The rapid integration of artificial intelligence (AI) into daily life and business processes is sharply increasing the importance of Privacy Information Management Systems (PIMS) and of standards such as ISO/IEC 27701.
Privacy regulations are evolving faster than most organisations can keep up with. Just when you think you have ensured compliance, a new standard or a new breach redefines the competitive landscape. That is the context in which the second edition of ISO/IEC 27701, published in 2025, has officially become the current version of the standard.
This new edition officially replaces the previous version, ISO/IEC 27701:2019.
The standard, 64 pages in total, was prepared by the ISO/IEC JTC 1/SC 27 (Information Security, Cybersecurity) committee.
What is ISO/IEC 27701?
ISO/IEC 27701 provides the framework organisations need to establish a Privacy Information Management System (PIMS). The standard's basic approach is to extend an existing ISO/IEC 27001/27002 management system by adding a ‘privacy layer’ on top of it.
Structurally, the standard presents the ISO/IEC 27001 PDCA (Plan-Do-Check-Act) approach extended to the privacy dimension.
Key Benefits and Importance for Organisations
The key benefits of implementing the ISO/IEC 27701 standard for organisations are as follows:
- Enhances Privacy and Data Protection Competence: Enables organisations to demonstrate their data protection competence at an international level.
- Supports International Compliance: Supports and facilitates compliance with international privacy regulations such as GDPR.
- Builds Trust and Transparency: Helps build trust with customers, business partners, and regulators by strengthening the organisation’s claims of accountability and transparency.
- Easy Integration: Integrates straightforwardly with existing ISO/IEC 27001 management systems.
Important Annexes to the Standard
The standard contains numerous annexes, both normative (mandatory) and informative, which are critical for PII (Personally Identifiable Information) management:
- Annex A (Normative): Contains privacy controls for PII controllers.
- Annex B (Normative): Contains privacy controls for PII processors.
- Annex D (Mapping): Provides a mapping between the standard and the GDPR.
- Other Informative Annexes: Annex C compares the standard with ISO/IEC 29100; Annex E compares it with ISO/IEC 27018 (cloud privacy) and ISO/IEC 29151.
- Annex F (Guidance): Provides guidance on the application of ISO/IEC 27701 to ISO/IEC 27001 and ISO/IEC 27002.
Any organisation that takes data privacy seriously should put this update on its agenda and bring its PIMS processes into line with the new edition.
For detailed information on the standard: https://www.iso.org/standard/27701
