ISO 27701 Lead Auditor

The ISO 27701 Lead Auditor Course prepares professionals to plan and conduct audits of Privacy Information Management Systems, assessing conformity and effectiveness against ISO 27701 requirements. The training covers the full audit process, with a focus on independence, evidence and professional judgement.

Upcoming dates

Confirmed dates.
Synchronous, live training with interaction with the trainer and the group.

27 April 2026
Live Online • next edition
14 September 2026
Live Online • base price
Duration: 4 days / 40h
Language: available in Portuguese or English
Training: practical and case-study based
Exam: 4h
SPECIALIST LEVEL — advanced competences to address critical challenges in this area

Why this course exists

To turn ISO/IEC 27701 and GDPR requirements into real, demonstrable auditing aligned with international best practices.

Many organisations implement privacy and data protection initiatives but fail when they need to demonstrate conformity, auditable evidence and the ability to respond to internal and external audits. This course prepares professionals to structure an Audit Programme, lead teams and conduct audits of a PIMS in conformity with ISO/IEC 27701 and the GDPR, with method, consistency and a results-oriented approach.

What this course enables you to do

Structure

Design and maintain an audit programme (internal and/or external) aligned with ISO/IEC 27701 and the GDPR, supported by best practices.

Plan

Prepare and plan audits (objectives, criteria, scope, team, plan and approach), including Stage 1 and Stage 2 audits.

Conduct

Perform audits using appropriate methods for collecting and verifying evidence, with effective communication and team management in a real context.

Conclude

Record findings and nonconformities, build conclusions, produce the report and manage follow-up, supporting ongoing ISO/IEC 27701 and GDPR conformity.

Frameworks, standards and best practices addressed throughout the course

ISO/IEC 27701
GDPR (EU 2016/679)
ISO/IEC 27001
ISO/IEC 27002
ISO 29100
ISO 19011
ISO/IEC 27007
ISO/IEC 27008
ISO/IEC 17021-1
ISO/IEC 27006
ISO/IEC 17024
Audit Programme
Stage 1 & Stage 2
BEHAVIOUR Methodology (step-by-step)

Value for the organisation

  • Greater governance and control capability over the PIMS, with structured internal audits and consistent evidence.
  • Reduced risk of critical nonconformities in external audits, through preparation and method.
  • Continuous improvement based on findings, corrective actions and auditable follow-up.
  • A more competent team to interact with privacy/security functions and support audits and ISO/IEC 27701 certification.

Introduction

The ISO 27701 Lead Auditor course is supported by a case study and challenges participants to audit a Privacy Information Management System (PIMS), integrated with an ISMS, based on the requirements of ISO/IEC 27701 and internationally recognised auditing best practices.

Beyond understanding concepts, principles and requirements, the ISO 27701 Lead Auditor course focuses on the ability to plan and conduct ISO/IEC 27701 audits, applying a structured auditing methodology proposed by BEHAVIOUR, supported by templates and tools for internal and external audits.

This Training Plan and all associated documents are protected by Copyright and registered as a literary work with IGAC.

General Objectives

At the end of this course, participants will be able to:

  • Understand the fundamental concepts of privacy, data protection and information security.
  • Know and understand the requirements of the GDPR and ISO/IEC 27701 and the correlation between the GDPR, ISO/IEC 27701, ISO/IEC 27001, ISO/IEC 27002, ISO 29100 and other regulatory standards and frameworks for privacy management.
  • Understand the requirements for an ISO/IEC 27701 PIMS and its implementation and operation process.
  • Understand the fundamental concepts and principles of auditing based on ISO 19011.
  • Establish, implement, maintain and improve an internal audit programme in conformity with ISO/IEC 27701 and the GDPR.
  • Prepare and plan conformity audits against an ISO/IEC 27701 PIMS and/or audits of GDPR conformity.
  • Conduct audits (Stage 1 and Stage 2), obtain evidence, record findings and conclude audits with reporting and follow-up.
  • Acquire the knowledge required to succeed in the “BEHAVIOUR Certified Data Protection 27701 Lead Auditor” exam.

