These are the key topics covered in this guide:
- What is ISO/IEC 27701 and why does it matter
- The most important change: a fully standalone standard
- Key changes compared to the 2019 version
- What this means for already-certified organisations
- Transition timeline and deadline
- Common mistakes when preparing for the transition
- How PrivaLex can help
- Frequently asked questions
ISO/IEC 27701:2025 was published on 14 October 2025 and it represents the most significant update to privacy information management standards in years. The change that matters most is not a tweak to a control list: the standard is now a fully standalone framework. Organisations can certify a Privacy Information Management System (PIMS) without first holding ISO 27001 certification. That changes the conversation considerably, both for organisations already certified under the 2019 version and for those considering certification for the first time.
If your organisation is already certified under ISO/IEC 27701:2019, you have until October 2028 to complete the transition. If you are planning a new implementation, the 2025 version is the version to build against. This guide explains what has changed, what it means in practice, and how to prepare.
What Is ISO/IEC 27701 and Why Does It Matter?
ISO/IEC 27701 is the international standard for Privacy Information Management Systems (PIMS). It provides a structured, internationally recognised framework that helps organisations establish, implement, maintain and continually improve the way they handle personally identifiable information (PII). The standard applies to both PII controllers and PII processors, terms that map directly onto the concepts of data controllers and data processors under the GDPR.
In the 2019 edition, ISO/IEC 27701 was designed as an extension of ISO/IEC 27001. To implement or certify it, an organisation first needed a functioning Information Security Management System (ISMS) under ISO 27001. That dependency is now removed. The 2025 edition stands on its own.
For EU organisations, the relevance is clear. The GDPR requires organisations to demonstrate accountability: to show, not just claim, that personal data is processed lawfully, fairly and securely. ISO/IEC 27701 certification provides exactly that evidence base. It demonstrates to clients, partners and regulators that your privacy governance is systematic, documented and independently verified.
The Most Important Change: A Fully Standalone Standard
The single most significant change in ISO/IEC 27701:2025 is structural. The standard is no longer an extension of ISO/IEC 27001. It is now an independent management system standard, following the ISO harmonised high-level structure (Clauses 4–10) in its own right. Organisations can implement and certify a PIMS without holding or pursuing ISO 27001 certification.
This matters for several groups of organisations:
- Organisations that process large volumes of personal data but do not need or want a full Information Security Management System under ISO 27001 can now pursue privacy certification directly.
- SaaS companies and data-driven businesses that already hold SOC 2 for security can now add ISO/IEC 27701:2025 to address privacy, without duplicating information security audit work.
- Public sector and non-profit entities where privacy obligations are significant but resources for a full ISO 27001 programme are limited now have a proportionate path to certification.
- Organisations already certified under the 2019 edition can maintain an integrated PIMS and ISMS if they wish; the integration path remains available and continues to make sense for many.
The 2025 edition also introduces a new companion standard, ISO/IEC 27706:2025, which provides guidance specifically for certification bodies auditing PIMS under the new framework. This replaces ISO/IEC TS 27006-2:2021 and brings the certification infrastructure for ISO 27701 up to date.
Key Changes Compared to the 2019 Version
Beyond the standalone structure, the 2025 edition introduces several substantive updates across the standard’s clauses and annexes.
Harmonised High-Level Structure
ISO/IEC 27701:2025 now follows the same Clauses 4–10 structure as other ISO management system standards, including ISO 27001 and ISO 42001. This makes multi-standard environments significantly easier to manage. Organisations holding multiple certifications can align audit cycles, share documentation and reduce duplication across their compliance programmes.
Restructured Annexes for Controllers and Processors
The control annexes have been reorganised. Annex A now consolidates controls for PII controllers and processors into a clearer structure (A.1, A.2 and A.3). The distinction between controller and processor obligations is more explicitly defined throughout, in alignment with the GDPR’s treatment of these roles.
Expanded Guidance on AI and Digital Environments
The 2025 edition provides greater clarity on managing personal data within AI and automated decision-making contexts. This includes cross-references to ISO/IEC 42001 (AI management systems) and guidance on privacy controls in environments where automated processing, profiling and AI-driven decisions are involved.
Stronger Governance and Leadership Requirements
Clause 7 now includes broader requirements for resource allocation, competence in privacy support roles and privacy awareness across all levels of the organisation. The standard strengthens the expectation that privacy governance is embedded in leadership and organisational strategy, not delegated entirely to a compliance team.
PII Lifecycle and Operational Controls
Clause 8 introduces a more streamlined approach to operational control across the full PII lifecycle, from collection and processing through to deletion. It references Annexes A and B for the detailed controls and ensures that privacy requirements are applied consistently in day-to-day operations.
Shorter Normative References List
Because the standard now stands alone, Clause 2 (normative references) contains a shorter list. The 2025 edition references ISO/IEC 29100 (Privacy Framework) as its primary normative reference, rather than ISO 27001 and ISO 27002 as in the 2019 version. This reflects the standard’s independence while maintaining alignment with the broader ISO privacy framework.
What This Means for Already-Certified Organisations
If your organisation is currently certified under ISO/IEC 27701:2019, the transition does not mean starting over. The foundation of your PIMS remains valid. What changes is the structure you align it to and the evidence you need to demonstrate under the new clauses and controls.
The practical transition steps are:
- Conduct a gap assessment comparing your current PIMS documentation against the 2025 structure and control requirements.
- Update your Statement of Applicability (SoA) to reflect the restructured annexes and any new or revised controls.
- Review your privacy risk matrix to incorporate current technological scenarios, including AI, cloud processing and cross-border data flows.
- Update governance documents, process records and internal audit programmes to align with the revised clause structure.
- Ensure controller and processor roles and responsibilities are explicitly documented in line with the updated Annex A.
