Office, meeting and documents of business people, clients or team for legal matters, taxes, audit or accounting.

Standard

ISO/IEC 27701:2025 – Key Changes and Guidance

ISO/IEC 27701 has been revised to enable its requirements to be implemented as a stand-alone privacy information management system.

We’ll help you navigate the ISO/IEC 27701 changes with confidence

The new version of ISO/IEC 27701, which published in October 2025, is now available to purchase.

ISO/IEC 27701:2025 Privacy Information Management Systems (PIMS) standard provides a comprehensive, scalable framework for managing Personally Identifiable Information (PII) in line with global regulations.

Unlike its predecessor, this new edition is a stand-alone standard, with its application no longer dependent on the implementation of ISO/IEC 27001 or ISO/IEC 27002.

This change makes it easier for your organization to adopt a future-ready privacy information management system, no matter where you are on your privacy journey.

Subscribe to updates

Status of ISO 27701

What’s the status and timing of ISO/IEC 27701 changes?

Get the standard

Buy the BS EN ISO/IEC 27701:2025 standard

The revision to this standard is now complete and BS EN ISO/IEC 27701:2025 has published.

Visit the shop

Start Training

ISO/IEC 27701:2025 training courses

Our ISO/IEC 27701:2025 training courses help you understand, implement, and audit your privacy management system.

Find out more

Transition

ISO/IEC 27701:2025 transition

Our team are monitoring updates from the IAF closely and look forward to supporting you with your transition.

Subscribe for updates

Why the new ISO/IEC 27701:2025 standard matters to your organization?

Whether you already use ISO/IEC 27701, or just getting started, implementing the updated standard will help you to optimize your privacy management.

It helps you to establish a PIMS without needing ISO/IEC 27001 as a prerequisite.
It aligns with other management system standards for easier and more consistent integration.
Its full clause-based structure allows for easier comprehension of privacy system requirements.
It strengthens privacy risk handling through clearer assessment guidance.
It distinguishes controls for PII controllers and processors for additional privacy precision.
It helps you achieve flexible privacy control implementation with its informative Annex B guidance.

Support

Supporting you with ISO/IEC 27701:2025 changes

We’ll provide you with further guidance, training and support to help you implement the ISO/IEC 27701:2025 with confidence.

Subscribe to updates

Changes and Guidance

What are the changes to ISO/IEC 27701?

The published standard sets out both refinements and new priorities. Some updates are editorial; others introduce new concepts.

ISO/IEC 27701 has now become a fully standalone Privacy Information Management System (PIMS), no longer requiring ISO/IEC 27001 certification as a prerequisite for implementation or audit and therefore reducing cost and complexity.

The standard now also follows ISO’s harmonized high-level structure (Clauses 4–10), aligning it with other management system standards like ISO 9001 and ISO/IEC 42001. This makes it easier to integrate in multi-standard environments and simplifies implementation for organizations of all sizes.
Under the updated Clause 4, organizations must now define their context more holistically, including how they process personal data and the legal environments they operate in. The clause also explicitly recognizes global differences in privacy laws and requires organizations to align controls with applicable regulations.

It also calls for identifying internal and external factors, such as technology, culture, and operations, that influence privacy risks and outcomes.
The revised Clause 5 places stronger emphasis on leadership’s role in embedding privacy into the organization’s culture and governance.

An organization’s leadership is now expected to ensure that privacy is integrated across all business functions, not just IT or compliance. This supports broader adoption and relevance for legal, HR, marketing, and operations teams.
Clause 6 has been revised so that planning activities must now explicitly address privacy risks in the context of the organization’s legal, regulatory, and operational environment.
Clause 7 in ISO/IEC 27701:2025 provides a robust and independent approach to privacy management, including broader requirements for resource allocation, competence in privacy support roles and privacy awareness across all levels of the organization.
Clause 8 introduces a more streamlined and stand-alone approach to operational control within the PIMS. It sets out how organisations should plan, implement, and control privacy-related processes across the PII lifecycle and refers to the detailed controls in Annex A and Annex B. These annexes have been re-structured in the 2025 edition. The overall framework simplifies operational implementation and ensures that privacy controls are applied consistently within the organisation’s day-to-day activities.
Clause 9 in ISO/IEC 27701:2025 introduces a structured and independent approach to evaluating the effectiveness of a Privacy Information Management System (PIMS). The changes reflect the standard’s shift from being an extension of ISO/IEC 27001 to a fully standalone framework.
The revised Clause 10 introduces a more proactive and integrated approach to continual improvement within a Privacy Information Management System (PIMS). It builds directly on Clause 9 by requiring organizations to use performance data to drive improvement. This ensures that continual improvement is evidence-based and strategically aligned.
Annex A lists PIMS control objectives/controls for PII controllers and processors, restructured to align with ISO/IEC 27002:2022. It includes 34 controller controls, 21 processor controls, and 31 shared controls.

Annex B explains how to implement and evidence each Annex A control across different contexts.

Other annexes provide mappings to aid integration and transition:

Annex C: ISO/IEC 29100 Privacy Framework

Annex D: EU GDPR

Annex E: ISO/IEC 27018 (public cloud) and ISO/IEC 29151 (PII protection)

Annex F: Correspondence with ISO/IEC 27701:2019 for migration.
Visit our FAQ, which explains what the revision means for your current ISO/IEC 27701:2019 certification and how to prepare for the upcoming transition.

Visit the FAQ

Insights & Media

Guidance to help you understand privacy and digital trust

View Insights & Media

Blog

The new Data Bill: What it means for privacy in the UK

Read the Blog

Whitepaper

Supporting a Safe and Secure Digital World for Adolescents

Read the Whitepaper

Blog

A Quick Introduction to Management System Standards

Read the Blog

Your trusted privacy information management partners

Have questions about the ISO/IEC 27701:2025 revision or need support with your privacy information management system? Our team is here to help you prepare and make the transition smooth and effective.

Get in touch