What is the ISO 27701:2025 transition timeline?
ISO/IEC 27701:2025 was published in October 2025. Organisations certified to the 2019 edition have a three-year transition period ending in October 2028.
| Milestone | Date | What it means |
|---|---|---|
| 2025 edition published | October 2025 | New certifications can be issued against either edition |
| Transition period | October 2025 – October 2028 | Organisations can plan and execute the move to 2025 |
| Transition deadline | October 2028 | All 2019 certificates expire; only 2025 certifications valid |
If your next surveillance or recertification audit falls within the transition window, it is worth discussing with your certification body whether to combine the transition with that scheduled audit.
Choosing the right auditor is critical — see our guide on how to choose an ISO 27701:2025 certification body.
What are the key transition deadlines and grace periods?
The three-year transition window gives organisations flexibility, but different milestones require action at different points. Here is a practical breakdown of what you need to do and when:
| Date | What happens | Action required |
|---|---|---|
| October 2025 | ISO 27701:2025 published. New certifications can be issued against either edition. | Begin planning your transition. Conduct a gap analysis against the 2025 requirements. |
| October 2025 – October 2026 (Year 1) | Early transition window. Certification bodies update their audit schemes. | Confirm your certification body is ready to audit against 2025. If your surveillance audit falls in this period, discuss combining it with the transition. |
| October 2026 – October 2027 (Year 2) | Mid-transition. Most certification bodies fully operational on the 2025 edition. | Complete your documentation updates and internal audit against the 2025 structure. Schedule your transition audit. |
| October 2027 – October 2028 (Year 3) | Final transition year. Urgency increases for organisations that have not yet transitioned. | Complete your transition audit before October 2028. Certification body availability may tighten as the deadline approaches. |
| October 2028 | Deadline. All ISO 27701:2019 certificates expire. Only 2025 edition certificates are valid. | If you have not transitioned, your certification lapses. You would need to certify as a new applicant, potentially requiring a full Stage 1 and Stage 2 audit. |
What happens if you miss the deadline?
If your ISO 27701:2019 certificate expires in October 2028 and you have not transitioned:
- Your certificate is no longer valid — Customers, regulators and procurement teams who rely on your certification will see it as lapsed.
- You cannot simply renew — The 2019 edition will be withdrawn. There is no option to recertify against it.
- You start as a new applicant — Your certification body will treat you as a first-time applicant for the 2025 edition, which typically means a full Stage 1 and Stage 2 audit rather than a transition audit. This costs more and takes longer.
- Commercial impact — Any contracts, tenders or customer agreements that reference your ISO 27701 certification may be affected.
Practical advice on timing
The most cost-effective approach is to align your transition with a scheduled audit:
- If your next surveillance audit is before October 2027 — Combine the transition with that surveillance visit. This avoids a separate transition audit fee.
- If your recertification is due before October 2028 — Transition at recertification. You are already paying for a full audit; adding the 2025 edition requirements is incremental.
- If you have no scheduled audit until late 2028 — Do not wait. Book a transition audit early to avoid the rush as the deadline approaches. Certification body availability will tighten in the final six months.
Whichever timing you choose, start your gap analysis and documentation updates at least six months before your planned transition audit. The documentation changes are manageable but require thoroughness — rushing them increases the risk of nonconformities.
Our step-by-step gap analysis guide walks you through the assessment process for the 2025 edition.
What are the structural changes you need to understand?
The 2025 edition is not a minor revision. The architecture of the standard has fundamentally changed. Understanding these structural shifts is the first step in planning your transition.
Management system requirements are now self-contained
The 2019 edition extended ISO 27001 clauses with privacy-specific additions. The 2025 edition has its own complete management system requirements in Clauses 4 to 10, following the ISO Harmonized Structure. If you also hold ISO 27001, you can still integrate both systems, but ISO 27701 no longer depends on it.
Controls have moved from clauses to annexes
This is the change that affects your documentation and statement of applicability the most:
| 2019 location | 2025 location | Description |
|---|---|---|
| Clause 6 (90+ subclauses) | Table A.3 (29 controls) | Shared information security controls for PII |
| Clause 7 | Table A.1 (31 controls) | PII controller controls |
| Clause 8 | Table A.2 (18 controls) | PII processor controls |
| Embedded in Clauses 6–8 | Annex B | Implementation guidance (mirrors Annex A) |
The Annex F correspondence table maps every 2019 control to its 2025 equivalent, making gap analysis practical.
How should you run a gap analysis?
