ISO 27001 vs ISO 27701 in Australia: What’s the difference and which do you need?
10/20/2025 · Compliance365
If you sell to enterprises in Australia, ISO 27001 is often the first ticket to the dance. It proves your Information Security Management System (ISMS) is designed and operating.
ISO 27701 extends that ISMS with a Privacy Information Management System (PIMS)—so you can show how personal data is identified, minimised, governed and handled.
TL;DR
- Start with ISO 27001 to cover security controls, risk management, the Statement of Applicability (SoA), and internal audit.
- Add ISO 27701 when you process personal data at any scale, handle sensitive categories, or face privacy/regulatory scrutiny (health, gov, large B2B).
- You can layer 27701 onto an existing 27001 in ~4–8 weeks if your ISMS is healthy.
What each standard covers
| Area | ISO 27001 | ISO 27701 |
|---|---|---|
| Scope | Security management (ISMS) | Privacy management (PIMS) extending the ISMS |
| Core outputs | Risk register, controls, SoA, internal audit | DPIA (Data Protection Impact Assessment) framework, ROPA (Record of Processing Activities), rights handling, third-party clauses |
| Auditors look for | Risk-to-controls linkage, evidence cadence, operating effectiveness | Lawful basis, data lifecycle, privacy roles, records and approvals |
| Common pitfalls | Over-broad scope, thin risk-to-control links | ROPA entries too vague, no DPIA trigger thresholds, ad-hoc rights-request process |
When ISO 27001 is enough
- You store minimal personal data (e.g., business emails only)
- Your customers only ask for security assurance (not privacy)
When to add 27701
- You process customer/end-user personal data or special categories
- You face health/government procurement or vendor privacy reviews
- Buyers ask for DPIAs, ROPA, or rights request workflows
Deliverables that pass audits
- DPIA framework: when to trigger, how to approve, where to store evidence
- ROPA: accurate records with systems, purposes, retention and processors
- Rights handling: standard SLAs and approvals for access/erasure/objection
- Third-party privacy: due diligence, Data Processing Agreement (DPA) clauses and a monitoring cadence
- Evidence: approvals, exports and snapshots filed with retention & versions
Timelines (typical)
- ISO 27001: 8–12 weeks to certification with a tight scope
- Add ISO 27701: 4–8 weeks if your ISMS is already running well
Where to next?
- See our ISO 27001 and ISO 27701 services
- Try the ISO 27701 readiness checklist
- Want both together? Book a roadmap call and we’ll map the shortest path.