ISO 27701 Privacy Information Management Certification Services


If demonstrating accountable, evidence-based privacy management is critical to your business, Linford & Company LLP can guide you through the requirements of ISO/IEC 27701:2025 with the same organized, repeatable processes our clients rely on for SOC, HITRUST, and ISO/IEC 27001 engagements.

Request an ISO 27701 Certification Assessment



Service Availability

Linford & Company LLP is not currently accredited to perform third-party certification audits against ISO/IEC 27701:2025. This page describes the certification policies and processes Linford & Company follows and will continue to follow when accredited certification audits for this standard become available; until then, no certificate issued under this scheme is an accredited certificate.

Linford & Company LLP is an ANAB-accredited certification body for ISO/IEC 27001:2022; that accredited service is delivered separately and is described on our ISO 27001 services page.

The International Organization for Standardization (ISO) is a non-governmental, independent global body. One of ISO’s main objectives is to bring together experts to develop relevant international standards that drive process innovation and address shared challenges across industries worldwide.

What is ISO/IEC 27701:2025?

ISO/IEC 27701:2025, “Information security, cybersecurity and privacy protection — Privacy information management systems — Requirements and guidance,” specifies the requirements for establishing, implementing, maintaining, and continually improving a Privacy Information Management System (PIMS). The PIMS extends the discipline of information security to the protection of personally identifiable information (PII) and addresses the obligations of both PII controllers and PII processors.

The 2025 edition is a substantial restructuring of the earlier ISO/IEC 27701:2019 document. The 2019 version was published as an extension to ISO/IEC 27001 — organizations could only be certified to 27701 alongside an existing ISMS. The 2025 edition is now a standalone management system standard, aligned to ISO’s Harmonized Structure (Annex SL). Organizations may still pursue 27701 as a joint audit with ISO/IEC 27001, but the dependency has been removed.

Key changes in the 2025 edition include terminology alignment with ISO/IEC 27001:2022 and ISO/IEC 29100, reorganization of controls to track the ISO/IEC 27002:2022 Annex A categories with PII-specific augmentations, and refreshed guidance on legal-basis mapping, data subject rights, and breach notification procedures.

What is ISO 27701 certification?

ISO 27701 certification provides independent assurance that an organization’s privacy management practices conform to the requirements of the international standard. Certification is issued by a PIMS certification body following a structured, two-stage audit and is maintained through annual surveillance over a three-year cycle.

Certification is increasingly relied on as third-party evidence of accountable PII handling — referenced in vendor due diligence, GDPR processor agreements, and procurement assessments. While certification does not, by itself, establish compliance with any particular privacy law, it provides a recognized framework that organizations can map to the GDPR, US state privacy laws, HIPAA, LGPD, and similar regimes.

The standard’s requirements also support privacy-by-design principles, embedding data protection into organizational processes rather than treating it as an afterthought, which in turn supports alignment of a 27701 PIMS with the GDPR.

What is the cost of an ISO 27701 certification assessment?

The cost of an ISO 27701 certification audit varies based on the scope of the PIMS, the volume and sensitivity of PII processed, the controller/processor role(s) in scope, the number of physical and virtual locations, the number of subservice organizations involved, and whether the engagement is performed standalone or jointly with ISO/IEC 27001. Organizations weighing ISO 27701 against ISO 27001, or pursuing both together, should note that a joint audit can reduce overall time and cost compared to two separate engagements. Linford & Company is committed to providing an accurate, detailed, and dependable quote before any audit engagement begins.

How can an organization achieve ISO 27701 certification?

The ISO/IEC 27701 audit and certification process is structured and consistently repeatable. The activities include the following steps:

  1. Complete the application process with Linford & Company.
  2. Engage in pre-certification activities to determine the start date of the initial audit and finalize the scope.
  3. Begin the Initial Audit — Stage 1 (design of the PIMS), including interviews and documentation evaluation.
  4. Begin the Initial Audit — Stage 2 (implementation and operating effectiveness), including PII processing observation and control testing.
  5. Obtain Year 1 of the three-year ISO 27701 certification cycle.
  6. Continue with annual surveillance audits and recertification at the end of the three-year cycle.

Initial & Continuing Certification Activity Details

The following steps describe the typical certification activities Linford & Company performs, based on the requirements of ISO/IEC 17021-1 and ISO/IEC 27006-1.

