The updated ISO/IEC 27701, now an independent standard, will assist companies in improving their privacy information management.
The wait for the new version of the Privacy Information Management System standard ISO/IEC 27701 is over. The International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC) announced on 14 October 2025 that the new version had been approved and published.
The new standard is structured to integrate with other existing management systems such as ISO 9001 (quality), ISO/IEC 27001 (information security) and ISO/IEC 42001 (artificial intelligence), making it adaptable and flexible for organisations of all shapes, sizes and complexities.
For legal and compliance professionals, ISO/IEC 27701:2025 is both a compliance tool and an implementation challenge. Its controls are closely aligned with global regulations such as the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and Brazil’s General Data Protection Law (LGPD). However, mapping them onto local legal requirements takes additional expertise, while the programme itself must remain consistent across the jurisdictions it covers. Lawyers and compliance officers are now the architects of defensible privacy programmes, translating regulatory demands into operational reality.
Here are the most significant updates:
Key Changes in ISO/IEC 27701:2025
1. It is now an independent standard
· Unlike the 2019 version, which was an extension of ISO/IEC 27001, the 2025 version is now a completely independent standard.
· Organisations can now obtain ISO/IEC 27701:2025 certification without needing ISO/IEC 27001 certification.
2. Updated Structure
· The standard has adopted ISO’s high-level structure (HLS), aligning with other management system standards such as ISO 9001, ISO/IEC 20000-1, and ISO/IEC 42001.
3. Clauses 4-10 now define all requirements for the Privacy Information Management System (PIMS).
4. Enhanced Privacy Risk Management
· Privacy risks are now treated on a par with information security risks, with expanded requirements for risk identification, treatment and monitoring.
· New sources of risk such as AI, automated processing and third-party data sharing are explicitly addressed.
5. Expanded Scope
· The standard now covers biometric data, health data, and IoT data, and includes stronger requirements for consent, transparency, and cross-border data transfers.
6. Modernised Controls
· The dependency on the ISO/IEC 27001 Statement of Applicability has been removed.
· The standard introduces its own control set:
· 31 controls for PII Controllers
· 18 controls for PII Processors
· 29 common controls applicable to both.
· The standard states explicitly that additional controls may be added: the listed controls are a baseline, not an exhaustive list of what an organisation may implement.
· Some controls have been renamed or received minor corrections (for example, one of the ‘Obligations to PII principals’ controls is now ‘Comply with obligations to PII principals’).
· Annex B adds normative implementation guidance, with implementation recommendations for PII controllers and PII processors.
· The controller and processor guidance and controls, previously split across separate annexes, have been restructured more systematically.
· References to ISO/IEC 27001 and ISO/IEC 27002 are now treated as supporting references and no longer imply a dependency on those standards.
7. Compliance with Global Regulations
· Aligned with privacy laws such as GDPR (EU) and CCPA/CPRA (US), as well as emerging regulations in Africa and Asia. Note that certification demonstrates a managed privacy process; it does not by itself establish legal compliance with any of these laws, which remains the organisation’s own obligation.
8. Governance and Accountability
· Greater emphasis on defined privacy roles, measurable KPIs, and continuous performance monitoring.
· Designed to support auditable and demonstrable privacy accountability.
· Risks arising from third-party service providers (e.g. SaaS and cloud providers), data flows and the chain of control over PII are addressed more explicitly.
9. Transition Guide
· If your organisation already holds ISO/IEC 27701:2019 certification, conduct a gap analysis for the transition to the new version. Either build your own checklist or request a gap analysis from an independent audit organisation such as CFECERT.
· Even if your organisation does not hold ISO/IEC 27001, it is worth evaluating this opportunity, since the 2025 version can be certified on its own. Reassess your organisation’s requirements against the legal regulations that apply to it. If ISO/IEC 27001 is no longer mandatory for you, you can enter the ISO/IEC 27701 process directly by contacting us.
· Risk assessment methods will need to be updated to cover cloud, AI and data-flow scenarios.
To summarise the roadmap for the version transition:
1. Conduct a comprehensive gap analysis between your current practices and the new requirements in ISO/IEC 27701:2025. You can determine priorities using sector-specific and cross-jurisdictional guidance or contact CFECERT.
2. Inform the board of directors and senior management about increasing privacy responsibilities, emphasising both compliance and brand value.
3. Integrate personal data and privacy management into broader corporate risk and security strategies.
4. Use supporting technologies such as encryption, tamper-evident audit trails and continuous monitoring to automate control operation and the collection of audit evidence.
5. Build privacy competence across your organisation. Invest in training and ongoing awareness initiatives tailored to functional roles. You can reach CFE Academy at info@cfecert.co.uk for its ISO/IEC 27701:2025 Version Transition, Lead Auditor Transition and Awareness training courses.
6. Review and update your internal audit cycles, policies and procedures, and keep the controls, policies and procedures you rely on current in line with the principle of continual improvement.
