Frequently asked questions
- What is ISO 27701 for SaaS?
- ISO 27701 is a privacy extension to ISO 27001 that helps SaaS teams manage personal data through defined roles, controls, and evidence.
- Do I need ISO 27001 before ISO 27701?
- In practice, ISO 27701 is typically implemented on top of an ISO 27001-based information security management system, because it extends that framework with privacy controls.
- Is ISO 27701 enough for Indonesia privacy compliance?
- No. It can support your privacy program, but you still need to assess applicable Indonesian laws, contracts, and customer requirements with qualified legal or audit support.
- What evidence should a SaaS company keep?
- Keep records such as data maps, privacy notices, DPIAs or risk assessments, vendor reviews, retention rules, incident logs, and access control evidence.
- Can APLINDO help with ISO 27701?
- Yes. APLINDO supports SaaS and enterprise teams with compliance consulting, applied AI, and engineering help, including privacy program design and evidence automation.
Why ISO 27701 matters for SaaS
SaaS companies handle personal data every day: user profiles, billing details, support tickets, logs, analytics, and sometimes sensitive business information. As the product grows, privacy obligations also grow. ISO 27701 gives teams a structured way to manage those obligations inside an information security program rather than as scattered tasks across legal, security, and engineering.
For funded startups and enterprises in Jakarta, Indonesia, and global markets, this matters because customers increasingly ask how data is collected, stored, shared, and deleted. A privacy program built around ISO 27701 helps answer those questions with documented controls and repeatable processes.
What ISO 27701 actually adds
ISO 27701 is a privacy extension to ISO 27001. It does not replace security controls; it adds privacy-specific governance for personally identifiable information, often called PII. The standard helps organizations define how they act as a PII controller, a PII processor, or both.
For a SaaS business, that distinction is important. If your platform decides why and how customer data is used, you may act as a controller in some contexts. If you process data on behalf of enterprise customers, you may act as a processor. Many SaaS companies do both depending on the workflow.
ISO 27701 helps you document that reality instead of guessing at it.
What does a privacy program need to cover?
A useful privacy program is not just a policy page. It should connect governance, product design, operations, and evidence. At minimum, a SaaS team should be able to answer these questions:
- What personal data do we collect, and why?
- Where does the data flow, including vendors and sub-processors?
- Who can access it internally?
- How long do we keep it?
- How do we handle deletion, correction, and access requests?
- How do we assess new features that change data processing?
- How do we prove these controls are working?
If those answers live only in people’s heads, the privacy program will break under growth, audits, or customer due diligence.
Key takeaways
- ISO 27701 turns privacy into a managed system, not a one-off policy.
- SaaS teams need clear roles, data maps, retention rules, and request handling.
- Evidence matters as much as intent: auditors and customers want proof.
- In Indonesia, privacy programs should align with local legal and contractual requirements.
- ISO 27701 supports compliance work, but it does not guarantee certification or legal outcomes.
How to build the program in practice
Start with scope. Define which products, teams, and environments are included. For a SaaS company, that usually means production systems, support tooling, analytics platforms, and the vendors that touch customer data. If you run multiple products, such as a self-hosted e-signature platform or WhatsApp-based engagement tools, each product may have different privacy risks and data flows.
Next, map the data. Create a living inventory of data categories, processing purposes, retention periods, and legal or contractual bases. Keep it simple enough for engineering and product teams to update. A data map should show where data enters the system, where it is transformed, where it is stored, and where it exits.
Then define privacy roles and responsibilities. Someone must own privacy governance, even if the company does not have a large legal team. In smaller SaaS organizations, that owner may be a security lead, compliance lead, or Fractional CTO working with management. The key is to make accountability explicit.
After that, build controls around the lifecycle of personal data:
- collection minimization at the product layer
- encryption in transit and at rest
- access reviews for support and engineering staff
- retention and deletion rules
- vendor due diligence and contract review
- incident response for privacy events
- subject request workflows for access, correction, and deletion
These controls should be integrated into engineering workflows, not bolted on later. For example, a new feature should not launch until privacy review confirms the data fields, retention, and third-party sharing.