Target Audience

  • Information Security and Data Protection professionals, IT/IS consultants and other specialists who need to perform internal or external audits.
  • Internal auditors who participate in or lead ISO/IEC 27701 and/or GDPR audits.
  • External auditors and professionals who intend to work with Certification Bodies in ISO/IEC 27701 and/or GDPR certification audits.
  • Managers or heads of audit functions/departments who wish to establish an ISO/IEC 27701 and/or GDPR audit programme.
  • Project managers who coordinate (or are preparing to coordinate) ISO/IEC 27701 implementation programmes and need to understand audit requirements.
  • Professionals involved in the implementation or operation of a PIMS based on ISO/IEC 27701 who wish to better understand the audit process.

Prerequisites

There are no mandatory formal prerequisites. However, previous experience or exposure to data protection and privacy, Privacy Information Management Systems (PIMS) integrated with an ISMS, audits, risk management, governance and operations, as well as familiarity with standards and best practices from the ISO/IEC 27000 family and ISO/IEC 27701, is recommended.

In addition, other specific requirements may apply, where relevant, depending on the quotation/proposal presented (please consult the proposal).

Programme

Privacy, data protection and GDPR framework
  • Introduction to the course
  • Fundamental privacy and data protection concepts and principles
  • Progressing to GDPR and/or ISO/IEC 27701 certification
  • Privacy and data protection in the EU and related frameworks
ISO/IEC 27701 and ISO/IEC 27001 requirements and mapping with the GDPR
  • Data protection and the EU framework (GDPR)
  • Data protection and the ISO/IEC 27701 and ISO/IEC 27001 standards
  • Mapping the requirements of ISO/IEC 27701, ISO/IEC 27001 and the GDPR
  • Introduction to audit concepts and principles based on ISO 19011
Prepare, plan and initiate the audit; conduct Stage 1 and Stage 2
  • Internal audit programme
  • Preparation and planning for PIMS and GDPR audits
  • Communication during the audit
  • Planning and audit initiation
  • Conduct the document audit (Stage 1)
  • Summarise information and plan the on-site audit (Stage 2)
  • Conduct the on-site audit (Stage 2)
Conclude the audit, reporting, follow-up and maintenance
  • Collection and verification of information: audit methods and testing
  • Identification and recording of findings
  • Preparation for conclusions
  • Closing the audit; preparing and distributing the report
  • Follow-up activities (follow-up audit)
  • Maintain ISO/IEC 27701 and/or GDPR certification
  • People certification and course closure

Exam(s) and Certification

Exam “Certified Data Protection 27701 Lead Auditor”

The exam covers the following competence domains:

  • Domain 1: Privacy and data protection concepts and principles
  • Domain 2: EU GDPR, ISO/IEC 27701 and related data protection frameworks
  • Domain 3: Fundamental audit concepts and principles based on ISO 19011
  • Domain 4: Establish and maintain an internal audit programme for the GDPR and ISO/IEC 27701
  • Domain 5: Prepare and plan GDPR and ISO/IEC 27701 audit activities
  • Domain 6: Conduct GDPR and ISO/IEC 27701 audit activities
  • Domain 7: Conclude and close GDPR and ISO/IEC 27701 audit activities


Language(s): Portuguese and English (please consult BEHAVIOUR for availability in other languages).
Duration: 4 hours.
Format: Multiple-choice questions and open questions, based on a case study.
Number of questions: 48 questions.
Pass mark: 700/1000 points.
Results: “Pass or Fail”.
Issuing entity: Behaviour (legal entity), through its certification service Behaviour Certification Services.
Retake: 1 free retake within a maximum period of 2 months after the date on which the exam result is made available.

Certification (levels and requirements)

After successfully completing the exam and accepting/signing the applicable agreement and Code of Ethics, the candidate may apply for one of three levels, according to experience:

  • Certified Data Protection 27701 Associate Auditor: no previous experience required
  • Certified Data Protection 27701 Auditor: 2 years of experience in privacy and/or data protection and auditing
  • Certified Data Protection 27701 Lead Auditor: 5 years of experience in privacy and/or data protection and auditing


A Certificate and a Digital Certification Badge (i.e., “badge”) will be issued to participants who successfully complete the certification exam and satisfy all the requirements of the certification for which they are applying. The certification is issued by Behaviour (legal entity), through its certification service Behaviour Certification Services.