A structured gap analysis is the foundation of a successful transition. Here is a practical approach:

Step 1: Map your current controls to 2025
Use the Annex F correspondence table to identify where each of your existing 2019 controls maps to in the 2025 structure. Many controls have direct equivalents, but some have been consolidated and others removed entirely.
Pay attention to controls marked “N/A” in Annex F — these are 2019 controls that have no direct 2025 equivalent. You need to determine whether the intent is already covered by a different 2025 control or whether you can safely retire the documentation.
Step 2: Identify new requirements
Review the 2025 management system requirements (Clauses 4 to 10) against your current PIMS documentation. Key areas to check:
- Clauses 4.1 and 4.2 — Climate change is now a required consideration in your context analysis and interested party assessment
- Clause 5.2 — Privacy policy requirements are now standalone (not an extension of your ISMS policy)
- Clause 6.1.2 / 6.1.3 — Privacy risk assessment and treatment requirements are self-contained
- Clause 6.3 — Planning of changes is explicitly required
Step 3: Rebuild your statement of applicability
Your existing statement of applicability referenced Clause 6, 7 and 8 controls. The 2025 edition requires a new statement of applicability based on the 78 Annex A controls, with justifications for any exclusions [see Clause 6.1.3 e)].
Step 4: Update documentation
At minimum, the following documents will need updating:
- PIMS scope statement (now self-contained, not referencing ISMS scope)
- Privacy policy (standalone, per Clause 5.2)
- Privacy risk assessment methodology (per Clause 6.1.2)
- Statement of applicability (new Annex A structure)
- Internal audit programme (covering Clauses 4–10 plus applicable Annex A controls)
- Management review inputs and outputs (per Clause 9.3)
Step 5: Conduct an internal audit against 2025
Before your transition audit, run a full internal audit against the 2025 requirements. This validates your gap analysis, tests your updated documentation and gives your management review meaningful input on transition readiness.
What controls were removed or consolidated?
The 2019 edition’s Clause 6 referenced over 90 ISO 27002 subclauses with PII-specific guidance. The 2025 edition consolidates these into 29 focused controls in Table A.3. Many 2019 subclauses that simply said “no additional guidance” have been removed.
Controls that had no PII-specific guidance (physical security, cabling, utilities, malware protection etc.) are no longer listed separately. This does not mean they are unimportant — it means the standard now focuses specifically on controls that require PII-related implementation guidance.
Annex F Tables F.1 and F.2 provide the complete mapping in both directions, so you can verify exactly which of your existing controls need to be remapped and which can be retired from your PIMS scope.
Why choose ISMS.online for your ISO 27701 transition?
ISMS.online makes the transition practical and trackable:
- Pre-mapped framework — ISO 27701:2025 controls, requirements and evidence mapped and ready to use
- Gap analysis support — Compare your existing PIMS against the 2025 structure and track what needs updating
- Statement of applicability builder — Generate your new SoA based on the 78 Annex A controls with justifications
- Document management — Version-control your updated policies, procedures and records in one place
- Internal audit tools — Plan and execute your pre-transition audit with corrective action tracking
- Dual framework support — Run ISO 27701 and ISO 27001 side by side without duplicating work
FAQs
Can I transition early to ISO 27701:2025?
Yes. New certifications can be issued against the 2025 edition from October 2025 onwards. If your next scheduled audit is coming up, discuss with your certification body whether to combine it with the transition.
Do I need to start from scratch?
No. Much of your existing work carries over. The controls have been reorganised, not fundamentally rewritten. Use Annex F to map your current controls to the new structure, update your documentation to reflect the new numbering, and fill any gaps identified in your gap analysis.
What happens if I miss the October 2028 deadline?
Your ISO 27701:2019 certification will no longer be valid after October 2028. You would need to certify against the 2025 edition as a new certification rather than a transition, which may require a full Stage 1 and Stage 2 audit.
Do I still need ISO 27001 to transition?
No. Since ISO 27701:2025 is standalone, you can transition without holding ISO 27001. If you currently hold both, you can choose to maintain both certifications independently or continue running an integrated management system.
How long does the transition typically take?
This depends on the maturity of your existing PIMS and the extent of documentation changes needed. Organisations with well-maintained systems may need a few weeks for gap analysis and documentation updates, followed by an internal audit cycle. The transition audit itself is typically combined with a surveillance or recertification visit.
For organisations looking to move quickly, we cover the fastest path to ISO 27701:2025 certification.








