It is the question that comes up in almost every initial conversation we have about ISO 27701. An organisation wants to certify its privacy management practices. It understands the value of an independently audited PIMS. It is ready to invest. And then it learns that ISO 27701:2019 is an extension to ISO 27001 — which means you need ISO 27001 certification before you can pursue ISO 27701.

For some organisations, that is fine — they already hold ISO 27001, or they were planning to pursue it anyway. For others, it creates a significant obstacle. A privacy-forward professional services firm or a pure-play data processor may have mature privacy practices and a genuine need for PIMS certification, but limited readiness for a full information security management system implementation.

This post addresses the question directly — what the current requirement is, why it exists, what your options are, and where the standard is likely to go next.

Why ISO 27701:2019 Requires ISO 27001

ISO 27701:2019 was designed as an extension, not a standalone standard. Its structure assumes the existence of an ISO 27001 ISMS — it extends the management system clauses, adds privacy-specific controls on top of the information security control framework, and inherits the risk assessment methodology, internal audit requirements, and management review processes from ISO 27001.

This design reflects a genuine principle: privacy and information security are not separate disciplines. Personal data protection depends on information security controls. Access management, encryption, incident response, data minimisation, and secure disposal are simultaneously security controls and privacy controls. A PIMS without a functioning ISMS beneath it has structural gaps that affect both the rigour of the privacy management and the credibility of the certification.

That is the argument for the current requirement. It is not without merit.

What “Requires ISO 27001” Actually Means in Practice

You have two options if you want ISO 27701:2019 certification but do not currently hold ISO 27001:

Option 1: Implement ISO 27001 first, then implement ISO 27701 as an extension. This is the sequential approach. It typically adds 6–12 months to the timeline before ISO 27701 certification is achievable — the time required to implement, operate, and certify the ISO 27001 ISMS before adding the PIMS extension. For organisations with a clear roadmap and adequate resource, this is a structured path to dual certification.

Option 2: Implement both standards simultaneously as an integrated programme. This is more complex, requires more intensive support, and carries higher execution risk — but compresses the timeline significantly. An integrated implementation treats ISO 27001 and ISO 27701 as a single programme, designing the ISMS and PIMS together with shared policies, risk assessments, and management system infrastructure. Some certification bodies offer combined audits against both standards, which reduces audit overhead. For organisations with strong executive sponsorship and dedicated resource, this can achieve dual certification in 9–15 months from a standing start.

The Partial Path: ISO 27001 Certification Without ISO 27701, For Now

Some organisations in this position make a pragmatic decision: achieve ISO 27001 certification first, use the certification cycle to embed the ISMS, then add ISO 27701 as a planned extension at the first surveillance or recertification audit. This breaks the problem into two manageable steps and avoids the complexity of a simultaneous dual implementation.

The trade-off is timeline — if you need ISO 27701 certification to meet client requirements or regulatory expectations within the next 12 months, this path may not be fast enough.

What Is Coming: The Standalone Standard Debate

The question of whether ISO 27701 should require ISO 27001 as a prerequisite is actively discussed in the ISO technical committees. The next revision of ISO 27701 — which is in development and expected in the coming years — is widely anticipated to address this by making the standard capable of standalone certification.

This would allow organisations to certify their PIMS independently of an ISMS, which would significantly expand the addressable market for ISO 27701 and remove the barrier that currently prevents privacy-focused organisations from certifying without a parallel information security programme.

If your primary motivation for ISO 27701 is privacy accountability rather than information security certification, it is worth monitoring the revision timeline. The standard is evolving, and the next version is likely to change this calculus meaningfully.

What You Should Do Right Now

The right answer depends on your timeline, your current maturity against both standards, and what is driving the ISO 27701 requirement. A client contractual requirement with a 6-month deadline requires a different approach from a strategic decision to build privacy certification as a competitive differentiator over the next two years.

What does not help is waiting for the standards landscape to resolve itself. The next ISO 27701 revision is not here yet, and the October 2025 ISO 27001 transition deadline (from 2013 to 2022) means that any organisation implementing ISO 27001 now should be implementing the 2022 version regardless.

At Bitsecura, we work with organisations navigating exactly this question — whether to pursue ISO 27001 first, implement both together, or build a phased programme. We will give you an honest assessment of what each path requires for your specific context, without pushing you toward a larger engagement than you need.

If you want a straight answer about the right path for your organisation, get in touch here. No commitment, no agenda — just clarity.


Bitsecura provides ISO 27701 PIMS implementation, internal audit, and privacy gap assessment services. Learn more about our ISO 27701 services.