ISO 27701 Privacy Certification in Australia
ISO 27701 is now a standalone privacy standard. How Australian organisations use it to govern personal data, meet the Privacy Act and prove privacy accountability.
Personal data has become one of the most sensitive things an organisation holds, and proving you manage it responsibly is now a real commercial and legal requirement, not a nice gesture. ISO 27701 is the international standard for privacy information management, and it was significantly overhauled in 2025. The new edition changes how Australian organisations should think about it. This guide explains what ISO 27701 is, what the 2025 update changed, how it relates to the Privacy Act, and how to get certified.
Important 2025 change: ISO/IEC 27701:2025, published in October 2025, transformed the standard from an extension of ISO 27001 into a fully standalone Privacy Information Management System, or PIMS. You can now certify to ISO 27701 on its own, without first holding ISO 27001, although the two still integrate cleanly. Organisations on the older 2019 edition will transition to the 2025 version over the coming years.
What is ISO 27701?
ISO 27701 specifies the requirements for a privacy information management system: a structured framework for managing personally identifiable information, or PII, responsibly and in line with privacy laws. It applies to organisations acting as PII controllers, who decide how and why personal data is used, and as PII processors, who handle personal data on behalf of others. In practice that covers almost any modern organisation that holds customer, patient, employee or member data.
The standard gives privacy the same disciplined management treatment that ISO 27001 gives information security and ISO 9001 gives quality. It asks you to understand your privacy context and obligations, govern personal data with clear accountability, implement appropriate privacy controls, respect the rights of the people whose data you hold, and continually improve. The result is an auditable demonstration that privacy is genuinely managed rather than merely promised.
What the 2025 edition changed
The 2025 revision is the most significant in the standard's history. Most importantly, ISO 27701 is now a standalone standard. Previously it could only be implemented as an extension on top of an existing ISO 27001 information security management system. Now an organisation can pursue privacy certification in its own right, which lowers the barrier for privacy-driven organisations that do not need or want full ISO 27001. The 2025 edition also adopts the harmonised high-level structure shared by ISO 27001, ISO 9001 and ISO 42001, so it integrates smoothly in multi-standard environments, and it expands guidance to address modern realities such as cloud services, AI-related processing, biometrics and health data.
For organisations, the practical message is twofold. If you already hold ISO 27001, you can extend into privacy efficiently. If you do not, you can now pursue privacy certification on its own. Either way, the 2025 edition aligns the standard with global privacy regulation, including the GDPR, and with the direction of Australian privacy reform.
ISO 27701 and the Australian Privacy Act
ISO 27701 is not a law, but it interlocks tightly with Australian privacy obligations, which is much of its value here. Under the Privacy Act and the Australian Privacy Principles, organisations must manage personal information responsibly, take reasonable steps to protect it, and handle access, correction and breach matters appropriately. The Notifiable Data Breaches scheme adds reporting obligations. A certified privacy information management system is one of the clearest ways to demonstrate that these obligations are managed deliberately and evidenced, rather than left to ad hoc judgement.
With Australian privacy law under active reform and penalties for serious breaches having increased substantially, the ability to show structured, independently audited privacy governance is becoming a genuine asset, both in defending against regulatory scrutiny and in reassuring customers and partners who increasingly ask how their data is handled.
Who needs ISO 27701 in Australia?
- Organisations processing large volumes of personal data, from customer to employee to member information.
- Health, allied health and care providers holding sensitive personal and health information.
- Technology and SaaS companies whose customers demand privacy assurance, not just security.
- Financial services, insurance and fintech with significant personal data obligations.
- Service providers acting as data processors for larger clients who require privacy evidence.
- Any organisation operating across jurisdictions with overlapping privacy laws to reconcile.
What ISO 27701 requires
Following the harmonised structure, the requirements sit in clauses 4 to 10, with privacy-specific controls in the annexes covering both PII controllers and processors.
Context, leadership and privacy governance
You define your privacy context and obligations, and leadership establishes accountability and a privacy policy, elevating privacy from a set of controls to a governance discipline.
Privacy risk assessment and planning
You assess privacy risks in the context of your legal, regulatory and operational environment, and plan how to address them.
Controls for controllers and processors
You implement the privacy controls relevant to your role, whether you decide how personal data is used as a controller, handle it for others as a processor, or both. The controls cover the full lifecycle of personal data.
Rights, transparency and privacy by design
You respect the rights of the people whose data you hold, provide appropriate transparency, and build privacy into your processes by design rather than as an afterthought.
Performance evaluation and improvement
You monitor and evaluate your privacy management, audit it, conduct management review and improve, including learning from any privacy incidents.
How to get ISO 27701 certified in Australia
- Decide your approach: standalone privacy certification, or integration with an existing ISO 27001 system.
- Gap analysis against the 2025 standard and your current privacy practices.
- Privacy risk assessment, then build the system, controls and governance.
- Implement and embed, generating real privacy management records.
- Internal audit and management review, both mandatory.
- Stage 1 and Stage 2 audits by an accredited certification body.
- Surveillance and recertification across the cycle, transitioning from the 2019 edition if you hold it.
Common mistakes to avoid
- Assuming you still need ISO 27001 first, when the 2025 edition lets you certify to privacy on its own.
- Treating privacy as a legal box tick rather than a governed, operational discipline.
- Confusing privacy with security, when ISO 27701 addresses how personal data is used, not just protected.
- Ignoring data subject rights and transparency, which the standard specifically requires.
- Building to the 2019 edition when new certifications should target the 2025 standalone version.
How ISO Accreditation can help
We help Australian organisations build ISO 27701 privacy information management systems to the current 2025 standalone edition, whether on their own or integrated with ISO 27001 and ISO 42001. We align your privacy governance with the Privacy Act and global expectations, and build something you genuinely operate. Book a free consultation to discuss the personal data you hold and your privacy obligations.
Book a free consultation → isoaccreditation.com.au/contact-us
Call 1800 577 060 · info@isoaccreditation.com.au
Frequently asked questions
Do I need ISO 27001 before ISO 27701?
No longer. The 2025 edition of ISO 27701 is a standalone standard, so you can pursue privacy certification on its own. It still integrates cleanly with ISO 27001 if you hold both.
What is the current version of ISO 27701?
ISO/IEC 27701:2025, published in October 2025, is the current edition. It replaced the 2019 version and transformed the standard from an extension of ISO 27001 into a standalone privacy management standard.
Does ISO 27701 satisfy the Australian Privacy Act?
It does not replace the Privacy Act, but a certified privacy management system is one of the clearest ways to demonstrate that your obligations under the Australian Privacy Principles are managed and evidenced rather than ad hoc.
What is the difference between ISO 27001 and ISO 27701?
ISO 27001 secures information generally. ISO 27701 governs how personal data is used and protected, covering privacy-specific obligations and the rights of the people whose data you hold.
How long is ISO 27701 certification valid?
Three years, subject to passing surveillance audits, followed by recertification.