What are the ISO 27701:2025 management system requirements?
ISO 27701:2025 uses the Harmonized Structure (HS, formerly known as Annex SL), the common clause structure shared by all current ISO management system standards. Clauses 4 to 10 define the core requirements that every organisation must meet to establish, implement, maintain and continually improve a Privacy Information Management System (PIMS).
A major change in the 2025 edition is that ISO 27701 is now a standalone management system standard. It no longer requires ISO 27001 as a prerequisite, meaning organisations can implement and certify against ISO 27701:2025 independently. Learn more about this in our standalone certification guide.
How are the clauses structured?
The seven management system clauses follow a logical sequence from understanding your context through to continual improvement. Together they form the Plan, Do, Check, Act (PDCA) cycle that drives effective privacy management.
| Clause | Title | PDCA Phase | Summary |
|---|---|---|---|
| Clause 4 | Context of the Organization | Plan | Understand your organisation, interested parties, scope and PIMS boundaries |
| Clause 5 | Leadership | Plan | Top management commitment, privacy policy and organisational roles |
| Clause 6 | Planning | Plan | Privacy risk assessment, risk treatment, objectives and change planning |
| Clause 7 | Support | Do | Resources, competence, awareness, communication and documented information |
| Clause 8 | Operation | Do | Operational planning, privacy risk assessment and risk treatment execution |
| Clause 9 | Performance Evaluation | Check | Monitoring, internal audit and management review |
| Clause 10 | Improvement | Act | Continual improvement and corrective action |
How do these clauses relate to Annex A controls?
The management system clauses (4 to 10) define how you run your PIMS, while the Annex A controls define what privacy controls you implement. Clause 6.1.3 (privacy risk treatment) is where the two connect: your risk treatment process determines which Annex A controls are applicable, and these are documented in your Statement of Applicability (SoA).
The Annex A controls are organised into three tables:
What is different from the 2019 edition?
The management system requirements in ISO 27701:2025 include several important changes compared to the 2019 edition:
- Standalone standard — The clauses now form a complete, self-contained management system. ISO 27001 is no longer a prerequisite
- Privacy risk focus — Clause 6 now explicitly references privacy risk assessment and privacy risk treatment, rather than relying on the information security risk processes from ISO 27001
- Climate change — Clauses 4.1 and 4.2 include new requirements to consider climate change as a relevant issue when determining context and interested party expectations
- Harmonized Structure alignment — The clauses align with the latest HS requirements, including updated terminology and structure
- Planning of changes — Clause 6.3 adds an explicit requirement to plan changes to the PIMS in a structured manner
For a detailed comparison, see our Annex F correspondence guide and what’s new in ISO 27701:2025.
Who do these requirements apply to?
The management system clauses (4 to 10) apply to all organisations implementing ISO 27701:2025, regardless of whether they act as PII controllers, PII processors, or both. The distinction between controller and processor roles is addressed through the Annex A controls, not the management system clauses.
This makes the requirements applicable to organisations of any size or sector that process personal data and want to demonstrate effective privacy management through certification or self-declaration.
Why choose ISMS.online for ISO 27701:2025 compliance?
ISMS.online provides an integrated platform for implementing every clause of ISO 27701:2025:
- Pre-built PIMS framework — Clause-by-clause structure with templates, policies and procedures ready to customise
- Privacy risk management — Built-in risk register with assessment and treatment workflows aligned to Clauses 6 and 8
- Policy and document control — Version-controlled documentation with approval workflows for the Clause 7.5 requirements on documented information
- Audit management — Plan, execute and track internal audits with evidence collection for Clause 9.2
- Management review — Structured review templates with input tracking and action management for Clause 9.3
FAQs
Can ISO 27701:2025 be implemented without ISO 27001?
Yes. The 2025 edition is a standalone management system standard with its own complete set of requirements in Clauses 4 to 10. You no longer need ISO 27001 certification as a prerequisite. However, organisations that already hold ISO 27001 can integrate both systems for a combined information security and privacy management approach.
What is the relationship between the clauses and the Annex A controls?
The clauses define how to run your PIMS (governance, risk management, documentation, auditing), while Annex A provides the specific privacy controls to implement. Clause 6.1.3 connects the two through the risk treatment process, where you determine which Annex A controls apply based on your privacy risk assessment.
Do all seven clauses need to be fully implemented for certification?
Yes. Clauses 4 to 10 contain mandatory requirements (indicated by the word “shall”), and every one of them must be addressed, with documented information where the clause calls for it, before certification. Unlike Annex A controls, which can be excluded through the Statement of Applicability where the exclusion is justified, none of the management system clauses can be excluded or scoped out.