The new version of ISO/IEC 27701 has been published, and it changes how organisations are expected to manage privacy within their information security framework. If your company is already certified or planning to certify, this is the moment to understand the changes and plan your transition.
An update that strengthens privacy governance
Since its initial publication in 2019, ISO/IEC 27701 has become the reference standard for extending ISO/IEC 27001 with privacy-specific requirements, establishing a Privacy Information Management System (PIMS). The 2025 version aligns with ISO/IEC 27001:2022, reflects current data-protection law such as the GDPR, and accounts for how the digital and regulatory landscape has evolved since 2019.
“ISO 27701:2025 is not just a technical revision; it is an update of how organisations must demonstrate privacy by design, accountability and transparency.”
The new version also aims to improve interoperability with other ISO privacy standards, such as ISO 29100 (privacy principles), ISO 27018 (protection of personal data in the cloud) and ISO 29151 (PII protection controls).
The result: a more consistent and applicable model for organisations managing personal information in increasingly complex and regulated environments.
Key changes compared with the 2019 version
Although the overall structure remains, the standard introduces significant improvements across four key areas:
1. Alignment with ISO/IEC 27001:2022
This is the most significant change. ISO 27701:2025 adopts the structure and terminology of ISO 27001:2022, including its reorganised Annex A (93 controls grouped into organisational, people, physical and technological themes). Privacy-specific controls are mapped against that control set, so security and privacy can be run on one shared control framework rather than two parallel ones, and an integrated ISMS/PIMS audit becomes simpler to plan and evidence.
2. Clarification of roles and responsibilities
The distinction between controllers and processors is reinforced, aligned with the GDPR and equivalent frameworks in other jurisdictions. Guidance on relationships between stakeholders, including subprocessors and technology partners, is also expanded.
3. New controls and references
The 2025 version incorporates controls related to:
- The lifecycle management of personal information, from collection to deletion.
- Privacy in AI and automated environments (cross-references to ISO 42001 and ethical AI principles).
- International transfers and cross-border risk assessments.
4. Improved traceability and assessment
The standard introduces stricter requirements for the evidence and documentation needed to demonstrate compliance, transparency and accountability. This reinforces the accountability principle and makes it easier to reuse the same evidence for regulatory audits and for other certifications and frameworks (ISO 27001, ENS, NIS2, DORA and similar).
What this means for already-certified organisations
Organisations certified under ISO/IEC 27701:2019 will need to complete a formal transition to the 2025 version within the period set by their certification body (typically 12 to 24 months from publication; confirm the exact deadline with your own body, since missing it means the 2019 certificate lapses rather than rolls over).
While the foundation of the management system remains valid, it will be necessary to:
- Update the Statement of Applicability (SoA) to cover the new and remapped controls, with a justification for each inclusion or exclusion.
- Review the privacy risk register, adding scenarios the 2019 assessment may not have covered (AI-assisted processing, cloud and SaaS providers, biometric data).
- Align PIMS documentation (policies, procedures, records) with the clause and Annex A structure of ISO 27001:2022.
- Strengthen internal training and awareness on the new requirements, especially for compliance and security teams.

“The transition to ISO 27701:2025 doesn’t mean starting from scratch, it means evolving your system toward a more mature model aligned with today’s data reality.”
Why this update matters
ISO/IEC 27701:2025 marks a decisive step toward stronger and more unified privacy governance.
By integrating more effectively with standards on security, ethics and artificial intelligence, it lets companies demonstrate more than formal compliance: trust, responsibility and readiness for upcoming regulatory obligations, from the AI Act to the full enforcement of NIS2 and DORA.
“Privacy is no longer just a legal requirement; it is a strategic value that strengthens digital trust.”
Conclusion
The update to ISO 27701 arrives at a crucial moment for European organisations: with the rise of AI, sector-specific regulation and accelerated digitalisation, privacy needs a more agile, aligned and auditable framework.
At PrivaLex Partners, we help organisations adapt their ISO 27001 and 27701 systems to the new version, integrating privacy, security and compliance into a single, practical and sustainable model.
Is your company ready for the transition to ISO 27701:2025? We’ll help you plan and implement a frictionless upgrade.