| Outcome | What this means |
|---|---|
| You achieve certification on your target timeline | Scoping, implementation, and audit prep aligned to your deal, investor, or contractual deadline |
| The certificate reflects how you handle data | Controls match how you actually process personal data, not a generic template auditors see through |
| You stay certified year after year | Surveillance and recertification audits pass without last-minute firefighting |
| Category | Activity |
|---|---|
| Kick-off and Context | A lightweight alignment call with founders or leadership to agree scope (which processing activities are in), whether you act as a controller, a processor, or both, your objective (certification with the least overhead), accountability (a named senior contact), and interested parties (customers, data subjects, regulators, investors, staff). |
| Compliance Platform Implementation (optional) | Connect the platform to your existing systems so it can automatically collect evidence. We configure integrations, set owners and review cycles, and set up the privacy module so the dashboard reflects how your business actually runs. |
| Personal Data Inventory and Records of Processing | Map the personal data you hold, where it comes from, why you process it, who you share it with, and how long you keep it, captured in a Record of Processing Activities that doubles as evidence for the PIMS. |
| Privacy Risk Assessment and DPIAs | Assess privacy risk to individuals alongside your information security risk, and set up a data protection impact assessment process and template for anything new that uses personal data. |
| Statement of Applicability | Extend your Statement of Applicability to the ISO 27701 controls that apply to you as a controller (Annex A), a processor (Annex B), or both, with a documented justification for what is in and out. |
| Documentation | Create or refine the privacy policies and procedures you will actually use: a data protection policy, lawful basis register, consent records, privacy notices, a retention schedule, a data subject request procedure, a breach response procedure, privacy by design, international transfer controls, and processor and sub-processor agreements. |
| Control Implementation Support | Guide the technical and organisational privacy controls (for example consent capture, data subject request fulfilment, retention and erasure, and transfer mechanisms) and validate they work. |
| Competence and Training | Set up privacy awareness training for all staff, with records to demonstrate competence, and make sure people in privacy-relevant roles have the right knowledge. |
| Internal Audit and Management Review | Conduct the first-cycle internal audit across the combined security and privacy management system, and facilitate the inaugural management review with leadership. |
| Certification Preparation | Run a readiness check, coordinate corrective actions, and rehearse the auditor Q&A and logistics for the combined ISO 27001 and ISO 27701 assessment. |
| Category | Activity |
|---|---|
| Continuous Monitoring | Operate compliance automation integrations to harvest evidence, track control performance, and surface alerts for privacy or security controls that aren't working as expected |
| Records and Privacy Risk Management | Keep the Record of Processing Activities current, refresh DPIAs as processing changes, and update privacy risk treatment on a quarterly cadence |
| Internal Audit Programme | Plan and execute thematic spot checks and full-scope audits across the privacy and security controls, logging findings and corrective actions |
| Policy and Procedure Maintenance | Schedule reviews, keep privacy notices accurate as the business changes, update documents for changes to standards or operations, and manage version control |
| Management Review | Prepare a summary of key metrics and run semi-annual management review sessions, capturing decisions and action items |
| Audit Liaison | Coordinate with the Certification Body for surveillance and recertification audits; track evidence requests and responses |
| Privacy Awareness and Training | Deliver onboarding modules, annual refresher, and targeted campaigns; monitor completion metrics and maintain competence records |
| Processor and Supplier Oversight | Assess processors and suppliers who handle personal data, keep data processing and sub-processor agreements current, and monitor third-party assurance reports |
| Data Subject Rights and Breach Readiness | Keep the data subject request and breach procedures current and tested so they work when needed. Operating them in real time is the DPO service or your own team |
| International Transfer Watch | Track adequacy decisions and transfer mechanisms (for example SCCs and the UK IDTA), and update controls when they change |
| Standards and Regulatory Watch | Monitor ISO, ICO, EDPB, and sector-specific updates; advise on required control adjustments |
