5 Common Problems in ISO/IEC 27701:2025 Certification and Tips to Avoid Them
Published: Oct 18, 2022
Last Updated: Dec 1, 2025
If your organization is pursuing ISO 27701 certification, you may face unforeseen challenges that can potentially slow down the entire process. Many times, they just crop up suddenly, derailing your hopes of providing privacy assurances to your customers (at least temporarily).
As an ISO Certification Body, Schellman has performed countless 27701 certification assessments over the years, and our clients have encountered some of the same gaps many times over. Now, we want to help you avoid them.
In this article, we’ll go over 5 common issues that our ISO team frequently identifies during the ISO 27701 certification process. By addressing these challenges ahead of your organization’s initial certification or scope expansion, you can help your process proceed smoothly and more efficiently.
5 Common Gaps in ISO 27701 Certifications
1. PIMS Scoping and Documentation Issues
Scoping is delicate in every compliance initiative, so it is no wonder that organizations also run into problems scoping their ISO 27701 privacy information management system (PIMS).
Under ISO/IEC 27701:2025 the PIMS is no longer an extension of your ISO 27001 information security management system (ISMS), so when you define its scope and boundaries in the context of the processing of personal data, remember this:
- The PIMS should be scoped to include the privacy concerns focal to your privacy program.
- The scope of the PIMS may be narrower than your privacy program as a whole.
- The scoping documentation should clearly outline the boundaries of your PIMS – if a process is not intended to be included, it may be worth explicitly noting as such.
As you create and define these boundaries, you’ll face a key decision point: Do you fold the PIMS requirements into existing ISMS documentation or create standalone documentation?
- The case for folding in:
- If your ISMS/PIMS is one combined management system, you should be able to easily incorporate the PIMS scope into the ISMS documentation.
- You avoid the efforts of duplicative documentation and can also consolidate updating both sets for relevant changes.
- The case for additional documents:
- You are less likely to miss or exclude PIMS-specific areas, ISO 27701 references, or privacy requirements that have no ISMS counterpart.
- Separate departments are responsible for oversight of the two management systems, and there is no overlap in their activities.
2. Flaws in the ISO 27701 Risk Assessment
Another key item to get right is your ISO 27701 risk assessment. You’re required to do one, and it can either stand alone or be integrated into your security risk assessment process. The 27701 risk assessment requirements include:
- Identifying the applicable controls in Annexes A.1, A.2, and A.3 of ISO 27701 that help mitigate personally identifiable information (PII)-related risks; and
- Addressing the impact of the risk not just for your business but also for PII principals and their data.
Your 27701 risk assessment must include the following:
- Risk Identification: How do you identify risks and potential threats to your processing of PII?
- Risk Analysis: How do you estimate the likelihood and impact of a risk or threat materializing?
- Risk Documentation: How do you track, record, and assign owners to risks?
- Risk Treatment: How are risks mitigated? How are controls selected and implemented to lower the risk likelihood or impact?
3. Incorrectly Documented Statement of Applicability
Once you’ve completed the risk assessment, you’ll move on to the required statement of applicability (SOA). The SOA should tie back to the risk assessment and document the current control environment, not a future state. Capturing an anticipated circumstance rather than the present one is one of the most common SOA findings.
For example, if you do not currently act as a joint controller, the joint-controller control should be marked not applicable. A relationship that might exist in the future does not make the control applicable now.
Core components of your SOA—to be documented in a current state—include:
- Your implemented controls and their justifications
- The reasoning for all excluded controls
- The implementation status of controls
4. Lack of Internal Audit and Management Review
Internal audits are a required component of establishing and maintaining a PIMS, but they are also a way to double-check your team’s work. The internal audit should occur after the risk assessment (see #2) has been completed. Perform it to verify that:
- In-scope controls are appropriate and functioning; and
- ISO 27701 requirements and controls are met.
This will also help confirm that no necessary controls have been omitted. As a reminder, once the internal audit has been performed, the PIMS must still go through the established management review process. The management review allows senior leadership to perform an additional appraisal and confirm that the PIMS reflects the organization’s current landscape, considering the following factors:
- Have any changes occurred internally or externally that affect the PIMS?
- Are the documented needs and expectations of internal and external interested parties still accurate?
- Are there trends related to nonconformities, monitoring results, or audits that may reveal pervasive issues?
- How can the PIMS align more with best practice?
Tracking the outputs of these questions enables the organization to demonstrate the maintenance and continual improvement of the PIMS.
5. Commonly Misunderstood Controls in Annexes A.1 and A.2
With ISO standards being as comprehensive as they are, it should be no surprise that some controls are missed or misunderstood. Let us clear up some common misconceptions so you can avoid issues with these controls:
Joint Controller (A.1.2.8)
You should have specific joint-controller agreements established that document the roles and responsibilities for the processing of PII. It is a common pitfall to mark A.1.2.8 applicable based on the potential for a future joint-controller relationship, but remember that the SOA’s applicable controls should reflect the management system’s current state.

Temporary Files (A.1.4.7/A.2.4.2)
The control does not require that temporary files contain PII; it requires that temporary files created as a result of processing PII are disposed of within a specified, documented period. These may be database logs, metadata, or files the system or application creates in the normal course of business; which files qualify depends on your organization’s operations. The key characteristic is that a temporary file is no longer needed once the associated task has completed. ISO 27701 does not set a retention period, but it does state that you can rely on “garbage collection” procedures to identify and dispose of these files. Document the period you have chosen and retain evidence that disposal actually happens on that schedule.

Basis for PII Transfer Between Jurisdictions (A.1.5.2/A.2.5.2)
Recall Schrems II, the July 2020 decision by the Court of Justice of the EU that invalidated the Privacy Shield framework, thereby complicating the flow of personal data between the US and EU and requiring exporters to assess case by case whether Standard Contractual Clauses (SCCs) actually provide adequate protection. (The EU-US Data Privacy Framework adequacy decision of July 2023 has since provided a new transfer basis for certified US organizations, but the control’s requirement is unchanged: document the legal basis for each cross-border transfer.) That decision has caused some confusion regarding these requirements. To avoid that:

Infringing Instruction (A.2.2.5)
The control expects a processor to inform the customer when, in its opinion, a processing instruction infringes applicable legislation or regulation. Organizations often attempt to rely on language in a standard data processing agreement (DPA) here, and that is typically not sufficient for ISO 27701; you need a documented procedure for raising and recording such notices.

Records of PII Disclosure to Third Parties (A.1.5.5/A.2.5.4)
To satisfy this requirement, you must have:

Disclosure of Subcontractors Used to Process PII (A.2.5.7)
You must clearly disclose subprocessors, as well as any changes to the subprocessors used to process PII. As evidence, you can use a documented list of subprocessors that includes how PII is provided to them and how previous changes in subprocessors were communicated to customers.
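As an added example for the Temporary Files control discussed above (this is not code from the article or from Schellman), here is one way to implement the “garbage collection” job the control refers to: it finds files in a staging directory that match temporary-file patterns, deletes those older than a documented retention period, leaves everything else alone, and returns a record of what it found and did so each run can be kept as audit evidence. The retention period, the file-name patterns, the staging directory, and the sample files are all assumptions constructed for the demonstration.

```python
"""Added example: disposal of temporary files created while processing PII.

Not from the article or from Schellman. The retention period, file-name
patterns and the staging directory are hypothetical; the sample files are
constructed by build_constructed_staging_area() so the script runs offline.
"""
import os
import tempfile
import time
from dataclasses import dataclass
from pathlib import Path

# Hypothetical documented retention period: temp files older than this are
# disposed of on every run. The documented value is what you are held to.
RETENTION_SECONDS = 24 * 60 * 60

# Hypothetical patterns identifying files the export pipeline leaves behind.
TEMP_PATTERNS = ("*.tmp", "*.partial")


@dataclass(frozen=True)
class DisposalRecord:
    """One line of audit evidence: what was found, how old it was, what happened."""
    name: str
    age_seconds: float
    action: str  # "deleted", "retained" or "expired" (dry run)


def find_temp_files(root: Path, patterns=TEMP_PATTERNS):
    """Yield regular files under root that match a temporary-file pattern, once each."""
    seen = set()
    for pattern in patterns:
        for path in root.rglob(pattern):
            # Skip symlinks so a planted link cannot point the job outside the
            # staging area; skip anything that is not a regular file.
            if path.is_symlink() or not path.is_file() or path in seen:
                continue
            seen.add(path)
            yield path


def dispose_expired(root, retention_seconds=RETENTION_SECONDS, now=None, dry_run=False):
    """Delete temp files older than retention_seconds; return a record for every file seen."""
    now = time.time() if now is None else now
    records = []
    for path in find_temp_files(Path(root)):
        age = now - path.stat().st_mtime
        if age > retention_seconds:
            if dry_run:
                records.append(DisposalRecord(path.name, age, "expired"))
            else:
                path.unlink()
                records.append(DisposalRecord(path.name, age, "deleted"))
        else:
            records.append(DisposalRecord(path.name, age, "retained"))
    return records


def build_constructed_staging_area() -> Path:
    """Create a throwaway staging directory with constructed sample files."""
    root = Path(tempfile.mkdtemp(prefix="pii-staging-"))
    stale = root / "export-20240101.tmp"   # three days old: must be deleted
    fresh = root / "export-today.tmp"      # just written: must be retained
    other = root / "customer-notes.txt"    # not a temp pattern: untouched
    for path in (stale, fresh, other):
        path.write_text("constructed sample content\n")
    three_days_ago = time.time() - 3 * 24 * 60 * 60
    os.utime(stale, (three_days_ago, three_days_ago))
    return root


def demo():
    """Run the job against the constructed staging area.

    Returns (actions, remaining): the action taken per matched file, and the
    sorted names still on disk afterwards.
    """
    root = build_constructed_staging_area()
    actions = {r.name: r.action for r in dispose_expired(root)}
    remaining = sorted(p.name for p in root.iterdir())
    return actions, remaining


if __name__ == "__main__":
    for record in dispose_expired(build_constructed_staging_area()):
        print(f"{record.action:8} {record.name} (age {record.age_seconds / 3600:.1f} h)")
```

In practice the returned records would be written to a log that is kept for the audit, the job would run on a schedule shorter than the documented period, and `dry_run=True` would be used to review what a new pattern would catch before enabling it.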
Next Steps for Your ISO 27701 Certification
Aside from these, several other general issues we find during the certification process include:
- An overreliance on contractual agreements and the privacy notice
- While these documents are key to defining privacy obligations and responsibilities, you should also maintain policies and procedures that demonstrate how you communicate, support, and implement those obligations.
- Failure to consider or misunderstanding applicable legislation/regulations
- Organizations sometimes think ISO 27701 equates to compliance with a particular law or privacy regulation. And while the implementation guidance does reference laws/regulations, don’t make the mistake of failing to consider other applicable regulations—you might meet a control without actually meeting a legal requirement.
- The opposite is also true—you’ve chosen to go through this certification, so you cannot disregard a control requirement just because it’s not a legal requirement from another regulation that you’re subject to. If your risk assessment process has denoted a control requirement as applicable, you will be held accountable for implementation.
All of these issues can hinder a smooth ISO 27701 process, but with this list in hand you should be better positioned than most to steer clear of these causes of derailment and delay.
But this certification—and privacy as a whole—is very complex, so if you find that you still have some questions about how to make this process easier, please feel free to contact our dedicated privacy team, who would be happy to address any concerns you might have.
About Emily Heintz
Emily Heintz is a technical fellow with Schellman based in New Orleans, Louisiana. She currently manages privacy assessments and certifications across the full suite of offerings, including CBPR / PRP, ISO 27701, EU Cloud Code of Conduct, and Microsoft SSPA. Prior to joining Schellman in 2020, Emily worked as a Project Manager on the U.S. Privacy team at a Fortune 50 retailer focusing on designing controls to comply with the CCPA and conducting privacy reviews of emerging technology solutions. She also has experience implementing a privacy impact assessment and artificial intelligence impact assessment process at a Future 50 recognized company. She is an active member of the International Association of Privacy Professionals (IAPP), is a Fellow of Information Privacy (FIP), holding both the CIPP/US and CIPM certifications, and has obtained her CISSP.