requirements, not just administratively, but operationally.

Which One is Better for You?

There is no universal answer. The choice between ISO 27001 and ISO 27701 depends on your business model, the type of data processed, and your exposure to privacy risks.

However, consider the following:

Start with ISO 27001 if:

  • Your organization does not process significant amounts of personal data (e.g., only limited employee data)
  • Your primary focus is meeting information security requirements from corporate clients or partners
  • Your industry does not yet impose strict data privacy regulations, and you operate domestically

Example scenario:

A manufacturing company running automated factory systems and storing production data for industrial clients. Personal data is minimal, so ISO 27001 is sufficient to build trust in information security.

Add ISO 27701 if:

  • Personal data is central to your business model (e.g., SaaS, fintech, e-commerce, health tech)
  • You are exposed to PDP Law compliance and potential regulatory audits
  • Clients or partners require privacy certification as part of vendor due diligence
  • You plan to expand into jurisdictions with mature privacy regulations (e.g., GDPR, CCPA)

Example scenario:

A SaaS company providing CRM platforms for banking and insurance sectors, managing sensitive customer data.

Such a company needs ISO 27001 to demonstrate platform security and ISO 27701 to prove privacy accountability, often a non-negotiable requirement in financial services.

Conclusion

ISO 27001 is the essential foundation for information security, while ISO 27701 is the privacy layer that has become a necessity in today’s data protection landscape.

Choosing only one may not be sufficient. For decision-makers such as CEOs, CTOs, and Heads of Compliance, the strategic question is no longer “which is better,” but “how quickly can we integrate both?”

A common audit finding is organizations that hold ISO 27001 certification but fail in privacy compliance due to neglecting consent and data subject rights—or the opposite: organizations with strong privacy policies but weak access security.

By integrating ISO 27001 and ISO 27701, organizations not only meet audit and regulatory requirements but also build customer trust.

In a competitive market, being able to say “we are not only secure, but we also respect your privacy” is a powerful non-financial asset.

FAQ: ISO 27001 vs ISO 27701

What is the main difference between ISO 27001 and ISO 27701?

ISO 27001 focuses on information security in general, while ISO 27701 focuses on personal data protection (privacy). ISO 27701 is an extension of ISO 27001.

Can ISO 27701 be implemented without ISO 27001?

No. ISO 27701 must be built on ISO 27001 as it uses ISMS as its foundation.

Is ISO 27001 enough for PDP Law compliance?

Not entirely. ISO 27001 helps from a security perspective, but privacy aspects like consent and data subject rights require additional controls provided by ISO 27701.

When should a company adopt ISO 27701?

When it processes personal data at scale, faces compliance requirements, or must meet regulations such as the PDP Law.

Can ISO 27001 and ISO 27701 be integrated?

Yes. In practice, they are designed to be integrated, with ISO 27001 as the foundation and ISO 27701 as the additional privacy layer.

Profile: Adaptist Consulting

Adaptist Consulting is a technology and compliance firm dedicated to helping organizations build secure, data-driven, and compliant business ecosystems.
