A privacy certificate you can actually hand to a buyer
Most privacy work leaves no artifact a customer can verify. You write a policy, you configure a banner, you sign a DPA, and the buyer still has to take your word for it. ISO/IEC 27701 exists to close that gap. It's an auditable, third-party certification for how you manage personal data, and it sits alongside SOC 2 as one of the two credentials enterprise procurement teams recognize on sight.
The standard changed in a big way last year. On 14 October 2025, ISO and IEC published a revised ISO/IEC 27701 as a standalone Privacy Information Management System (PIMS) standard. Before that, you couldn't certify to 27701 without first holding an ISO/IEC 27001 information security certificate, because 27701 was written as an add-on to it. Now you can certify the privacy system on its own. That opens the door for smaller teams and privacy-led companies that never wanted the full security-management overhead.
What a PIMS is, in plain terms
A management system is a documented, repeatable way of running one part of your business, with defined roles, controls, records, and a review cycle that proves it keeps working. ISO 27701 applies that machinery to personal data. It asks you to identify what personal information you hold, why you process it, on what legal basis, who you share it with, how long you keep it, and how you respond when a person exercises their rights.
The 2025 edition follows the same clause structure (4 through 10) as other modern ISO management standards, covering context, leadership, planning, support, operation, performance evaluation, and improvement. It aligns with the current ISO/IEC 27001:2022 and 27002:2022 wording, and it pulls in privacy controls for both sides of a data relationship: organizations that decide why data gets processed, and organizations that process it on someone else's instructions.
Controller or processor: the standard covers both
ISO 27701 splits its controls between two roles that map directly onto GDPR language. A PII controller decides the purposes and means of processing. A PII processor handles data on a controller's behalf. If you run a SaaS product, you're usually a processor for your customers' data and a controller for your own (your marketing site, your own analytics, your employees).
That distinction matters when you scope an audit. A processor certifying to 27701 is signaling to every customer at once: we've built controls for handling your data, and an accredited body checked them. That's exactly the assurance a buyer's security team is trying to extract when they send you a 200-question spreadsheet. If you want a refresher on which hat you wear for third-party trackers, see our guide on controller vs processor for analytics vendors.
How it maps to GDPR
ISO 27701 was built with regulation in mind. The standard includes mappings between its controls and the frameworks in ISO/IEC 29100, ISO/IEC 27018 (personal data in public clouds), ISO/IEC 29151, and the EU GDPR. A single 27701 control often satisfies several GDPR articles at once, which is why teams use the standard as a scaffold for their compliance program rather than reinventing one.
Be clear on the limit, though. A 27701 certificate is not a statement that you comply with GDPR. No supervisory authority issues it, and holding it doesn't reduce your legal responsibility. GDPR has its own certification route under Article 42, which is a separate thing (we cover it in GDPR certification mechanisms and Europrivacy). What 27701 gives you is strong, independent evidence that you run a disciplined privacy operation. Auditors and buyers read it as that, not as a compliance guarantee.
Where cookie consent fits
Consent is one of the lawful bases a PIMS has to account for, and cookies are where most companies actually collect it. To pass the parts of a 27701 audit that deal with choice and consent, you need to show three things: that you told people what you collect before you collected it, that you captured their decision, and that you can produce that record later, for a specific person and a specific date. A banner alone covers the first point. The second and third depend on logging every decision, including a later change of mind, so the record shows what was in force at the time a cookie was set rather than only the current state.
This is the practical link to a consent platform. CookieBeam records each consent decision with a timestamp, the banner version shown, and the specific purposes a visitor accepted or rejected. When an auditor sampling your privacy controls asks "show me proof that this user consented to marketing cookies on this date," that log is the answer. It won't write your PIMS documentation for you, and it won't make you certified. It produces the machine-generated evidence the certification depends on. See consent logging and audit requirements for what a defensible record contains.
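To make the shape of a defensible record concrete, here is a small append-only consent ledger with the point-in-time lookup an auditor's question implies. This is an added example, not CookieBeam's code or its data format; the field names, the banner version strings and the sample visitor history are all assumptions. It goes one step past the paragraph above by handling a visitor who accepts marketing on a later banner and then withdraws it, so the answer for a given date is the decision that was in force then, not the one in force now.

```javascript
// Added example, not CookieBeam's code. An append-only consent ledger whose
// lookup answers the auditor's question "what had this visitor decided about
// purpose X at instant T?". Field names and sample events are assumptions.

class ConsentLedger {
  constructor() {
    this.events = []; // append-only; entries are never edited or deleted
  }

  // Store one decision exactly as the visitor made it, together with the
  // banner version and the full list of purposes that banner offered.
  record(visitorId, bannerVersion, purposesOffered, purposesAccepted, recordedAt = new Date()) {
    const accepted = new Set(purposesAccepted);
    for (const p of accepted) {
      if (!purposesOffered.includes(p)) {
        // A decision for a purpose the banner never showed is not evidence of consent.
        throw new Error(`purpose "${p}" accepted but not offered by banner ${bannerVersion}`);
      }
    }
    const event = Object.freeze({
      visitorId,
      recordedAt: recordedAt.toISOString(), // ISO 8601 in UTC, so strings sort chronologically
      bannerVersion,
      purposesOffered: Object.freeze([...purposesOffered]),
      decisions: Object.freeze(
        Object.fromEntries(purposesOffered.map((p) => [p, accepted.has(p)]))
      ),
    });
    this.events.push(event);
    return event;
  }

  // Point-in-time lookup: the most recent event for the visitor at or before `at`
  // decides, so a later withdrawal does not rewrite what was true earlier.
  consentAt(visitorId, purpose, at) {
    const cutoff = at.toISOString();
    let latest = null;
    for (const e of this.events) {
      if (e.visitorId !== visitorId || e.recordedAt > cutoff) continue;
      if (latest === null || e.recordedAt >= latest.recordedAt) latest = e;
    }
    if (latest === null) return { status: 'no-record', evidence: null };
    if (!(purpose in latest.decisions)) return { status: 'not-offered', evidence: latest };
    return { status: latest.decisions[purpose] ? 'granted' : 'refused', evidence: latest };
  }
}

// Constructed sample history for one visitor: refuse marketing, accept it on a
// newer banner, then withdraw it. Returns what the ledger reports at four dates.
function demo() {
  const ledger = new ConsentLedger();
  const offered = ['necessary', 'analytics', 'marketing'];
  ledger.record('v-1', '2025.1', offered, ['necessary', 'analytics'], new Date('2025-03-01T10:00:00Z'));
  ledger.record('v-1', '2025.2', offered, offered, new Date('2025-06-15T09:30:00Z'));
  ledger.record('v-1', '2025.2', offered, ['necessary'], new Date('2025-09-01T12:00:00Z'));
  const ask = (iso) => ledger.consentAt('v-1', 'marketing', new Date(iso));
  return {
    february: ask('2025-02-01T00:00:00Z').status, // 'no-record'
    april: ask('2025-04-01T00:00:00Z').status,    // 'refused'
    july: ask('2025-07-01T00:00:00Z').status,     // 'granted'
    october: ask('2025-10-01T00:00:00Z').status,  // 'refused'
    bannerInJuly: ask('2025-07-01T00:00:00Z').evidence.bannerVersion, // '2025.2'
  };
}
```

The design choice worth noting is that the ledger stores what the banner offered alongside what the visitor accepted: a "granted" for a purpose the banner never listed is rejected at write time, because a record that cannot be tied to the notice the person actually saw does not prove informed consent. Real storage also needs integrity protection and a retention rule, which this in-memory sketch leaves out.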
Getting certified, and the transition clock
Certification works the same way as ISO 27001. You build the system, run it long enough to generate records, then bring in an accredited certification body that audits you in stages and issues a certificate valid for three years with annual surveillance checks. Expect a few months of preparation if you already have security controls in place, longer if you're starting from a blank page.
If you certified against the old 2019 version, you're on a clock. Organizations holding a 2019 certificate need to transition to the 2025 edition within a three-year window, which puts the deadline around 2028. The biggest practical change is the one worth planning around: you can now scope the privacy system independently of an ISMS, so revisit whether you still want to bundle it with 27001 or certify it on its own.
Is it worth it for you?
If you sell to enterprises in Europe, or to anyone whose procurement team runs a privacy review, 27701 pays for itself by shortening deals. It answers a whole category of questionnaire items with a single PDF and lets you skip the back-and-forth. If you're a small site that isn't selling B2B, the certificate is probably overkill, and you're better off spending the effort on solid consent records and a clear privacy policy. Either way, the underlying discipline (know your data, capture consent, keep the evidence) is the same work. The certificate just gets it audited. For the buyer-facing view of all this, read how to answer vendor security and privacy questionnaires.