Our services
ISO 27701 Certification
Let's Connect and Elevate Your Success Together.
Need help with ISO 27701?
We champion for ISO 27701 certification
What is ISO 27701:2025
ISO 27701 is an international standard that specifies the criteria for establishing a Privacy Information Management System (PIMS). It outlines how organizations should manage personal data including processes for collecting, storing and sharing.
Who needs ISO 27701 certification?
Organizations that handle personal data need this certification. These include; healthcare providers, financial institutions, business outsourcing providers, e-commerce companies and technology start ups.
Benefits of certification
- Improves Trust and Reputation - Implementing a Privacy Information Management System (PIMS) demonstrates commitment to protecting personal data building confidence among customers and other stakeholders
- Strengthens Risk Management - ISO 27701 identifies and addresses privacy risks systematically therefore enhancing data security.
- Global Market Access - ISO 27701 facilitates compliance with international privacy standards like the General Data Protection Regulation (GDPR) opening up new markets.
- Streamlines Operations - This standard intergates with information security management systems and can improve efficiency and reduce complexity.
- Stakeholder Accountability - Clarifies roles for data controllers and processors ensuring accountability in data handling.
ISO 27701 Certification Requirements
The latest 2025 update of the standard transformed it from an extension of ISO 27001 to a stand-alone management system. This essentially means that the standard will now follow the high level structure like the other standards (Clauses 1-10). This will make integration with other standards like ISO 27001 and 42001 easier.
The organization should:
- Determine external and internal issues that may affect the privacy information management system.
- Assess whether it is acting as a PII Controller, Processor or both.
- Determine, monitor and review requirements of interested Parties relevant to the Privacy Information Management System (PIMS).
- Document the scope of its privacy information management system.
- Maintain documented information to support the operation of its privacy information management system.
- Senior Management must demonstrate leadership and commitment with respect to the PIMS.
- Top Management must establish and maintain a privacy policy and objectives.
Top Management shall ensure the responsibilities and authorities for relevant roles are assigned, communicated and understood within the organisation.
- The organisation shall identify the privacy risks and opportunities and plan actions to address them.
- The company shall define and apply an risk assessment and treatment process to select appropriate treatment options.
- Determine controls necessary to implement the options.
- Identify and document the information security programme
- Privacy risks must be documented and consistent with the privacy policy.
- The organization should provide resources needed for the establishment, implementation, maintenance and continual improvement of the Privacy Information Management System.
- Determine the necessary competences of persons under the PIMS through education, training and experience.
- Make people aware of the Privacy Policy, Objectives and how they can contribute to the effectiveness of the PIMS and the implications of not conforming.
- Determine communications relevant to the Privacy Information Management System.
- The organization should maintain documented information required by the Standard and organisation’s Privacy Information Management System.
- It should control documented information by ensuring appropriate identification and description.
The organization shall:
- Plan processes to meet requirements and to implement the actions to control the risks.
- Perform privacy risk assessments at planned intervals
- Implement privacy risk treatment plan
The company shall control externally provided services and products relevant to the PIMS.
- Determine what is to be monitored and measured and the methods for monitoring, measurement, analysis and evaluation.
- The Organisation must plan, establish, implement and maintain an internal audit programme and conduct internal audits at planned intervals.
- Top management must review the Privacy Information Management System at planned intervals.
- The organization should identify non conformances and implement corrective actions.
- Organization shall continually improve the suitability, adequacy and effectiveness of the Privacy Information Management System.
Our Pricing
Our prices are tailored to the size of your organization.
- KES 700,000 + VAT for Implementation and Certification
- KES 100,000 + VAT for Surveillance Audits
- KES 250,000 + VAT for Recertification Audits
- KES 850,000 + VAT for Implementation and Ceification
- KES 150,000 + VAT for Surveillance Audits
- KES 300,000 + VAT for Recertification Audits
- KES 1,000,000 + VAT for Implementation and Certification
- KES 200,000 + VAT for Surveillance Audits
- KES 350,000 + VAT for Recertification Audits
- KES 1,200,000 + VAT for Implementation and Certification
- KES 250,000 + VAT for Surveillance Audits
- KES 400,000 + VAT for Recertification Audits.
- KES 1,500,000 + VAT for Implementation and Certification
- KES 300,000 + VAT for Surveillance Audits
- KES 450,000 + VAT for Recertification Audits
A quotation is obtained from office
information
- Nairobi office: Kimathi Street, Nanak House, 3rd floor, Rm 301
- (+254) 722 817 818
- info@valuemax.co.ke
- Accountability
- Accuracy
- Data Minimization
- Integrity and Confidentiality
- Storage Limitation:
- Purpose Limitation:
- Lawfulness, fairness, and transparency
A data controller determines which data will be collected and the purpose for collection and processing while data processor processes data on behalf of the controller.
Example: Company X (Data Controller) collects Tax Information Numbers from clients while Company Y processes this data on their behalf.
- Principle 1: Proactive not reactive.
- Principal 2: Privacy as the default setting.
- Principle 3: Privacy embedded into design.
- Principle 4: Full functionality.
- Principle 5: End-to-end security.
- Principle 6: Visibility and transparency.
- Principle 7: Respect for user privacy.
Got ISO Certification Questions? We’ve Got Answers! Your FAQ Guide.
Frequently asked Questions (FAQ)
ISO standards are internationally recognized guidelines and specifications developed by the International Organization for Standardization (ISO). ISO is an independent, non-governmental international organization composed of national standards bodies from different countries. ISO standards cover various fields and industries and are designed to provide best practices, consistency, and harmonization in processes, products, and services worldwide.
- Enhancing quality
- Facilitating international trade
- Ensuring safety and reliability
- Improving efficiency and productivity
- Mitigating risks
- Enhancing sustainability
- Building trust and credibility
- Enhanced quality and customer satisfaction
- Increased market access and business opportunities
- Risk mitigation and compliance
- Continuous improvement culture
- International recognition and reputation
- Improved efficiency and productivity
- Employee engagement and satisfaction
The time it takes to get ISO Certified can vary depending on several factors, including the size and complexity of your organization, the specific ISO standard(s) being implemented, the level of existing processes and documentation, available resources, and the commitment and readiness of your organization to undergo the implementation and certification process.
The cost of ISO Certification can vary significantly depending on several factors, including the size and complexity of your organization, the specific ISO standard(s) being implemented, the level of existing processes and documentation, available resources, and the approach taken for implementation and certification.
