The International Organization for Standardization (ISO) released the updated ISO/IEC 27701 standard for privacy information management in October 2025. Formerly an extension to ISO 27001 and ISO 27002, the ISO 27701:2025 update establishes ISO 27701 as an independent standard.

In this blog, we explore the differences between ISO 27701:2025 and its 2019 iteration and discuss what they mean for your business.

What Has Changed in the ISO 27701:2025 Standard?

ISO 27701’s change from extension to standard in its own right comes with a new title, Information security, cybersecurity and privacy protection – Privacy information management systems, reflecting its new status. This replaces the previous title, Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management.

Top-level changes include:

  • ISO 27701 is now a standard rather than an extension of ISO 27001
  • Management clauses 4.1 to 10.2 have been added
  • Annexes have been renamed and renumbered
  • Privacy controls remain the same, with the same requirements
  • A new annex containing 29 information security controls has been added
  • New information security controls replace ISO 27701:2019 clause 6

We’ll explore these changes in more depth.

ISO 27701:2019 to ISO 27701:2025 Clause Restructure

The standard has seen a restructure, with management clauses 4.1 through to 10.2 introduced in line with ISO 27001 and ISO 27002.

The previous version of the standard, ISO 27701:2019, featured clauses detailing PIMS (Privacy Information Management System)-specific requirements in relation to ISO 27001, PIMS-specific requirements in relation to ISO 27002, additional guidance for PII (personally identifiable information) controllers and additional guidance for PII processors.

Clause 1, scope, now refers to requirements for establishing, implementing, maintaining and continually improving a standalone privacy information management system (PIMS) rather than building a PIMS as an extension to ISO 27001 and ISO 27002.

Clause 2, normative references, contains a shorter list of references, due to ISO 27701 now existing as a standard rather than an extension. The 2025 update references only ISO/IEC 29100, Information technology — Security techniques — Privacy framework.

Removed references from the 2019 edition include:

  • ISO/IEC 27000, Information technology — Security techniques — Information security management systems — Overview and vocabulary
  • ISO/IEC 27001:2013, Information technology — Security techniques — Information security management systems — Requirements
  • ISO/IEC 27002:2013, Information technology — Security techniques — Code of practice for information security controls

Clause 3, terms, definitions and abbreviations, is expanded due to the broader scope of the standard, and now features references to objectives, interested parties, etc. in keeping with other ISO standards.

Clause 4 is now context of the organisation. This clause requires organisations to determine the internal and external issues relevant to their ability to achieve the intended results of their PIMS. They must also determine the needs and expectations of interested parties, determine the scope of their PIMS, and then establish, implement, maintain and improve their PIMS.

Clause 5 is now leadership, replacing the PIMS-specific requirements related to ISO 27001 from the 2019 standard. This clause is designed to ensure top management demonstrate leadership and commitment relating to their PIMS, establish a suitable privacy policy, and delegate roles, responsibilities and authorities appropriately.

Clause 6 is now planning, replacing the PIMS-specific requirements related to ISO 27002 from the 2019 standard. This clause focuses on actions to address risks and opportunities, including privacy risk assessment and treatment. Organisations must also establish privacy objectives and plan how to achieve them, and plan for changes to the PIMS.

Clause 7 is now support, replacing the additional ISO 27002 guidance for PII controllers. This clause requires organisations to ensure appropriate resources, competence, awareness, communication and documented information are available for the establishment, implementation, maintenance and continual improvement of the PIMS.

Clause 8 is now operation, replacing the additional ISO 27002 guidance for PII processors. The clause requires organisations to plan, implement and control the processes needed to meet compliance requirements. It also requires organisations to perform privacy risk assessments and implement privacy risk treatments.

Clause 9, performance evaluation, is a new addition to the standard. This clause focuses on monitoring, measurement, analysis and evaluation, including internal audits and management reviews.

Clause 10, improvement, is also a new addition to the standard. It requires organisations to take actions to continually improve their PIMS.

Clause 11, further information on annexes, is a new addition and provides information on Annex C, D, E and F.

Changes to Annexes

The ISO 27701 annexes have been renamed and renumbered, but the privacy controls remain the same and contain the same requirements. Annex A is now a single annex, where the 2019 edition had two separate annexes for PII processors and PII controllers.

However, new information security controls have been added.

New Information Security Controls

The 29 new information security controls are located in Table A.3 – Control objectives and controls for PII controllers and PII processors. Controls include:

  • Policies for information security
  • Classification of information
  • Identity management
  • Access rights
  • Addressing information security within supplier agreements
  • Information security awareness, education and training

And more.

I’m Already ISO 27701 Certified, What Does This Mean for Me?

The deadline for transitioning to the new ISO 27701 standard is October 2028. However, many of the information security controls in the new ISO 27701:2025 update are directly aligned with requirements for ISO 27001. As a result, organisations that are already certified to ISO 27701 as an extension of ISO 27001 should find the move to ISO 27701:2025 as a separate standard relatively seamless.

Strengthen Your Data Privacy Posture Today

Data privacy is a key element of IO’s compliance loop: information security, data privacy and AI governance, all supporting organisational resilience. Organisations that embed cyber resilience quickly emerge as leaders in their industry and achieve a competitive advantage. The updated ISO 27701 supports building a privacy information management system and improving data privacy practices holistically.

The IO platform and tools are ready to support you now, from helping you understand the changes, checking the impact on your organisation’s data privacy objectives, implementation guidance, and transitioning your certification. Unlock your compliance advantage today – book your demo!