Upcoming: ISO/IEC 27701:2025 Where Personal Data Meets Privacy

Now in its FDIS stage, the new ISO/IEC 27701:2025 has been restructured to serve as a more independent and flexible standard

Protecting personal data is no longer just a legal requirement, but a strategic responsibility for organisations. ISO/IEC 27701 provides a Privacy Information Management System (PIMS), integrated with ISO/IEC 27001, to address this need. Originally published in 2019 as ISO/IEC 27701:2019, this standard expanded the ISO/IEC 27001 framework and mandated certification to it. However, the rapid evolution of global privacy regulations, emerging threats, and significant changes introduced in ISO/IEC 27001:2022 necessitated a complete revision.

Now in its Final Draft International Standard (FDIS) stage, the new ISO/IEC 27701:2025 has been restructured to serve as a more independent and flexible standard. It aims to support broader privacy compliance—not just GDPR, but also CCPA, LGPD, and others—by providing clearer guidance for both controllers and processors of personal data.

ISO/IEC 27701:2025 allows organisations to manage privacy risks more effectively, demonstrate accountability, and foster trust in the handling of personal data.

Standard Name Updated

ISO/IEC 27701:2025 is no longer an extension of ISO/IEC 27001. The full title of the standard has been changed to:

Information security, cybersecurity and privacy protection — Privacy information management systems — Requirements and guidance.

This reflects a major shift in the structure of the standard, clearly stating that ISO/IEC 27701:2025 is no longer an extension of ISO/IEC 27001 and ISO/IEC 27002.
The new version allows PIMS to function as a standalone system while remaining compatible for integration with ISO/IEC 27001 if desired.

ISO/IEC FDIS 27701:  Information security, cybersecurity and privacy protection — Privacy information management systems — Requirements and guidance

ISO/IEC 27701:2019:  Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines

Certification and Transition to the 2025 Edition

Organisations intending to obtain a new certification or those looking to upgrade their current ISO/IEC 27701:2019 certification to the 2nd edition are strongly advised to consult their certification bodies regarding the latest procedures and applicable deadlines. As of the time this catalogue was prepared, the official rules for certification and transition to the revised standard have not yet been published.

Historically, such transition and certification guidance is issued approximately one to two months following the release of the new standard. Subsequently, accreditation bodies will adopt these rules, and in some cases, they may add their own specific requirements.

To ensure compliance and avoid disruptions in certification status, organisations should closely monitor updates and begin internal preparations for the transition as early as possible.

On 19 December 2024, ISO/IEC FDIS 27701 was formally registered for approval. This was followed by the launch of an eight-week Final Draft International Standard (FDIS) ballot process. Upon its successful conclusion, the updated version will officially replace ISO/IEC 27701:2019.

Official guidance regarding certification and transition procedures will be released following the publication of the new edition. Organisations must monitor these developments to remain compliant with evolving privacy and information security requirements.

What Does ISO 27701:2025 Bring?

Independent Management System:

ISO 27701 will no longer be positioned as an extension of ISO 27001. As a standalone management system, privacy is now considered a critical area on its own. Of course, integration with other ISO management systems is possible, but privacy is given separate emphasis.

Expanded Requirements:

  • Scope Definition (4.3): The requirement for alignment with ISO 27001 has been removed.
  • Privacy Policy (5.2): Now mandatory.
  • Roles and Responsibilities (5.3): Defined roles are required.
  • Privacy Risk Management (6.1): A specific risk management approach is needed.
  • Objectives and KPIs (6.2, 9.1): Metrics and reporting that clarify privacy objectives are emphasized.

Release Date and Transition Period:

The final release date for ISO 27701:2025 is planned for May 2025. Organisations will have a 3-year transition period to comply with the new standard.

This update facilitates treating privacy independently while seamlessly aligning with broader governance strategies.

Internal preparations for the transition should include:

  • Reviewing your privacy policies
  • Updating your risk management processes
  • Creating a roadmap to comply with the new requirements

This version change has been made due to the arrival of the new version of ISO 27001 and the increasing importance of environmental impact in management system standards; you do not need to rush the version transition.
