What is the ISO 27701:2025 transition timeline?
ISO/IEC 27701:2025 was published in October 2025. Organisations certified to the 2019 edition have a three-year transition period ending in October 2028.
| Milestone | Date | What it means |
|---|---|---|
| 2025 edition published | October 2025 | New certifications can be issued against either edition |
| Transition period | October 2025 – October 2028 | Organisations can plan and execute the move to 2025 |
| Transition deadline | October 2028 | All 2019 certificates expire; only 2025 certifications valid |
If your next surveillance or recertification audit falls within the transition window, it is worth discussing with your certification body whether to combine the transition with that scheduled audit.
What are the structural changes you need to understand?
The 2025 edition is not a minor revision. The architecture of the standard has fundamentally changed. Understanding these structural shifts is the first step in planning your transition.
Management system requirements are now self-contained
The 2019 edition extended ISO 27001 clauses with privacy-specific additions. The 2025 edition has its own complete management system requirements in Clauses 4 to 10, following the ISO Harmonized Structure. If you also hold ISO 27001, you can still integrate both systems, but ISO 27701 no longer depends on it.
Controls have moved from clauses to annexes
This is the change that affects your documentation and statement of applicability the most:
| 2019 location | 2025 location | Description |
|---|---|---|
| Clause 6 (90+ subclauses) | Table A.3 (29 controls) | Shared information security controls for PII |
| Clause 7 | Table A.1 (31 controls) | PII controller controls |
| Clause 8 | Table A.2 (18 controls) | PII processor controls |
| Embedded in Clauses 6–8 | Annex B | Implementation guidance (mirrors Annex A) |
The Annex F correspondence table maps every 2019 control to its 2025 equivalent, making gap analysis practical.
How should you run a gap analysis?
A structured gap analysis is the foundation of a successful transition. Here is a practical approach:

Step 1: Map your current controls to 2025
Use the Annex F correspondence table to identify the 2025 equivalent of each of your existing 2019 controls. Many controls have direct equivalents, but some have been consolidated and others removed entirely.
Pay attention to controls marked “N/A” in Annex F — these are 2019 controls that have no direct 2025 equivalent. You need to determine whether the intent is already covered by a different 2025 control or whether you can safely retire the documentation.
Step 2: Identify new requirements
Review the 2025 management system requirements (Clauses 4 to 10) against your current PIMS documentation. Key areas to check:
- Clauses 4.1 and 4.2 — Climate change is now a required consideration in your context analysis and interested party assessment
- Clause 5.2 — Privacy policy requirements are now standalone (not an extension of your ISMS policy)
- Clause 6.1.2 / 6.1.3 — Privacy risk assessment and treatment requirements are self-contained
- Clause 6.3 — Planning of changes is explicitly required
Step 3: Rebuild your statement of applicability
Your existing statement of applicability referenced Clause 6, 7 and 8 controls. The 2025 edition requires a new statement of applicability based on the 78 Annex A controls, with justifications for any exclusions [see Clause 6.1.3 e)].
Step 4: Update documentation
At minimum, the following documents will need updating:
- PIMS scope statement (now self-contained, not referencing ISMS scope)
- Privacy policy (standalone, per Clause 5.2)
- Privacy risk assessment methodology (per Clause 6.1.2)
- Statement of applicability (new Annex A structure)
- Internal audit programme (covering Clauses 4–10 plus applicable Annex A controls)
- Management review inputs and outputs (per Clause 9.3)
Step 5: Conduct an internal audit against 2025
Before your transition audit, run a full internal audit against the 2025 requirements. This validates your gap analysis, tests your updated documentation and gives your management review meaningful input on transition readiness.
What controls were removed or consolidated?
The 2019 edition’s Clause 6 referenced over 90 ISO 27002 subclauses with PII-specific guidance. The 2025 edition consolidates these into 29 focused controls in Table A.3. Many 2019 subclauses that simply said “no additional guidance” have been removed.
Controls that had no PII-specific guidance (physical security, cabling, utilities, malware protection etc.) are no longer listed separately. This does not mean they are unimportant — it means the standard now focuses specifically on controls that require PII-related implementation guidance.
Annex F Tables F.1 and F.2 provide the complete mapping in both directions, so you can verify exactly which of your existing controls need to be remapped and which can be retired from your PIMS scope.
Why choose ISMS.online for your ISO 27701 transition?
ISMS.online makes the transition practical and trackable:
- Pre-mapped framework — ISO 27701:2025 controls, requirements and evidence mapped and ready to use
- Gap analysis support — Compare your existing PIMS against the 2025 structure and track what needs updating
- Statement of applicability builder — Generate your new SoA based on the 78 Annex A controls with justifications
- Document management — Version-control your updated policies, procedures and records in one place
- Internal audit tools — Plan and execute your pre-transition audit with corrective action tracking
- Dual framework support — Run ISO 27701 and ISO 27001 side by side without duplicating work
FAQs
Can I transition early to ISO 27701:2025?
Yes. New certifications can be issued against the 2025 edition from October 2025 onwards. If your next scheduled audit is coming up, discuss with your certification body whether to combine it with the transition.
Do I need to start from scratch?
No. Much of your existing work carries over. The controls have been reorganised, not fundamentally rewritten. Use Annex F to map your current controls to the new structure, update your documentation to reflect the new numbering, and fill any gaps identified in your gap analysis.
What happens if I miss the October 2028 deadline?
Your ISO 27701:2019 certification will no longer be valid after October 2028. You would need to certify against the 2025 edition as a new certification rather than a transition, which may require a full Stage 1 and Stage 2 audit.
Do I still need ISO 27001 to transition?
No. Since ISO 27701:2025 is standalone, you can transition without holding ISO 27001. If you currently hold both, you can choose to maintain both certifications independently or continue running an integrated management system.
How long does the transition typically take?
This depends on the maturity of your existing PIMS and the extent of documentation changes needed. Organisations with well-maintained systems may need a few weeks for gap analysis and documentation updates, followed by an internal audit cycle. The transition audit itself is typically combined with a surveillance or recertification visit.








