You can now earn a standalone PIMS certification. But should you?
The International Organization for Standardization (ISO) recently published new ISO 27701 standards that allow organizations to seek third-party Privacy Information Management System (PIMS) certification as a standalone.
Under new ISO 27701:2025 rules, you can pursue ISO/IEC 27701 PIMS certification without first earning certification to ISO/IEC 27001 standards. This allows you to demonstrate a degree of organizational commitment to data privacy even if you don’t have full ISO 27001 information security controls in place.
But does pursuing a standalone PIMS certification really make sense? The answer depends heavily on your specific organizational needs. Keep reading to learn more.
What’s the difference between ISO 27001, ISO 27701 and PIMS?
ISO 27001 is a general information security framework designed to help your organization strengthen its security posture and protect against cyberattacks. ISO 27701 is a narrower data privacy framework for establishing a privacy information management system (PIMS).
- ISO 27001 is a gold-standard cybersecurity framework, comparable to SOC 2, NIST CSF or CMMC. It is widely adopted internationally, making it a go-to framework for organizations that operate across borders.
- ISO 27701 was originally created as an add-on module to ISO’s full cybersecurity standard.
- ISO 27701 is an excellent all-around privacy framework that is heavily based on the European Union’s GDPR rules. Getting your PIMS certified helps show that you are aligned with GDPR and provides third-party audited evidence of your commitment to privacy, making it especially useful for organizations looking to demonstrate their data privacy standards to international clients or customers.
- The older ISO 27701:2019 PIMS framework was published as an extension of ISO 27001 cybersecurity rules, but the new 2025 edition can be used alone (although it still implies some security elements).
What are the new rules for PIMS certification?
Your organization no longer needs to earn ISO 27001 certification to get certified as PIMS compliant. This means if you want to reassure your clients or customers that you will protect the privacy of their data, you can now earn PIMS certification to do so without going through the larger ISO 27001 compliance process.
- ISO revised its PIMS standard so that it can be implemented as a standalone standard, reducing barriers for organizations that are primarily concerned with data privacy rather than information security.
- The change is aimed specifically at organizations that may not have the resources to implement full ISO 27001 compliance, but do want to demonstrate their commitment to data privacy.
- Professional services or law firms that operate internationally could benefit from this change, especially if they share data between offices located around the world. It could also be useful for certain healthcare or healthtech businesses.
Should you pursue PIMS as a standalone certification?
If your organization has limited resources to devote to controls and compliance but a client or customer base that prioritizes data privacy, consider standalone PIMS certification as an option. It’s better than doing nothing and will help you show your clients or customers that you take their privacy seriously.
However, unless you already have strong cybersecurity controls in place, your organization would also benefit from implementing ISO’s full 27001 cybersecurity standards. Cyberattacks are essentially an inevitability for organizations of any size larger than a lemonade stand, and the volume of attacks is only increasing as AI tools lower the barriers to entry for would-be hackers.
The bottom line: Think of standalone PIMS as a stopgap measure at best — and aim to pursue ISO 27001 at either the same time or as soon as you have the resources to do so. This will help you protect your organization against cyberattacks that can cause financial, operational and reputational harm.
How do you achieve PIMS certification?
Achieving PIMS certification typically involves assessing your current data privacy controls against PIMS requirements, making the necessary changes and passing two audits: an internal audit and a third-party certification audit. CISOs considering pursuing PIMS should be aware that the process includes several key elements:
1. Find a risk and cybersecurity advisor
An advisory firm that specializes in risk management and cybersecurity can help you navigate the PIMS certification process. Look for a firm that understands your specific industry and has experience working with both ISO 27001 and PIMS.
2. Conduct a gap assessment
Assess your existing data privacy controls in light of the PIMS ISO 27701 requirements. This will help you determine what changes you may need to make to pass a certification audit.
3. Update your organizational data privacy controls
Based on your gap assessment, update your existing controls to align with PIMS ISO 27701 standards. This process is known as remediation and may include instituting new controls, training your staff and taking measures to help ensure ongoing compliance.
4. Do an internal audit
To achieve PIMS certification, you’ll have to pass a third-party audit. An internal audit is essentially a dress rehearsal for that third-party audit: you bring in an auditor to assess your controls and produce an audit report demonstrating your compliance with PIMS requirements. Once you pass the internal audit, you’ll be in good shape for the final certification audit.
5. Complete a final third-party certification audit
Your internal auditor will submit their audit report to a certifying body, which is an accredited, third-party certification organization that will then conduct an audit of its own. If you pass that audit, the certifying body will issue you a certificate demonstrating your PIMS compliance under ISO 27701 standards.
How Wipfli can help
We advise organizations on implementing cybersecurity and data privacy frameworks like ISO 27001 and 27701 PIMS. Ask us for help deciding which framework makes sense for your needs, instituting new controls, completing an audit and more. Start a conversation.