What does standalone certification mean?
The 2025 edition of ISO 27701 is a complete, self-contained management system standard. Unlike the 2019 edition, which was an extension to ISO 27001 and could only be certified alongside it, ISO 27701:2025 includes its own full set of management system requirements in Clauses 4 to 10.
This means organisations can now achieve ISO 27701:2025 certification on its own merits, without needing to implement or certify against ISO 27001 first. This is one of the most significant changes in the 2025 edition and fundamentally changes who can benefit from the standard.
Why was this change made?
The 2019 edition required organisations to first implement ISO 27001 (information security) before adding ISO 27701 (privacy) on top. While this made sense for organisations already managing information security, it created a significant barrier for:
- Organisations that needed privacy certification but had no immediate need for a full ISMS
- Smaller organisations where the combined cost and effort of two standards was prohibitive
- Privacy-first companies whose primary concern was demonstrating data protection compliance
- Organisations in sectors where privacy regulation is the main driver (healthcare, education, HR services)
By making ISO 27701:2025 standalone, the standard becomes accessible to a much broader range of organisations that want to demonstrate effective privacy management through an internationally recognised certification.
Who benefits from standalone certification?
Standalone certification is particularly valuable for:
- Privacy-focused startups — Companies built around data processing services that need to demonstrate trustworthiness to customers
- SMEs with limited resources — Organisations that want privacy certification without the overhead of a full information security management system
- Data processors — Cloud service providers, SaaS companies and outsourced processing services that need to demonstrate GDPR compliance to their customers
- Regulated industries — Healthcare providers, financial services firms and educational institutions where privacy is the primary regulatory concern
- Organisations with existing security frameworks — Companies using SOC 2, NIST or other security frameworks that want a dedicated privacy certification
Organisations that already hold ISO 27001 can still integrate both systems. The standards are designed to work together, and a combined approach provides comprehensive information security and privacy management.
What does the certification process involve?
The certification process for ISO 27701:2025 follows the standard ISO management system certification approach:
| Stage | What happens | Typical duration |
|---|---|---|
| Preparation | Implement the PIMS: establish context, assess risks, implement controls, create documentation | 3 to 12 months |
| Stage 1 audit | Certification body reviews documentation and readiness. Identifies any areas needing attention before Stage 2 | 1 to 2 days |
| Stage 2 audit | On site (or remote) assessment of PIMS implementation and effectiveness. Auditors interview staff, review evidence and test controls | 2 to 5 days |
| Certification decision | Certification body reviews audit findings and decides whether to issue the certificate | 2 to 4 weeks |
| Surveillance audits | Annual audits to verify the PIMS continues to meet requirements | 1 to 2 days annually |
| Recertification | Full reassessment at the end of the three-year certification cycle | 2 to 4 days |
Your Statement of Applicability will reference the Table A.1 controller controls, Table A.2 processor controls and Table A.3 shared security controls.
How does this compare to the 2019 approach?
| Aspect | ISO 27701:2019 | ISO 27701:2025 |
|---|---|---|
| Prerequisite | ISO 27001 certification required | No prerequisite, standalone certification available |
| Management system clauses | Supplemented ISO 27001 Clauses 4 to 10 | Contains its own complete Clauses 4 to 10 |
| Risk assessment | Extended ISO 27001 information security risk process | Dedicated privacy risk assessment process |
| Statement of Applicability | Extended the ISO 27001 SoA | Standalone SoA covering ISO 27701 Annex A controls |
| Certification scope | Always combined with ISO 27001 | Standalone or combined, organisation’s choice |
| Audit effort | Additional audit days on top of ISO 27001 | Can be a single, focused privacy audit |
What is the transition timeline?
Organisations currently certified to ISO 27701:2019 must transition to the 2025 edition by October 2028. Key dates:
- Now — ISO 27701:2025 is published and certification bodies are preparing their accreditation
- 2025 to 2026 — Certification bodies begin offering ISO 27701:2025 certification audits
- October 2028 — All ISO 27701:2019 certificates expire. Organisations must have transitioned to the 2025 edition
For organisations new to ISO 27701, there is no transition requirement. You should implement the 2025 edition directly. For detailed transition guidance, see our transition guide.
Can you still combine ISO 27701 with ISO 27001?
Absolutely. While standalone certification is now available, organisations that hold or are pursuing ISO 27001 can still integrate the two standards. In fact, there are strong benefits to doing so:
- Shared management system — Many Clause 4 to 10 requirements overlap, reducing duplication of effort
- Integrated risk management — Assess information security and privacy risks through a single, coordinated process
- Combined audits — Reduce audit fatigue by combining surveillance and recertification audits
- Comprehensive coverage — Address both information security and privacy in a single framework, appealing to customers and regulators
The choice between standalone and integrated certification depends on your organisation’s needs, existing certifications and customer expectations.
Why choose ISMS.online for ISO 27701:2025 certification?
ISMS.online is purpose-built to accelerate your path to certification:
- Pre-configured PIMS framework — Start with a complete ISO 27701:2025 structure including all clauses and Annex A controls, ready to customise
- Statement of Applicability builder — Generate and maintain your SoA with justifications, implementation status and evidence links
- Risk management — Integrated privacy risk register with assessment and treatment workflows aligned to the standard
- Audit readiness — Centralised evidence collection, document management and audit trail so you are always certification ready
- Expert guidance — Built-in guidance for each clause and control, helping your team understand what is required without external consultancy
Key controls to prepare include A.1.2.6 Privacy Impact Assessment and A.1.2.9 Records of Processing.
FAQs
Do I need to drop ISO 27001 to get standalone ISO 27701 certification?
No. Standalone certification means ISO 27001 is no longer a prerequisite, not that you cannot hold both. If you already have ISO 27001, you can maintain it and add ISO 27701:2025 as either a standalone or integrated certification. The standalone option simply gives organisations the flexibility to certify against ISO 27701 without ISO 27001 if that better suits their needs.
Is standalone certification recognised by GDPR supervisory authorities?
ISO 27701 certification (whether standalone or integrated) is not an official GDPR certification mechanism under Article 42. However, it is widely recognised by supervisory authorities and industry as strong evidence of effective privacy management. Many organisations use ISO 27701 certification to demonstrate accountability under Article 5(2) and to satisfy customer due diligence requirements for data processing agreements under Article 28.
How long does it take to achieve standalone ISO 27701 certification?
For a well-prepared organisation, the implementation phase typically takes 3 to 6 months for smaller organisations and 6 to 12 months for larger or more complex ones. The audit process adds 4 to 8 weeks. Using a platform like ISMS.online can significantly reduce the implementation timeline by providing pre-built frameworks, templates and guidance that eliminate the need to start from scratch.