What Every Business Leader Needs to Know About the ISO 27701 Privacy Management Update

ISO published the second edition of ISO/IEC 27701 on October 14, 2025. The update removes the standard’s dependency on ISO 27001.

Organisations can now certify for privacy management without first implementing a full information security management system.

This matters most for companies where privacy compliance is the immediate business requirement.

HR platforms, healthcare providers, marketing agencies, and SaaS companies now have a direct path to privacy certification without first certifying their broader security management system. That path is particularly relevant for organisations that rely on infrastructure providers for much of their security, use a different security framework, or operate in sectors where privacy certification carries more regulatory or commercial weight.

The change also matters for organisations already certified under ISO 27001. The 2025 version formalises privacy management as a distinct discipline with its own governance structure, risk model, and performance requirements.

Privacy is no longer treated as a subset of information security.

What Changed in the 2025 Update

1. Standalone certification

The 2019 version required ISO 27001 as a foundation. The 2025 version doesn’t. Organisations can pursue ISO 27701 certification independently, though integration with existing security frameworks remains possible for those already certified.

2. Mandatory management system structure

Clauses 4 through 10—covering organisational context, leadership, planning, support, operations, performance evaluation, and improvement—are now mandatory requirements, not guidance.

The standard adopts the ISO High-Level Structure (Annex SL, now called the Harmonized Structure) shared by ISO management system standards.

This makes it easier to integrate privacy management with other frameworks like ISO 27001, ISO 9001, or ISO 14001, but it also means certification requires formal governance, not just technical controls.

3. Reorganised controls in Annex A

The 2025 version consolidates the separate control sets for PII controllers and PII processors.

The new structure includes approximately 31 controls for controllers, 18 for processors, and 29 shared controls.

The reorganisation reduces duplication and aligns the controls more closely with ISO 27002:2022, the updated information security controls standard.

4. New implementation guidance in Annex B

The implementation guidance in Annex B is new. It provides step-by-step guidance for each control in Annex A. The 2019 version told organisations what to do.

The 2025 version explains how to do it, with process maps, worked examples, and decision trees. This narrows the interpretation gap that often creates inconsistencies between certified organisations.

5. Expanded risk context

The updated standard includes specific guidance on privacy risks related to AI systems, automated decision-making, cloud services, and cross-border data transfers.

These weren’t afterthoughts in 2019, but they’re central now. The risk assessment framework also incorporates environmental and sustainability considerations, reflecting broader trends in ISO management standards.

6. Stronger governance requirements

Leadership roles and responsibilities are more explicitly defined.

The standard requires senior management to demonstrate active involvement in privacy decisions, set measurable privacy objectives, and track performance against those objectives over time.

This shifts privacy from a compliance function to a strategic governance responsibility.

What This Means for Executives

The standalone structure changes the business case for certification.

Organisations no longer need ISO 27001 certification before pursuing privacy management validation.

This matters most when privacy certification serves a specific business purpose.

A B2B SaaS platform may rely on AWS or Azure for infrastructure security while needing independent validation of how it handles customer privacy at the application layer.

A marketing agency processing consumer data across multiple jurisdictions may need a privacy certification that satisfies clients in both the EU and California without requiring full ISMS certification.

The standalone structure doesn’t diminish the importance of security—it recognises that organisations often address security through other frameworks, certifications, or infrastructure arrangements while still needing to prove privacy management competence independently.

The governance requirements will demand executive attention. The 2025 version mandates defined leadership roles, measurable privacy objectives, and evidence of performance evaluation.

Most organisations already have these elements for financial management and quality management. Fewer have them for privacy. Building that structure takes time and requires senior-level commitment.

The standard doesn’t replace GDPR, NDP Act, CCPA, or other privacy laws. It provides a framework for managing compliance across jurisdictions.

A company certified for ISO 27701 can still violate data protection laws if its actual practices don’t match its documented policies.

Certification proves the management system exists and functions—not that every individual decision is correct.

For organisations operating across multiple jurisdictions, the standard offers a jurisdiction-neutral approach to privacy governance.

It won’t resolve conflicts between European, American, and Asian privacy laws, but it provides a common structure for managing those conflicts systematically.

What This Means for Tech Teams

Tech teams will handle most of the implementation work.

The reorganised controls in Annex A and the new guidance in Annex B provide a clearer roadmap than the 2019 version, but they also create new technical requirements.

1. Control mapping and gap analysis

Organisations need to map current privacy practices against the updated controls, identify gaps, and prioritise remediation.

The control consolidation helps, but it doesn’t eliminate the need for a detailed assessment.

Teams should expect to spend significant time on data flow mapping, consent mechanism reviews, and data subject rights processes.

2. AI and automated processing

The expanded guidance on AI systems will affect most organisations.

Automated decision-making, algorithmic profiling, and machine learning models all introduce privacy risks that the 2019 version didn’t address in detail.

The 2025 version requires organisations to assess these risks explicitly and document mitigation measures.

For teams using AI in customer analytics, fraud detection, or personalisation, this means new documentation requirements and potentially new controls.

3. Cross-border data transfers

The updated guidance on cross-border data flows addresses one of the most unstable areas of privacy law.

Data localisation laws are spreading.

The standard now requires transfer impact assessments and supplementary measures for international data flows.

Tech teams will need to document where data moves, why it moves, and what protections apply at each step.

4. Performance metrics

The requirement for measurable privacy objectives creates new tracking responsibilities.

Most organisations measure security incidents. Fewer track privacy performance—data minimisation rates, consent withdrawal patterns, data subject request response times, or the accuracy of personal data records.

Building these metrics into operational dashboards takes planning and often requires new logging or reporting infrastructure.
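As an added example (not code from the article or from ISO/IEC 27701), the block below computes the kind of privacy KPIs listed above from a constructed data subject request log: on-time completion rate, late and overdue requests, mean days to close, and consent-withdrawal volume. The log format, the 30-day deadline (the GDPR Article 12(3) one-month default, before any extension) and the reporting date are assumptions; other laws run different clocks.

```python
"""Privacy KPIs from a data subject request (DSR) log.

Added example, not part of the article. The CSV layout, the 30-day
deadline and the sample rows are constructed assumptions.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date

DEADLINE_DAYS = 30  # assumed one-month clock (GDPR Art. 12(3) default)

# Constructed sample log; not real requests. Blank 'completed' means still open.
SAMPLE_LOG = """\
request_id,type,received,completed
R-1001,access,2025-01-02,2025-01-20
R-1002,erasure,2025-01-05,2025-02-10
R-1003,consent_withdrawal,2025-01-07,2025-01-07
R-1004,access,2025-01-15,
R-1005,portability,2025-01-20,2025-02-12
R-1006,consent_withdrawal,2025-02-01,2025-02-03
"""


@dataclass(frozen=True)
class Request:
    request_id: str
    kind: str
    received: date
    completed: date | None

    def days_elapsed(self, as_of: date) -> int:
        """Days from receipt to completion, or to the reporting date if open."""
        return ((self.completed or as_of) - self.received).days

    def overdue(self, as_of: date) -> bool:
        return self.days_elapsed(as_of) > DEADLINE_DAYS


def parse_log(text: str) -> list[Request]:
    """Parse the CSV log into Request records."""
    out: list[Request] = []
    for row in csv.DictReader(io.StringIO(text)):
        completed = date.fromisoformat(row["completed"]) if row["completed"] else None
        out.append(Request(row["request_id"], row["type"],
                           date.fromisoformat(row["received"]), completed))
    return out


def dsr_metrics(requests: list[Request], as_of: date) -> dict:
    """Management-review metrics for a reporting date."""
    closed = [r for r in requests if r.completed]
    still_open = [r for r in requests if not r.completed]
    on_time = [r for r in closed if not r.overdue(as_of)]
    mean_days = sum(r.days_elapsed(as_of) for r in closed) / len(closed) if closed else 0.0
    return {
        "total": len(requests),
        "closed": len(closed),
        "on_time_rate": round(len(on_time) / len(closed), 3) if closed else None,
        "late_closed": [r.request_id for r in closed if r.overdue(as_of)],
        "open_overdue": [r.request_id for r in still_open if r.overdue(as_of)],
        "mean_days_to_close": round(mean_days, 1),
        "consent_withdrawals": sum(r.kind == "consent_withdrawal" for r in requests),
    }


def metrics_from_log(text: str, as_of_iso: str) -> dict:
    """Convenience wrapper: parse a log and report as of an ISO date string."""
    return dsr_metrics(parse_log(text), date.fromisoformat(as_of_iso))


if __name__ == "__main__":
    for key, value in metrics_from_log(SAMPLE_LOG, "2025-02-20").items():
        print(f"{key}: {value}")
```

The open-but-overdue list is the one that usually matters in a review: a closed-request completion rate can look healthy while requests that nobody has touched quietly pass the deadline.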

5. Integration with existing systems

For organisations already certified under ISO 27001, the 2025 update clarifies where privacy and security responsibilities diverge.

Data subject rights, consent management, and third-party data sharing all require privacy-specific controls that go beyond information security.

Teams will need to determine which controls overlap, which are distinct, and how to avoid duplication while maintaining both systems.

Certification Timeline and Transition

ISO published the 2025 version on October 14, 2025.

Certification bodies are still aligning their accreditation schemes with the new standard.

I expect to see accredited ISO 27701:2025 certifications starting as early as 2026.

Organisations with existing ISO 27701:2019 certifications have until 2028 to transition.

The three-year window is standard for ISO revisions, but the extent of the changes—particularly the shift to standalone certification and the mandatory governance requirements—means most organisations will need more than a simple recertification audit.

For new certifications, the timeline depends on organisational readiness. A company with mature privacy practices, documented controls, and existing governance structures might certify within six to nine months.

A company starting from scratch should expect 12 to 18 months, assuming dedicated resources and management support.

The gap analysis phase determines everything else.

Organisations need to assess current practices against the new requirements, identify missing controls, and build remediation plans.

Annex B helps, but it’s not a substitute for internal evaluation.

Most organisations will spend more time on governance structure than on technical controls, simply because the leadership and performance requirements are newer and less familiar.

What Hasn’t Changed

ISO 27701 remains a framework, not a prescription. It doesn’t mandate specific technologies, processes, or organisational structures.

Organisations choose how to meet the controls based on their risk profile, regulatory environment, and operational context.

The standard remains jurisdiction-neutral. It doesn’t favour European, American, or Asian privacy models.

That flexibility is valuable for multinational organisations, but it also means the standard won’t resolve legal conflicts or provide definitive answers on compliance with specific laws.

Certification still requires third-party audit.

Organisations document their privacy management system, implement controls, and demonstrate evidence of performance.

An accredited certification body audits the system and issues certification if the requirements are met.

The process is rigorous, and it should be—certification is meant to provide assurance to external parties, not just internal validation.

Practical Considerations for Implementation

1. Start with gap analysis

Map current privacy practices against the new controls. Identify what’s missing. Prioritise based on risk, regulatory exposure, and resource availability. Don’t assume existing documentation is sufficient—the governance requirements in the 2025 version are more explicit than most organisations have in place.

2. Define leadership roles early

The standard requires a clear assignment of privacy responsibilities at the senior management level.

Determine who owns privacy objectives, who approves policy changes, who evaluates performance, and who authorises major privacy decisions. Document these roles and make sure the people in them understand their responsibilities.

3. Build measurable objectives

Privacy objectives need to be specific, measurable, and tracked over time. Identify KPIs that reflect privacy performance—not just incident counts, but data minimisation metrics, consent quality measures, and data subject request handling efficiency. Integrate these metrics into regular management reviews.

4. Use Annex B systematically

The new implementation guidance is detailed. Work through it control by control, not as a reference document but as a project plan. Annex B provides decision trees and process maps—use them to design workflows, not just to check boxes.

5. Plan for AI and automated processing

If your organisation uses automated decision-making, algorithmic profiling, or machine learning models, allocate time to document how these systems work, what privacy risks they create, and what controls mitigate those risks.

The guidance is more detailed than the 2019 version, and auditors will expect detailed responses.

6. Address cross-border transfers explicitly

Map data flows across jurisdictions.

Document transfer mechanisms—Standard Contractual Clauses, Binding Corporate Rules, adequacy decisions, or other legal bases.

Conduct transfer impact assessments where required. This is time-consuming, but it’s also one of the areas where regulators are most active.
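The data-flow mapping asked for here, and in the cross-border item of the tech-team section above, is easier to keep honest when the register is machine-checked. The block below is an added example, not code from the article or from the standard: it holds a constructed data-flow register and flags EEA-origin transfers that lack a recorded Article 46 safeguard (SCCs or BCRs) or a transfer impact assessment, and notes special-category data leaving the EEA so that supplementary measures get recorded. The country sets, the rule set (only the EEA-origin rule is modelled) and the partial adequacy list are assumptions for illustration and will go stale; replace them with current legal data before relying on the output.

```python
"""Check a data-flow register for cross-border transfers without a
documented transfer mechanism or transfer impact assessment (TIA).

Added example, not from the article or ISO/IEC 27701. Country lists,
rules and register entries are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumed, partial reference data; replace with current legal sources.
EEA = {"AT", "DE", "FR", "IE", "IT", "NL", "SE"}
ADEQUATE_FROM_EEA = {"CH", "GB", "JP", "KR"}      # partial adequacy list
SAFEGUARDS = {"SCC", "BCR"}                        # Art. 46 mechanisms accepted here
SPECIAL_CATEGORIES = {"health", "biometric", "genetic", "political_opinion"}


@dataclass(frozen=True)
class Flow:
    name: str
    source: str                   # ISO 3166-1 alpha-2 country of origin
    destination: str
    categories: tuple[str, ...]   # data categories carried by the flow
    mechanism: str | None = None  # "SCC", "BCR", "adequacy" or None
    tia_done: bool = False


@dataclass(frozen=True)
class Finding:
    flow: str
    severity: str   # "high", "medium" or "info"
    message: str


def classify(flow: Flow) -> str:
    """Transfer class under the modelled EEA-origin rule."""
    if flow.source not in EEA:
        return "unmodelled"       # non-EEA origin: other laws apply, not checked here
    if flow.destination in EEA:
        return "intra_eea"
    if flow.destination in ADEQUATE_FROM_EEA:
        return "adequacy"
    return "restricted"


def check_flow(flow: Flow) -> list[Finding]:
    """Apply the register rules to one flow."""
    kind = classify(flow)
    route = f"{flow.source}->{flow.destination}"
    findings: list[Finding] = []
    if kind == "unmodelled":
        findings.append(Finding(flow.name, "info", f"{route}: non-EEA origin, rule not modelled"))
    elif kind == "restricted":
        if flow.mechanism not in SAFEGUARDS:
            findings.append(Finding(flow.name, "high", f"{route}: no SCC/BCR recorded"))
        if not flow.tia_done:
            findings.append(Finding(flow.name, "high", f"{route}: no transfer impact assessment"))
        if set(flow.categories) & SPECIAL_CATEGORIES:
            findings.append(Finding(flow.name, "medium",
                                    f"{route}: special-category data, record supplementary measures"))
    return findings


def check_register(flows: list[Flow]) -> list[Finding]:
    return [f for flow in flows for f in check_flow(flow)]


def destinations_outside_eea(flows: list[Flow]) -> set[str]:
    """Answer 'where does EEA-origin data go?' for the data-flow map."""
    return {f.destination for f in flows if f.source in EEA and f.destination not in EEA}


# Constructed register; not real systems or vendors.
REGISTER = [
    Flow("crm-sync", "IE", "US", ("name", "email"), mechanism="SCC", tia_done=True),
    Flow("payroll-export", "DE", "IN", ("name", "bank_account")),
    Flow("web-analytics", "FR", "GB", ("ip_address",), mechanism="adequacy"),
    Flow("support-tickets", "NL", "US", ("name", "email"), mechanism="SCC"),
    Flow("backup-replica", "SE", "DE", ("name", "email")),
    Flow("telehealth-notes", "IE", "US", ("health",), mechanism="SCC", tia_done=True),
    Flow("us-only-archive", "US", "CA", ("name",)),
]

if __name__ == "__main__":
    for finding in check_register(REGISTER):
        print(f"[{finding.severity:6}] {finding.flow}: {finding.message}")
    print("non-EEA destinations:", sorted(destinations_outside_eea(REGISTER)))
```

Running it against the constructed register reports the payroll export (no mechanism, no TIA), the support-ticket flow (SCCs but no TIA), the telehealth flow (special-category data) and the out-of-scope US-origin flow; the CRM sync, the intra-EEA backup and the adequacy-covered analytics flow pass. The "info" finding for unmodelled origins is deliberate: a register check that silently ignores flows it cannot classify hides exactly the gaps an auditor will ask about.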

7. Integrate with existing management systems

If you’re already certified for ISO 27001, ISO 9001, or other management standards, look for integration opportunities. The High-Level Structure makes this easier, but it still requires deliberate planning. Avoid duplicating documentation, but don’t assume privacy requirements are automatically covered by security or quality controls.