- Train relevant staff (compliance, legal, security and privacy teams) on the revised structure and new requirements.
- Coordinate with your certification body to schedule your transition audit before the October 2028 deadline.
Organisations that are already certified to ISO 27001:2022 and hold the 2019 version of ISO 27701 as an extension should find the transition relatively straightforward, since many of the structural changes in ISO 27701:2025 draw on elements already present in ISO 27001:2022 and ISO 27002:2022.
Transition Timeline and Deadline
ISO/IEC 27701:2025 was published on 14 October 2025. The transition period is three years, giving organisations certified under the 2019 edition until October 2028 to complete their transition audit and align with the new version.
Accreditation body guidance (from bodies such as the IAF, UKAS, ENAC and others) on specific transition audit requirements was expected within one to three months of publication. Organisations should confirm the requirements with their certification body as that guidance is finalised.
For organisations planning new implementations, the 2025 edition is the current version and should be used as the basis for any new PIMS design. There is no reason to build against the 2019 version.
Common Mistakes When Preparing for the Transition
Waiting until the deadline is close
Three years feels like a long time, but transition audits need to be scheduled with certification bodies, and good slots fill up. Organisations that start early can also integrate the transition into their regular surveillance audit cycle, which reduces disruption and cost.
Treating the standalone change as irrelevant if you already hold ISO 27001
Even if your organisation continues to operate an integrated PIMS and ISMS, the structural changes in the 2025 edition still require a gap assessment and documentation update. The standalone capability does not remove the transition requirement for currently certified organisations.
Updating documentation without updating practice
The most common gap in any management system transition is updating the SoA and policy documents without verifying that operational controls, training records and risk treatment decisions actually reflect the new requirements. Auditors assess evidence of implementation, not just documentation.
Overlooking the AI and automated processing requirements
If your organisation uses AI tools, automated decision-making or profiling that involves personal data, the 2025 edition’s expanded guidance on AI environments is directly relevant to your PIMS scope. Failing to address this in your gap assessment will create nonconformities.
How PrivaLex Can Help
At PrivaLex Partners we support organisations through the full ISO/IEC 27701 journey, from initial gap assessment through to certification and ongoing maintenance. Whether you are transitioning from the 2019 version or building a PIMS for the first time against the 2025 standard, we provide direct expert support adapted to your organisation’s size, sector and existing compliance posture.
Our support covers: gap analysis against ISO/IEC 27701:2025; SoA review and update; PIMS documentation aligned to the new clause structure; controller and processor obligation mapping; internal audit preparation; team training on revised requirements; and coordination with your certification body on transition audit planning.
We also help organisations decide whether to pursue an integrated PIMS and ISMS under ISO 27001 and ISO 27701, or to implement ISO 27701:2025 as a standalone certification. For many SaaS companies and data-driven organisations in the EU, the standalone path opens a more efficient route to demonstrating privacy accountability without the full overhead of ISO 27001.
Schedule a session with PrivaLex to assess your transition requirements and plan a practical path to ISO/IEC 27701:2025 compliance.
Frequently Asked Questions (FAQs)
Does ISO/IEC 27701:2025 still require ISO 27001 certification first?
No. This is the most important change in the 2025 edition. ISO/IEC 27701:2025 is now a fully standalone standard. Organisations can implement and certify a PIMS without holding ISO 27001 certification. If you already hold ISO 27001 and want to maintain an integrated system, that remains possible, but it is no longer a requirement.
When is the transition deadline for organisations certified under the 2019 version?
October 2028. ISO/IEC 27701:2025 was published on 14 October 2025 and the transition period is three years. Organisations certified under the 2019 edition need to complete their transition audit and align with the new version before that deadline.
If we already have ISO 27001 and ISO 27701:2019, what do we actually need to do?
You need to conduct a gap assessment against the 2025 structure and controls, update your SoA and relevant documentation, review your risk treatment plan for PII, train your team on the revised requirements, and schedule a transition audit with your certification body. Organisations already aligned with ISO 27001:2022 should find the transition relatively manageable, since the 2025 edition draws on the same structural foundations.
Is ISO/IEC 27701:2025 relevant for GDPR compliance?
Yes, directly. ISO/IEC 27701 maps closely onto the GDPR’s accountability requirements. The standard’s framework for documentation, risk management, controller and processor obligations, data subject rights and breach response aligns with what the GDPR requires organisations to demonstrate. Certification does not in itself constitute legal GDPR compliance (that requires a legal analysis of your specific processing activities), but it provides strong, auditable evidence that your privacy governance is systematic and mature.
Can we certify ISO/IEC 27701:2025 alongside SOC 2 instead of ISO 27001?
Yes. Because ISO/IEC 27701:2025 is now standalone, organisations that hold SOC 2 for security can add ISO 27701 to cover privacy without needing to layer in a full ISO 27001 programme. This is particularly relevant for SaaS companies and technology organisations with primarily US-market security requirements that also need to demonstrate privacy compliance to EU buyers. The two frameworks address different domains, security and privacy, and complement each other without significant duplication.
How long does a new ISO/IEC 27701:2025 implementation take?
For a new standalone implementation, most organisations should expect three to six months from a structured gap assessment to certificate issuance, depending on organisational size, the volume and complexity of personal data processing, and whether existing privacy documentation and controls are already in place. For organisations transitioning from the 2019 version with a functioning PIMS, the timeline can be shorter. PrivaLex can provide a more precise estimate after an initial assessment of your current posture.
Next Step
Whether you are managing an existing ISO 27701 certification, considering the standalone path for the first time, or trying to understand how the 2025 update affects your broader compliance programme, the right starting point is a structured gap assessment.
Schedule a session with PrivaLex and we will help you understand exactly where you stand and what your transition or implementation plan should look like.
