Why was ISO 27701 revised?
ISO 27701:2019 was published as an extension to ISO 27001 and ISO 27002, adding privacy-specific requirements and controls on top of an existing information security management system. While this approach had merit, it created practical problems: organisations needed ISO 27001 certification before they could certify against ISO 27701, privacy controls were scattered across multiple clauses, and the structure did not align cleanly with how organisations manage privacy in practice.
The 2025 revision addresses all of these issues. ISO 27701:2025 is a standalone management system standard with its own complete set of requirements in Clauses 4 to 10, a redesigned Annex A containing 78 clearly categorised privacy controls, and new mapping annexes that connect the standard to GDPR, ISO 29100 and its 2019 predecessor. For a full overview of what changed, see our guide to what’s new in ISO 27701:2025.
How has the structure changed?
The most fundamental change is that ISO 27701:2025 is no longer an extension standard. It is a complete, self-contained privacy information management system (PIMS) standard.
| Aspect | ISO 27701:2019 | ISO 27701:2025 |
|---|---|---|
| Standard type | Extension to ISO 27001/ISO 27002 | Standalone management system standard |
| Prerequisite | ISO 27001 certification required | No prerequisite; standalone certification possible |
| Management system clauses | Supplemented ISO 27001 Clauses 4 to 10 | Contains its own complete Clauses 4 to 10 |
| Privacy controls location | Clauses 7 (controller) and 8 (processor) with controls embedded | Annex A with three tables: A.1 Controller, A.2 Processor, A.3 Shared |
| Implementation guidance | Interspersed with normative controls | Separated into Annex B (normative) |
| Risk assessment | Extended ISO 27001 information security risk process | Dedicated privacy risk assessment in Clause 6 |
| Statement of Applicability | Extended the ISO 27001 SoA | Standalone SoA covering Annex A controls |
| Climate change | Not addressed | Included in Clauses 4.1 and 4.2 context considerations |
| Certification | Always combined with ISO 27001 | Standalone or combined, organisation’s choice |
This structural change means organisations pursuing privacy certification no longer need to implement a full information security management system first. For details on what standalone certification involves, see our standalone certification guide.
Clauses 4 to 10: standalone management system requirements
In the 2019 edition, Clauses 5 to 8 supplemented the corresponding ISO 27001 clauses. The 2025 edition contains entirely self-contained clauses:
- Clause 4 (Context) — Establishes the scope of the PIMS independently, including the new requirement to consider climate change relevance
- Clause 5 (Leadership) — Defines top management responsibilities for privacy, including a privacy policy and assignment of roles
- Clause 6 (Planning) — Introduces a dedicated privacy risk assessment and treatment process, separate from information security risk management
- Clause 7 (Support) — Covers resources, competence, awareness, communication and documented information for the PIMS
- Clause 8 (Operation) — Operational planning and control of privacy processes
- Clause 9 (Performance evaluation) — Monitoring, measurement, internal audit and management review of the PIMS
- Clause 10 (Improvement) — Nonconformity management, corrective action and continual improvement
This means an organisation can build and certify a complete Privacy Information Management System without referencing ISO 27001 at all. For a detailed walkthrough, see our ISO 27701:2025 requirements guide.
How has the Annex A control structure been reorganised?
The 2019 edition embedded privacy controls within Clauses 7 and 8, mixing normative requirements with implementation guidance. This made it difficult to distinguish what was mandatory from what was advisory, and complicated the creation of a Statement of Applicability.
ISO 27701:2025 takes a completely different approach. All privacy controls are now in Annex A, organised into three clear tables:
| Table | Scope | Number of controls | Applies to |
|---|---|---|---|
| Table A.1 | PII Controller controls | 31 | Organisations acting as data controllers |
| Table A.2 | PII Processor controls | 18 | Organisations acting as data processors |
| Table A.3 | Shared controls | 29 | All organisations regardless of role |
Implementation guidance has been moved to Annex B, which is normative but uses ‘should’ language to provide implementation recommendations. This separation makes the standard easier to audit against and clearer for organisations to implement, because you can see exactly which controls are mandatory and which guidance supports them.
