A client recently asked me whether their ISO 27001 certification was enough to meet Bill 25 requirements.
My short answer: no. ISO 27001 protects information.
ISO/IEC 27701 protects personal information.
If your organization collects, processes, or retains personal information — whether from your clients, your employees, or your clients’ customers — this standard concerns you directly.
A bit of history
The standard first circulated under the name ISO/IEC 27552 starting in 2016, before being formally integrated into the ISO family and published on August 6, 2019 under its current number.
The “01” at the end of the number is not accidental — in ISO nomenclature, it indicates that the standard contains certifiable requirements, not just guidelines.
You can therefore have your personal information management programme audited and certified by an accredited certification body.
Originally developed as an extension of ISO/IEC 27001 and ISO/IEC 27002, ISO/IEC 27701 helps organizations establish and maintain personal data management systems in line with privacy protection principles worldwide.
What changed in 2025
The 2025 update replaces the 2019 version and introduces structural and conceptual changes that make the PIMS framework clearer, more flexible, and easier to integrate into different types of organizations.
The most significant change: ISO/IEC 27701:2025 is now a standalone standard.
You no longer need to be ISO 27001 certified to obtain ISO 27701:2025 certification. The standard can now be implemented and certified independently.
This allows smaller organizations or those less focused on security to adopt ISO 27701 without the obligations of a full information security management system.
That said, for the vast majority of organizations already managing ISO 27001, integrating the two standards remains the most efficient path.
What exactly is personal information?
Personal information (PII — Personally Identifiable Information) is any information that allows a specific person to be identified, directly or indirectly.
Name, address, phone number, email address, IP address, location data, medical information, biometric data — all of these are personal information.
What makes managing this data complex is that an organization can have two distinct roles:
- Data controller (PII Controller): you decide why and how data is collected and used
- Data processor (PII Processor): you process data on behalf of another organization
ISO/IEC 27701 addresses both roles, with distinct controls depending on your position.
The 2025 standard structure
The 2025 version adopts the harmonized Annex SL structure, common to all ISO management system standards. If you know ISO 27001, you will immediately recognize the layout.
The main clauses:
- Clause 4 — Context of the organization: define PIMS scope, interested parties, and your role (controller or processor)
- Clause 5 — Leadership: the standard requires management to establish clear commitment to the PIMS
- Clause 6 — Planning: identify risks and opportunities related to personal information protection, define a risk assessment process, and create a statement of applicability documenting selected controls
- Clause 7 — Support: resources, competencies, awareness, and documentation
- Clause 8 — Operation: control implementation, privacy incident management, impact assessments (PIA)
- Clause 9 — Performance evaluation: internal audits, management review
- Clause 10 — Improvement: non-conformity treatment and continual improvement
The annexes have been restructured. The new structure includes 31 privacy protection controls for controllers, 18 for processors, and 29 information security controls.
What this means for your Bill 25 compliance
ISO/IEC 27701 is not a substitute for Bill 25. It is a framework that helps you demonstrate that you have taken structured, auditable measures to protect personal information.
The standard improves the mapping between its controls and the requirements of regulations such as GDPR, CCPA, and other laws, enabling a single, coherent governance model for international operations.
In practice, ISO/IEC 27701 certification gives you:
- Structured, third-party verifiable proof that you manage personal information seriously
- A framework for responding to data subject rights: access, rectification, deletion
- A solid basis for your privacy impact assessments (PIAs), required by Bill 25 for high-risk projects
- An advantage in tenders where clients assess your data protection maturity
If you are certified to ISO 27701:2019, what should you do?
Organizations certified under the 2019 version have until October 2028 to transition to the 2025 version.
Certification bodies are still awaiting formal IAF directives before they can begin transition audits, so no immediate action is required. But this is the time to start your gap analysis.
In short, ISO/IEC 27701 answers a question your clients, partners, and the Commission d’accès à l’information will inevitably ask you: how do you demonstrate that you protect personal information in a systematic, verifiable way?
Good intentions and a policy in a drawer are no longer enough. A structured, audited, and certified programme — yes.