How does ISO 27701 fit with ISO 27001?
Think of ISO 27001 as the security foundation and ISO 27701 as the privacy layer on top. Security controls protect systems and data broadly. Privacy controls focus on lawful, transparent, and limited use of personal data.
A SaaS company pursuing ISO 27701 usually needs a mature ISO 27001-style management system first. That means policies, risk management, internal audits, management review, corrective actions, and evidence collection already exist. ISO 27701 then extends that system with privacy-specific requirements.
This is why many teams treat privacy and security as one operating model. It reduces duplication and makes it easier to maintain controls as the product evolves.
What evidence should you prepare?
Evidence is where many privacy programs become real. If a control exists but nobody can show it, the program will be hard to defend in an audit or customer review.
Useful evidence includes:
- data protection or privacy policy
- records of processing activities
- data flow diagrams
- vendor and sub-processor assessments
- access review logs
- retention and deletion procedures
- incident response records
- privacy impact or risk assessments for new features
- training records for relevant staff
- customer request handling logs
For SaaS teams in Indonesia, it is also wise to keep evidence of how local obligations are reviewed and how cross-border transfers are assessed where applicable. That review should be done with qualified legal or audit support when needed.
Common mistakes SaaS teams make
One common mistake is treating privacy as a legal document project. A policy alone does not manage data. Another mistake is building controls only for enterprise sales questionnaires, then failing to operationalize them in product and support teams.
Teams also often focus too much on certification and too little on operating discipline. ISO 27701 is most valuable when it improves day-to-day decisions: what data to collect, what to delete, what to share, and how to respond when a customer asks for proof.
A final mistake is ignoring vendors. SaaS products often depend on cloud hosting, analytics, ticketing, messaging, and payment providers. If those vendors process personal data, they belong in the privacy program.
A practical rollout plan for a SaaS company
A realistic rollout can happen in phases:
- Assess current state: review existing security and privacy controls.
- Map data flows: identify all personal data and third parties.
- Assign ownership: define who approves privacy decisions.
- Close control gaps: add retention, request handling, and vendor review processes.
- Automate evidence: use workflows and tooling to capture proof continuously.
- Run internal reviews: test whether controls work as designed.
- Prepare for external assessment: organize documentation and remediation plans.
This approach is especially useful for remote-first teams, including companies operating from Jakarta with distributed engineering and customer success functions. Clear documentation and automation reduce dependency on informal knowledge.
Where APLINDO fits
APLINDO helps funded startups and enterprises design compliance programs that work in real engineering environments. Based in Jakarta and operating remote-first, APLINDO supports SaaS engineering, applied AI, Fractional CTO work, and ISO/compliance consulting. For privacy programs, that often means helping teams connect governance requirements to product architecture, evidence automation, and operational workflows.
If your SaaS team needs privacy controls that are practical, auditable, and aligned with business growth, ISO 27701 is a strong framework to build from. The goal is not paperwork. The goal is a privacy operating model that your team can actually run.
FAQ
Is ISO 27701 only for large companies?
No. Startups and mid-sized SaaS companies can use it too, especially when enterprise customers expect formal privacy controls.
Does ISO 27701 cover all privacy laws?
No. It is a management framework, not a substitute for legal review. You still need to assess applicable laws and contracts.
How long does it take to implement?
It depends on your current maturity. Teams with existing ISO 27001 controls can move faster than teams starting from scratch.
Can privacy controls be automated?
Yes. Many controls can be supported with ticketing workflows, IAM reviews, data discovery, retention tooling, and evidence collection automation.
Should product teams be involved?
Absolutely. Privacy decisions affect feature design, data collection, telemetry, support, and deletion workflows, so product and engineering must participate.