| Category | Activity | Frequency |
|---|---|---|
| Monthly Check-in | Track open actions, new privacy risks, control performance issues, and alerts. | Monthly |
| Privacy Risk and Records Review | Refresh the Record of Processing Activities, re-score top privacy risks, verify treatment progress, and review any new processing. | Quarterly |
| Management Review | Present a summary of objectives, incidents, audit results, and corrective actions. Record decisions and assignments for continual improvement. | Semi-annual (minimum) |
| Internal Audit Governance | Approve the annual internal audit plan; track execution and close-out of findings; adjust scope based on risk review outcomes. | Annual plan; progress check at each leadership meeting |
| Policy and Procedure Governance | Systematic review of the privacy and security policy suite; confirm privacy notices remain accurate; publish updated versions. | Quarterly |
| Processor and Supplier Oversight | Reassess processors and suppliers handling personal data; review their assurance reports and agreements; update the supplier risk register. | Quarterly |
| External Audit Liaison | Prepare auditor access, evidence sampling, and logistics for surveillance or recertification audits; debrief outcomes and action plans. | Annually (surveillance) / every 3 years (recertification) |
| Training and Awareness Governance | Track privacy and security awareness completion, role-based training needs, and plan the next campaign. | Quarterly |
| Category | What's not included |
|---|---|
| Acting as your Data Protection Officer | Operating as your named, independent DPO and formal ICO contact point. That is our DPO as a Service |
| Operating data subject requests and breaches | We build, maintain, and test the procedures and keep the PIMS current. Running requests and breaches in real time, within the legal deadline, is the DPO service or your own team |
| ISO 27001 certification (where not held) | The security management system underneath ISO 27701. We can implement it alongside as a combined programme. See our ISO 27001 service description |
| Other compliance frameworks | SOC 2, PCI-DSS, NIST CSF, and similar. See our separate service descriptions |
| Legal and contract drafting | Negotiating or red-lining DPAs, MSAs, or supplier clauses. We supply privacy language; final legal vetting sits with your counsel |
| EU Representative | If you are UK-based but processing EU residents' data and need an EU Representative, that is a separate appointment. We can advise on whether you need one |
| Implementing technical controls | If the project finds you need better encryption, access controls, or tooling, we tell you what is needed. Your IT team implements it |
| Penetration testing | External or internal penetration tests and social-engineering simulations |
| Procurement and licensing | Compliance platform subscriptions and certification body fees |
| Travel and on-site expenses | Consultant travel, accommodation, per diem |
| Audit costs | The certification audit itself is procured directly from the auditing company. We can advise on selecting and procuring an auditor |
| Assumption | Why this matters |
|---|---|
| ISO 27001 is in place or implemented in parallel | ISO 27701 is certified as an extension to ISO 27001. Without the security management system underneath, the privacy certificate cannot be issued. |
| Executive sponsorship is active and visible | A named senior leader approves scope, risk appetite, and resource allocation; without this, key decisions stall. |
| You provide timely access to people, systems, and records | Interviews, evidence collection, and control validation depend on access to the right people, systems, and documentation. |
| You implement remediation actions you own by agreed due dates | Oxford Infosec guides and validates; hands-on changes (for example configuring retention or consent capture) remain your responsibility. |
| Processors and suppliers cooperate with assurance requests | ISO 27701 requires oversight of those who process personal data on your behalf; delays caused by non-responsive vendors are outside our control. |
| Legal review of policies and contracts is provided by your own counsel | Oxford Infosec supplies privacy language, but final legal vetting sits with you. |
| Engagement is delivered remotely unless on-site days are mutually scheduled and pre-approved | Travel costs are excluded unless explicitly agreed. |
| All communications are in English and within your standard working hours (UK/Europe time zone) | Ensures availability for workshops, meetings, and advisory calls. |
| Privacy incidents and breaches are disclosed promptly | Timely awareness is required to keep the risk register, improvement log, and evidence current. |
| Certification body fees and scheduling are your responsibility | Oxford Infosec assists with liaison and readiness but does not contract directly with the auditor. |