Initial Certification Activity

Application and Pre-certification Process

The application and pre-certification processes at Linford & Company are streamlined and efficient. Interested applicants enter their organization details into the “Request a Certification Assessment” form at the top of this services page. Applicants are then contacted and provided with an application to gather additional scope information used to determine technology expertise, staffing requirements, level of effort, including auditor hours, and other scoping details. The applicant returns the completed application to is***********@*******co.com or to their primary contact at Linford & Company. Client acceptance and impartiality review activities will be performed; based on the results, the applicant will enter into an executed certification agreement with Linford & Company.

Linford & Company will request the necessary artifacts and confirm with the client that the initial audit is ready to commence. The audit plan will be communicated to the client, and audit dates will be agreed upon in advance. The audit program for the initial certification includes a two-stage initial audit.

Stage 1 Audit

An evaluation of the design of the PIMS is performed in Stage 1. Linford & Company will audit the PIMS documentation supporting the design of the system. As part of this stage, inquiries are made and documents supporting the PIMS scope — including personnel, services/products, sites within scope, and the determination of controller and/or processor roles — are reviewed and evaluated. During the scope evaluation, Linford & Company will confirm that the organization has completed an internal audit, performed regular management reviews, and conducted an acceptable privacy risk and impact assessment that includes risk treatment. With this information evaluated, Linford & Company will assess the organization’s understanding of the standard, whether the scope and resources are appropriate, and whether the client is ready to move to Stage 2.

Stage 2 Audit

The objective of Stage 2 is to assess the implementation and operational effectiveness of the client’s PIMS. Stage 2 is conducted either at the client’s site(s) or through virtual meetings that provide evidence of the client’s desktop and cloud environments. Testing focuses on the determination and operation of the controller-specific and processor-specific controls in the ISO/IEC 27701 annexes, records of processing, data subject rights handling, breach response, and the integration of privacy with the broader management system. At the conclusion of Stage 2, Linford & Company will determine whether to issue certification.

When all certification steps are completed satisfactorily, Linford & Company will grant certification in the form of a certificate to the client. The initial three-year certification cycle starting date will be on, or reasonably timed after, the date of the certification decision.

If it is determined that the client does not meet the requirements necessary for certification, a certification refusal will be communicated to the client with sufficient detail regarding the rationale for the decision and the available next steps.

Continuing Certification Activity

Surveillance Audits: In order to maintain certification, continuing certification activity is required. This is carried out through surveillance audits. Linford & Company conducts surveillance audits at least once annually, except during recertification years. The first surveillance audit after initial certification must occur within 12 months of the documented certification cycle starting date.

Process to Maintain Certification: Along with the continuing surveillance audits, the client is expected to operate its controls and processes in the manner understood during the initial examination procedures. The client retains certification by demonstrating to Linford & Company ongoing conformity with the requirements of the management system standard.

Additional Information — Detailed Public Information

Linford & Company makes additional details publicly available, in accordance with ISO/IEC 17021-1 §8.1, in the companion “ISO/IEC 27701:2025 Certification — Detailed Public Information” PDF. The PDF covers:

  • Procedures for Modifying the Scope of Certification
  • Process for Renewing and Recertification
  • Process for Restoring Certification
  • Process for Withdrawing Certification
  • Complaints Process
  • Appeals Process
  • Process for Handling Information Requests
  • ISO Interested Parties and Impartiality Policies
  • Use of Linford & Company’s name, certification mark, and references to certification
  • Status of granted, suspended, and withdrawn certifications

Download the full ISO/IEC 27701:2025 Certification — Detailed Public Information PDF.

Experienced Privacy Auditors

Our seasoned auditors translate the requirements of ISO/IEC 27701:2025 into a clear, evidence-driven assessment process so your privacy management system can be certified with confidence.

Why Choose Linford & Company LLP?

Standalone PIMS or Joint Audit

Pursue 27701 on its own under the new standalone 2025 standard, or combine it with ISO/IEC 27001 for an integrated information security and privacy certification — we structure the engagement to fit the way your management system runs.

Mapped to How Regulators Look at Privacy

Our auditors translate 27701 requirements into the language of GDPR, US state privacy laws, HIPAA, and LGPD, so the resulting evidence supports both certification and your ongoing privacy program.

Senior Auditors, Not Junior Reviewers

Engagements are led by experienced privacy and security auditors who have run hundreds of compliance assessments. You will not be handed off to an inexperienced reviewer mid-engagement.

Ready for an ISO 27701 Certification Assessment?

Looking to get ISO 27701 certified? Complete the form above, and we will connect you with one of our expert auditors. We keep your contact information private and use it solely to communicate with you regarding your ISO 27701 audit. We do not sell or share your details with third parties.
