ISO 27701 · Privacy · Brisbane · Melbourne · Sydney · Australia-Wide
ISO 27701 extends ISO 27001 with privacy-specific controls. Same management system, same evidence pipeline, same audit cycle — with DPIAs (privacy impact assessments), ROPAs (records of processing activities), rights handling, and third-party privacy management layered on top. For organisations already ISO 27001 certified, we deliver it in 6–10 weeks.
Privacy used to be a "nice to have" alongside security. The Privacy Act amendments rolling out through 2026 change that. Three specific shifts your board should understand.
The maximum penalty for serious or repeated privacy breaches is now the greater of $50m, three times the benefit derived, or 30% of adjusted turnover. The OAIC has clearly signalled it intends to use these powers. "We didn't know" is no longer a defence.
A new statutory cause of action allows individuals to sue directly for serious invasions of privacy — without proving financial loss. This shifts privacy from a regulatory exposure to a civil litigation exposure, and the ones bringing the claims are plaintiff law firms, not regulators.
Privacy Impact Assessments are becoming mandatory for high-risk processing activities — AI-enabled decision making, biometric processing, large-scale data analytics. Without a structured PIA process you're either non-compliant or relying on ad-hoc judgement that won't survive scrutiny.
ISO 27701 is the most efficient framework for responding to all three pressures at once — and the only one that integrates cleanly with the security work you've already done.
Most consultants treat privacy as a separate engagement from security. That doubles the work, doubles the audit overhead, and creates two parallel management systems your team has to maintain. ISO 27701 was designed to avoid this — we build the way the standard intends.
Common path. Result: privacy bolt-on.
Our approach. Result: ~40% less total work.
Every ISO 27701 engagement covers these six areas, mapped to your existing ISO 27001 management system where one exists.
A complete Record of Processing Activities — every personal data flow mapped with purpose, legal basis, retention, recipients, and Controller/Processor role. Built in SharePoint with automated retention and deletion workflows. The artefact procurement actually asks for.
Privacy Impact Assessment methodology: screening triggers, full DPIA templates, routing and approval workflows, residual risk sign-off. Embedded in your daily processes — not a Word template no one fills out.
Workflows for access, correction, erasure, restriction, objection, and portability requests. Tracked end-to-end with SLA monitoring. Evidence pack ready for OAIC enquiries or customer audits.
Due diligence framework for new vendors, Data Processing Agreements (DPAs), sub-processor approval workflows, ongoing third-party monitoring, and breach notification clauses. Where most privacy programmes fall apart — and where ours holds together.
Role-based privacy training delivered via Viva Learning or your existing platform. Onboarding modules, annual refreshers, evidenced completion. Auditors expect to see this — most organisations don't have it.
Every ISO 27701 control mapped to its evidence artefact in SharePoint. Privacy-specific dashboards in Power BI. Generated on demand for OAIC enquiries, customer privacy questionnaires, and external audits. Same infrastructure as your ISO 27001 evidence.
ISO 27701 separates privacy responsibilities into two roles. Most organisations are both — Controller for their own data, Processor for data they handle on customers' behalf. The obligations are different, and most consultancies get this confused.
Role 1: Controller. You decide why and how personal data is collected and used. Examples: your own employee records, customer accounts, marketing databases, supplier contacts.
Your obligations:
Role 2: Processor. You handle personal data on behalf of a Controller. Examples: SaaS hosting customer data, payroll services, managed services delivering to a client.
Your obligations:
Part of the engagement is mapping every personal data flow in your ROPA and assigning the correct role. This is the foundation everything else builds on — most privacy programmes fail because this mapping was done sloppily or not at all.
ISO 27701 is the right framework for Australian organisations in one of these situations:
You have an ISMS, you have audit discipline, you have a senior practitioner relationship. Adding ISO 27701 on top is significantly cheaper and faster than starting from scratch — and consolidates your management system rather than fragmenting it.
Healthcare SaaS, fintech, edtech, HR-tech, marketing platforms. Your customers want evidence that personal data is governed properly. ISO 27701 is the credible structured answer that satisfies enterprise and government procurement.
The penalty increases, statutory tort, and mandatory PIA obligations rolling out through 2026 raise the cost of inadequate privacy governance. ISO 27701 is the most defensible framework for showing you took it seriously before something went wrong.
ISO 27701 maps closely to GDPR requirements. For Australian organisations supplying European customers, ISO 27701 is the most efficient way to demonstrate GDPR alignment without separate parallel certification.
Your Privacy Information Management System lives inside Microsoft 365 — not a separate platform. Here's what a Risk Register and PIMS Statement of Applicability look like inside SharePoint, mapped to both ISO 27701 and the Australian Privacy Act.
Risk Register — Privacy & Cybersecurity Controls
Statement of Applicability — ISO 27701 PIMS Controls
For organisations already holding ISO 27001 certification. Combined ISO 27001 + ISO 27701 from scratch typically takes 14–18 weeks.
Privacy scope
Personal data audit across the organisation. Initial ROPA mapping. Controller/Processor analysis. Gap assessment against ISO 27701 clauses.
Build
Full ROPA, DPIA framework, rights handling workflows, third-party privacy management, training rollout. Extend ISO 27001 policies with privacy clauses.
Evidence & audit
Evidence pack mapped to both ISO 27001 and ISO 27701 controls. Internal privacy audit. Dress rehearsal for external audit.
Certify
External certification audit. Single audit cycle covering both standards. Certificate issued on successful completion.
Answered plainly. If you have a question not covered here, the fastest way to get a real answer is a 30-min call.
No — ISO 27701 is an extension of ISO 27001 and requires an underlying ISMS. If you don't have ISO 27001, we deliver both together (14–18 weeks), which is still significantly cheaper than sequential delivery.
6–10 weeks to add ISO 27701 to an existing ISO 27001 certification. 14–18 weeks for combined delivery from scratch.
Fixed-price, $15k–$60k as an extension to existing ISO 27001 (depending on company size). $40k–$160k for combined ISO 27001 + ISO 27701 from scratch. Certification body fees are separate.
ISO 27701 maps directly to the Australian Privacy Principles and provides a structured framework for demonstrating Privacy Act compliance — including the reforms rolling out through 2026. It's not a substitute for legal advice on specific cases, but it's the most credible evidence framework regulators recognise.
No. We build inside your existing M365 environment — SharePoint, Power Automate, Purview, Teams. Privacy platforms have a place at enterprise scale, but mid-market organisations rarely need them. M365-native is faster, cheaper, and avoids ongoing licence costs.
Most organisations are both. We map every personal data flow in your ROPA and assign the correct role — so you apply the right obligations without overreach or gaps. Getting this right is foundational; getting it wrong creates compliance debt that surfaces in audits.
Yes. ISO 27701 implementation produces the documentation the OAIC looks for in a privacy investigation — a ROPA showing every personal data flow, DPIAs for high-risk processing, a data rights handling procedure, and evidence that privacy obligations are being managed actively. It's not a legal shield, but it is the strongest evidence posture you can have before a regulator asks questions.
A DPIA that finds no risks was probably not done properly. When a DPIA identifies a risk that can't be fully mitigated, the response is documented residual risk acceptance — sign-off from appropriate leadership with a rationale. This is exactly what regulators and auditors expect. The goal is not zero risk; it is demonstrable, documented risk management.
ISO 27701 builds on ISO 27001 and integrates with ISO 42001. Most clients deliver these as a single combined management system.
A free 30-minute call will scope your situation — what you have, what you need, what it would cost. If you'd be better off delivering ISO 27001 and ISO 27701 together, we'll tell you. No sales pitch.