Certification audits are not random sampling exercises. Experienced lead auditors for ISO 27701 follow a consistent logic: they look for evidence that your Privacy Information Management System is real, operational, and genuinely managing the privacy risks your organisation faces — rather than a set of documents created to satisfy a checklist.
Understanding how auditors think is not about gaming the audit. It is about building a PIMS that can be honestly examined and that holds up to scrutiny — which is also, not coincidentally, a PIMS that actually protects the personal data it is supposed to protect.
The Audit Structure: What to Expect
An ISO 27701 certification audit follows a two-stage process, conducted alongside or as an extension of an ISO 27001 audit where both certifications are being pursued together.
Stage 1 — Documentation review. The auditor examines your PIMS documentation: the scope statement, data flow map, privacy policy, records of processing activities, Statement of Applicability (extended to include ISO 27701 controls), risk assessment documentation, internal audit report, and management review minutes. The purpose is to assess whether your documented PIMS is coherent, complete, and aligned with the standard’s requirements. A Stage 1 audit will identify major gaps that need to be addressed before Stage 2.
Stage 2 — Implementation audit. The auditor tests whether the controls documented in your PIMS are actually implemented and operating. This involves interviews with staff, review of operational records and system evidence, and sampling of processing activities from your data flow map. Stage 2 is where the gap between documentation and reality is exposed.
The Five Areas That Receive the Deepest Scrutiny
1. Records of processing activities. Your Article 30 register / data flow map is the auditor’s starting point. They will use it to select processing activities for sampling and will test whether the rest of your PIMS reflects those activities accurately. Gaps in the map — processing activities that exist but are not documented — undermine the entire PIMS, because controls cannot address risks that have not been identified.
2. Lawful basis documentation. For every processing activity in your register, you should have a documented legal basis. The auditor will test a sample: is the basis recorded? Is it appropriate for the processing described? If consent is relied upon, is there a consent record? If legitimate interests is relied upon, is there a legitimate interests assessment? Missing or inappropriate legal bases are among the most common findings at ISO 27701 audits.
3. Data subject rights. The auditor will ask to see your data subject rights procedure — and then ask for evidence that it has been followed. Show me a data access request you received in the last twelve months. When was it received? When was it responded to? What was provided? What process was followed? If you cannot produce a log of requests handled with dates and actions, your data subject rights control is a policy without an operational process.
4. Third-party processor management. ISO 27701 requires you to ensure that PII processors you engage are subject to appropriate contractual obligations — Data Processing Agreements under GDPR Article 28. The auditor will sample your third-party processor list and ask for evidence of DPAs for each. Missing DPAs, DPAs that reference outdated versions of the standard, or DPAs that do not reflect the current processing relationship are all findings.
5. Incident response and breach notification. The auditor wants to see that your privacy incident response process is operational — not just documented. If you have experienced a personal data breach in the past year, they will review how it was handled: when was it identified, when was it reported internally, was the supervisory authority notified within 72 hours where required, were affected individuals notified where required? If you have not experienced a breach, they may test the process through a tabletop exercise or by reviewing training records.
The Evidence That Most Organisations Lack
After working through multiple ISO 27701 certification audits, the evidence gaps that recur most frequently are:
Privacy training records. Your privacy awareness and training programme needs evidence of completion — not just a training policy. Who was trained? When? On what? Completion records need to be maintained for all staff who process personal data, and updated when significant changes to privacy practices occur.
DPIA documentation. Where Data Protection Impact Assessments are required (for high-risk processing activities), the DPIA must be documented, reviewed, and its outcomes reflected in the processing activity. Many organisations know they should have conducted DPIAs but have not documented them formally enough to present as audit evidence.
Management review outputs. Privacy performance metrics, data breach statistics, data subject request volumes and response times, and privacy audit findings should all be reported to management and documented in management review minutes. If your management review notes say only “no significant privacy issues,” auditors will probe whether management is actually monitoring the PIMS or simply rubber-stamping it.
Preparing for the Audit Without Manufacturing Evidence
The preparation that matters happens months before the audit — not in the weeks immediately preceding it. Evidence that is generated in a pre-audit sprint looks exactly like what it is. Auditors who review a training records spreadsheet where all completions are dated in the two weeks before the audit notice.
Operational evidence accumulates naturally when your PIMS is genuinely running: consent records are captured as consents are given, request logs are updated as requests arrive, vendor assessments are completed as new suppliers are onboarded. The audit preparation that works is confirming that these operational records are accessible and organised — not generating them on demand.
Bitsecura conducts ISO 27701 internal audits using the same methodology and sampling approach that certification auditors apply. We tell you what we find — including the things that need to be addressed before your external audit. That is the purpose of an internal audit that is worth having.
If you want an honest assessment of your PIMS audit readiness before your certification body gets involved, talk to us here. No strings, no obligation.
Bitsecura provides ISO 27701 PIMS implementation, internal audit, and privacy gap assessment services. Learn more about our ISO 27701 services.