What happened to the 150+ controls from the 2019 edition?
The 2019 edition contained controls spread across Clauses 6, 7 and 8 (approximately 49 privacy-specific controls in Clauses 7 and 8, plus over 90 PII-related security subclauses in Clause 6), many of which were extensions to ISO 27002 controls. The 2025 edition has 78 controls in Annex A. This does not represent a reduction in scope. Instead, the controls have been consolidated, restructured and in many cases combined where there was overlap.
Key changes in the control landscape:
- Consolidation — Related controls that were spread across multiple clauses in 2019 have been merged into single, comprehensive controls in 2025
- Clearer categorisation — Controls are now explicitly assigned to controller, processor or shared categories, eliminating ambiguity
- Removed duplication — The 2019 edition contained controls that duplicated ISO 27002 requirements. The 2025 edition has its own dedicated control set, removing unnecessary overlap
- New controls — Some areas have gained new or significantly expanded controls, particularly around automated decision making (A.1.3.11 Automated Decision Making), de-identification and anonymisation (A.1.4.6 De-identification and Deletion), and secure development practices (A.3.27 Secure Development Life Cycle)
For a detailed mapping between the 2019 and 2025 control sets, ISO 27701:2025 includes Annex F, which provides a complete correspondence table showing how every 2019 control maps to its 2025 equivalent.
What new annexes have been added?
The 2025 edition introduces updated mapping annexes and one entirely new annex (Annex F) alongside the restructured Annex A and Annex B:
| Annex | Title | Type | Purpose |
|---|---|---|---|
| A | Privacy controls | Normative | 78 mandatory controls in 3 tables (controller, processor, shared) |
| B | Implementation guidance | Normative | Detailed guidance for implementing each Annex A control |
| C | Mapping to ISO/IEC 29100 | Informative | Links controls to the 11 ISO 29100 privacy principles |
| D | Mapping to GDPR | Informative | Maps controls to relevant GDPR articles for compliance alignment |
| E | Mapping to ISO 27018 and ISO 29151 | Informative | Correspondence with cloud privacy and PII protection standards |
| F | Correspondence with ISO 27701:2019 | Informative | Complete mapping between 2019 and 2025 controls for transition planning |
The inclusion of Annex D (GDPR mapping) is particularly significant for European organisations, as it provides an official reference for how ISO 27701 controls align with specific GDPR articles. This makes it considerably easier to use ISO 27701 certification as evidence of GDPR compliance.
What are the key practical differences for implementation?
Beyond the structural changes, there are several practical differences that affect how organisations implement the standard:
- Privacy risk assessment — Clause 6 now requires a dedicated privacy risk assessment process, separate from information security risk assessment. This must specifically address risks to PII principals (data subjects), not just risks to the organisation
- Statement of Applicability — You must produce an SoA for the Annex A controls, documenting which controls are applicable, your justification for including or excluding each one, and the implementation status. This is now an explicit requirement, not an inherited one from ISO 27001
- Climate change — Following the 2024 amendment to all ISO management system standards, Clauses 4.1 and 4.2 now require organisations to consider whether climate change is relevant to the PIMS. This is a brief consideration, not a detailed environmental assessment
- Clearer audit trail — The separation of normative controls (Annex A) from implementation guidance (Annex B) makes audit preparation more straightforward. Auditors assess against Annex A; Annex B provides the context
- Simplified documentation — Because the standard is self-contained, organisations do not need to cross-reference ISO 27001 and ISO 27002 to understand their obligations. Everything is in one document
Impact on existing documentation
Organisations transitioning from 2019 to 2025 should expect to update several key documents:
- Privacy policy — Must reflect the standalone PIMS scope rather than referencing the ISO 27001 ISMS
- Risk assessment methodology — Needs to address privacy-specific risks to PII principals, not just organisational information security risks
- Statement of Applicability — Must be rebuilt against the 78 Annex A controls, with justifications for inclusion or exclusion of each
- Processing records — The control requirements for records of processing (A.1.2.9 Records of Processing PII and A.2.2.7 Records of Processing PII) are more explicitly defined in 2025
- Internal audit programme — Audit criteria should reference the 2025 clause structure and Annex A controls
For a comprehensive overview of the 2025 requirements, see our ISO 27701:2025 requirements guide.