The personal certification programme “Certified Data Protection 27701 Lead Auditor” is designed and maintained in accordance with ISO/IEC 17024.

Certification programmes are valid only for individuals (not organisations), and the award and maintenance of certification depend on the exam result, professional experience and compliance with the applicable agreement/Code of Ethics.

If the professional does not comply with the agreement/Code of Ethics, the certification is not granted or is revoked.

Other Information

General Information
  • Training in Portuguese or English.
  • Online training materials (documentation in English), with online access, in accordance with the awarded conditions.
  • Practical step-by-step auditing methodology.
  • Behaviour digital Training Attendance Certificate with 40 CPD/CPE credits.
  • Online Certification Exam, in Portuguese or English. The exam may be taken up to 2 months from the course start date.
  • If the candidate does not pass the exam, they are entitled to 1 free retake within a maximum period of 2 months after the result is made available.
  • Digital diploma and digital badge after passing the exam and completing the application process (at no additional cost).
Trainer(s)
The trainers are consultants and auditors with experience in data protection and privacy, and in the ISO/IEC 27000 family, with a particular focus on ISO/IEC 27701, ISO/IEC 27001, ISO/IEC 29100 and related standards.

Benefits

  • ISO/IEC 27701 supports an auditable PIMS that is internationally recognised.
  • Audit structuring and evidence for privacy and data protection, in conformity with the GDPR.
  • Audit-oriented course, with a practical step-by-step methodology and case study.
  • Exam with multiple-choice and open questions, based on a case study, to assess competences more effectively.
  • Free retake within the period defined in the scheme.

Logistics

Useful information
  • Live Online (synchronous time): 09h30–17h30 (Lisbon time), with lunch break and short breaks
  • Classroom (synchronous time): 09h30–17h30 (Lisbon time), with lunch break and short breaks
  • 28 hours of synchronous training, distributed across 4 consecutive days
  • Estimated 12 hours of guided autonomous work, intended for content consolidation and exam preparation, carried out flexibly outside the synchronous sessions
  • Requirements: computer with stable internet, browser, PDF reader, audio/video
Hotels in Lisbon
Find out where you can stay in Lisbon, near Behaviour, for classroom training.

Frequently Asked Questions

Objective answers to the most frequently asked questions about the ISO 27701 Lead Auditor course.

What is the difference between this course and the ISO 27701 Lead Implementer course?

The ISO 27701 Lead Auditor course is focused on planning, conducting and concluding audits, collecting and evaluating evidence, recording findings and supporting follow-up. The ISO 27701 Lead Implementer course, by contrast, focuses on the implementation, operation, maintenance and improvement of the PIMS.

Is this course suitable for someone who already knows the GDPR but has not yet led formal audits?

Yes. The course is particularly useful for professionals who already have contact with privacy and data protection and want to evolve towards a more structured auditing approach, with method, criteria, evidence and conclusions.

Can this course support internal teams before an external or certification audit?

Yes. The course helps participants better understand audit logic, evidence expectations, the formulation of findings and the preparation needed to interact more consistently with external or certification audits.

Can an organisation without ISO/IEC 27701 certification still derive value from this course?

Yes. The course may be relevant even before formal certification exists, because it helps structure internal audit capability, strengthen privacy governance and prepare the organisation for future stages of implementation, assessment or certification.

Is this course relevant when privacy is audited in conjunction with information security?

Yes. The course is especially useful in contexts where the PIMS is integrated with an ISMS, helping participants understand the articulation between privacy, data protection, information security controls and audit evidence.

For general questions about registration, delivery modes, exams, certification and recertification, please consult the BEHAVIOUR® FAQs.

Registration

Complete the form to request your registration for the preferred edition. Check the upcoming dates.


Request more information

If you would like help to frame the course within your professional or organisational context, contact us and we will indicate the most suitable path.

Companies: request a proposal

For team registrations, we provide volume conditions and a proposal tailored to the organisational need.