    BSI announces a standalone privacy standard for a digital world

    11 November 2025 – BSI has published updated guidance for Privacy Information Management Systems (PIMS), with the goal of making stringent privacy requirements more accessible, practical and relevant, and better at addressing increasingly complex privacy considerations.

    The newly revised international standard for PIMS, Information security, cybersecurity and privacy protection – Privacy Information Management Systems – Requirements and guidance (BS EN ISO/IEC 27701:2025), marks a major milestone in the evolution of privacy standards. Crucially, it is no longer an extension of Information Security Management Systems (ISO/IEC 27001) and its controls (ISO/IEC 27002) but is now standalone guidance, broadening its relevance. Certification to it will no longer require ISO/IEC 27001, making it relevant beyond traditional IT and security teams to include legal, compliance, and privacy professionals, and potentially reducing the cost of compliance.

    The updated approach aims to address today’s complex privacy challenges and increasingly diverse regulatory requirements (including maintained mappings to the EU GDPR), as well as growing public demand for stronger data protection, by offering organizations in industries including technology, healthcare, finance, retail, and the public sector a dedicated, certifiable privacy standard.

    Building on its standalone status, the revision focuses on usability: cleaner control structure, clearer responsibilities, and easier conformity assessment. As privacy concerns grow alongside digital transformation, cloud adoption, and AI integration, BS EN ISO/IEC 27701:2025 is designed to provide practical, globally aligned guidance for managing Personally Identifiable Information (PII) across complex, cross-border environments. The standard offers a simplified route to privacy certification that supports legal compliance, enhances governance, and strengthens trust with customers, partners, and regulators.

    David Cuckow, Director of Digital at BSI, said: “Every day, concerns around privacy and protecting data grow, against a backdrop of rapid digital transformation, cloud adoption, and AI integration. This updated standard offers organizations a streamlined and effective approach to privacy management, simplifying compliance with key regulations like GDPR and CCPA. The standalone certification option also has the potential to reduce both the cost and complexity traditionally associated with privacy certification.

    “This updated standard aims to strengthen governance and accountability by clarifying roles and responsibilities, helping organizations not only meet legal requirements but also build a competitive advantage and enhance their reputation in today’s privacy-conscious marketplace.”

    Annex B has been expanded to provide more detailed and actionable implementation guidance for each control. Additionally, the standard features improved global alignment through mappings to GDPR and related standards including ISO/IEC 29100, 27018, and 29151, and it supports ISO/IEC 27706, enabling certification bodies to offer direct Privacy Information Management System (PIMS) certification.

    For further information on the standard, visit https://knowledge.bsigroup.com/products/information-security-cybersecurity-and-privacy-protection-privacy-information-management-systems-requirements-and-guidance-1