Why was ISO 27701 updated?

The first edition of ISO 27701 was published in 2019 as an extension to ISO 27001 and ISO 27002. Since then, the privacy landscape has shifted significantly. New regulations have emerged, technology has evolved (AI, IoT, biometrics), and organisations have called for a standard that can stand on its own rather than depending on a separate information security management system.

ISO/IEC 27701:2025, published in October 2025, is the second edition. It replaces the 2019 version entirely and introduces structural changes designed to make privacy information management more practical and accessible.

ISO 27701:2025 at a glance: 78 privacy controls, 3 control tables, 6 annexes, transition deadline October 2028.

What are the biggest changes in ISO 27701:2025?

The 2025 edition brings seven key changes that organisations need to understand:

1. Standalone standard

The most significant shift is that ISO 27701:2025 is now a standalone management system standard. Organisations no longer need to hold ISO 27001 certification first. The standard contains its own complete set of requirements (Clauses 4 to 10), covering context, leadership, planning, support, operation, performance evaluation and improvement.

This opens the door to organisations that want privacy certification without the overhead of a full ISMS, while still allowing integration with ISO 27001 for those that want both.

2. Restructured Annex A with three control tables

The old Clauses 7 (PII controller guidance) and 8 (PII processor guidance) have been replaced by a unified Annex A with three tables:

Table      Scope                                                   Controls
Table A.1  PII controller controls                                 31
Table A.2  PII processor controls                                  18
Table A.3  Shared security controls (controllers and processors)   29

This gives organisations 78 privacy controls in total, each with matching implementation guidance in Annex B. The structure makes it much clearer which controls apply to your role.

3. Annex B provides implementation guidance

Annex B mirrors each Annex A control with detailed implementation guidance. Where the 2019 version embedded guidance within Clauses 6, 7 and 8, the 2025 edition separates the “what” (Annex A) from the “how” (Annex B). This makes auditing and gap analysis more straightforward.

4. New mapping annexes

The 2025 edition includes four mapping annexes alongside the control annexes A and B. Annex D maps the controls to the GDPR (updated from the 2019 edition), and Annex F is new.

Annex F is particularly valuable for organisations transitioning from the 2019 edition, as it maps every old control to its 2025 equivalent, which makes it the natural starting point for a gap analysis.
5. Table A.3 replaces the old Clause 6

The 2019 edition’s Clause 6 contained over 90 subclauses referencing ISO 27002 controls, each with PII-specific additions. In the 2025 edition this has been consolidated into Table A.3 (shared security controls), which holds 29 focused controls that apply to both controllers and processors. The result is a significantly more manageable scope.

6. Simplified management system requirements

Clauses 4 to 10 now follow the standard ISO management system structure (Harmonized Structure). They are self-contained and do not require cross-referencing with ISO 27001 clauses, though alignment is straightforward for organisations that hold both certifications.

7. Climate change consideration

In line with the recent ISO amendment applied across all management system standards, Clause 4.1 now requires organisations to determine whether climate change is a relevant issue for their PIMS context, and Clause 4.2 notes that interested parties may have requirements relating to climate change.

How does the control structure compare to 2019?

Aspect                   ISO 27701:2019                                      ISO 27701:2025
Dependency               Extension to ISO 27001 + 27002                      Standalone standard
Controller guidance      Clause 7 (embedded)                                 Table A.1 + Annex B.1 (31 controls)
Processor guidance       Clause 8 (embedded)                                 Table A.2 + Annex B.2 (18 controls)
Security controls        Clause 6 (90+ subclauses referencing ISO 27002)     Table A.3 + Annex B.3 (29 controls)
Total privacy controls   Spread across Clauses 6, 7 and 8                    78 controls in Annex A
GDPR mapping             Annex D                                             Annex D (updated)
2019 correspondence      N/A                                                 Annex F (new)

What is the transition deadline?

Organisations certified to ISO 27701:2019 have until October 2028 to transition to the 2025 edition, a three-year window from the October 2025 publication date.

During the transition period:

  • New certifications can be issued against either edition
  • Existing 2019 certificates remain valid until their expiry or the transition deadline, whichever comes first
  • Certification bodies will need to update their audit programmes to assess against the 2025 requirements

For a step-by-step approach to the transition, see our ISO 27701 transition guide.

ISMS.online supports over 100 standards and regulations, giving you a single platform for all your compliance needs.
What does standalone certification mean in practice?

Under the 2019 edition, an organisation could only achieve ISO 27701 certification if it already had (or was simultaneously certifying to) ISO 27001. This created a barrier for organisations that needed privacy certification but not a full information security management system.

With the 2025 edition, organisations can certify to ISO 27701 independently. The standard now includes its own management system requirements (Clauses 4 to 10) and its own set of controls (Annex A). However, integration with ISO 27001 remains straightforward and is encouraged where both disciplines are relevant.

Why choose ISMS.online for ISO 27701:2025?

ISMS.online gives you a practical, structured way to implement and maintain your Privacy Information Management System aligned to ISO 27701:2025:

  • Pre-built framework — ISO 27701:2025 controls, clauses and evidence requirements mapped and ready to work with from day one
  • Integrated risk management — Run privacy risk assessments alongside information security risks in one place
  • Policy and control management — Draft, approve, distribute and track acknowledgement of privacy policies
  • Supplier management — Track PII processor contracts, subcontractor disclosures and cross-border transfer records
  • Audit readiness — Maintain your statement of applicability, evidence packs and corrective actions in a single platform
  • Dual certification support — Run ISO 27701 standalone or integrated with ISO 27001 without duplicating effort

FAQs

Is ISO 27701:2025 backwards compatible with the 2019 version?

Not directly. The structure has changed significantly, with the old Clauses 6, 7 and 8 replaced by Annex A and Annex B. However, Annex F provides a complete correspondence table mapping every 2019 control to its 2025 equivalent, making gap analysis straightforward.


Do I still need ISO 27001 to get ISO 27701 certified?

No. ISO 27701:2025 is a standalone standard with its own management system requirements. You can certify to it independently. If you already hold ISO 27001, you can integrate both systems and benefit from shared processes.


When do I need to transition from ISO 27701:2019?

The transition deadline is October 2028, giving you three years from the publication of the 2025 edition. Existing 2019 certificates remain valid until their expiry or the transition deadline, whichever comes first.


How many controls are in ISO 27701:2025?

There are 78 controls in Annex A, split across three tables: 31 for PII controllers (Table A.1), 18 for PII processors (Table A.2) and 29 shared security controls for both (Table A.3). Each control has corresponding implementation guidance in Annex B.


Does ISO 27701:2025 cover AI and biometric data?

The standard is technology neutral but its controls for automated decision making (A.1.3.11 Automated Decision Making), privacy impact assessment (A.1.2.6 Privacy Impact Assessment) and data minimisation (A.1.4.5 PII Minimisation) are directly relevant to AI, IoT and biometric processing. The principles apply regardless of the technology used.



Max Edwards

Max works as part of the ISMS.online marketing team and ensures that our website is updated with useful content and information about all things ISO 27001, 27002 and compliance.