What does this mean for organisations currently certified to 2019?
If your organisation already holds ISO 27701:2019 certification, the transition to 2025 requires careful planning but does not mean starting over. Much of the work you have already done remains valid. Your existing privacy policies, processing records and many of your operational procedures will carry forward with updates rather than wholesale replacement.
The main areas requiring attention are:
- Gap analysis against Annex A — Map your existing 2019 controls to the 78 Annex A controls using Annex F as your reference. Identify any new controls you have not previously addressed
- Privacy risk reassessment — Your risk assessment methodology may need updating to reflect the Clause 6 requirements, which focus specifically on risks to PII principals rather than organisational information security risks
- SoA rebuild — Your Statement of Applicability must be rewritten against the new Annex A structure, with justifications for each of the 78 controls
- Independence review — If you intend to certify ISO 27701:2025 as a standalone standard, ensure your PIMS documentation is self-contained and does not rely on references to your ISO 27001 ISMS for completeness
What is the transition timeline?
Organisations currently certified to ISO 27701:2019 must transition to the 2025 edition by October 2028. Key milestones:
- Now — ISO 27701:2025 is published and available for implementation
- 2025 to 2026 — Certification bodies complete their accreditation and begin offering ISO 27701:2025 audits
- October 2028 — All ISO 27701:2019 certificates expire. Transition must be complete
The three-year transition window is generous, but organisations should not wait until the last moment. Early adopters will benefit from less competition for auditor availability and more time to address any gaps identified during implementation.
Organisations new to ISO 27701 should implement the 2025 edition directly. There is no benefit to implementing the 2019 edition at this stage, as it will be withdrawn at the end of the transition period. For step-by-step transition planning, see our transition guide.
Why choose ISMS.online for your transition?
ISMS.online is purpose-built to help organisations navigate the transition from 2019 to 2025 and achieve certification efficiently:
- Pre-built ISO 27701:2025 framework — Start with the complete clause structure, all 78 Annex A controls and implementation guidance already mapped and ready to customise
- Gap analysis tools — Identify exactly where your existing PIMS meets 2025 requirements and where additional work is needed
- Statement of Applicability builder — Generate and maintain your SoA with control justifications, implementation status and linked evidence
- Privacy risk register — Integrated risk assessment and treatment workflows aligned to the Clause 6 requirements
- Audit readiness dashboard — Track your progress, centralise evidence and ensure you are certification-ready before your audit date
FAQs
Do I need to recertify under the 2025 edition?
Yes. All ISO 27701:2019 certificates must be transitioned to the 2025 edition by October 2028. This can be done during a scheduled surveillance or recertification audit, or through a dedicated transition audit. Your certification body will assess your PIMS against the 2025 requirements, including the restructured Annex A controls and the new Clause 6 privacy risk assessment requirements.
Can I use my existing ISO 27001 ISMS alongside ISO 27701:2025?
Absolutely. ISO 27701:2025 is designed to work both as a standalone standard and as a complement to ISO 27001. If you already have an ISMS in place, you can integrate your PIMS with it, sharing common management system elements such as document control, internal audit and management review. Many organisations will choose this approach to avoid duplicating effort across the two systems.
What is the deadline for transitioning from ISO 27701:2019?
The transition deadline is October 2028. After this date, all ISO 27701:2019 certificates will no longer be valid. Organisations should plan their transition well in advance to secure auditor availability and allow sufficient time for any necessary changes to their privacy information management system.