New ISO/IEC 27701:2025 Standard

It’s done — the ISO/IEC 27701:2025 standard has finally been published.

For everyone who has worked with ISO/IEC 27001:2022 and ISO/IEC 27701:2019, this update was long awaited.

I’ll admit it was difficult working with the 2019 version, since the two versions were out of sync, which complicated compliance and especially integration between the two.

But that is now a thing of the past. The 2025 version fixes this and is fully aligned with the structure and terminology of ISO/IEC 27001:2022.


Now a Standalone Standard

This is the most important change: ISO/IEC 27701:2025 is no longer an extension of ISO 27001, but a standalone standard.

It is now possible to certify a PIMS (Privacy Information Management System) without having or maintaining a full ISMS.

Privacy is now recognized as a governance domain in its own right, like information security.

Integration with other ISO standards (ISO 27001, ISO 9001, etc.) remains possible and straightforward.

New Structures and Annexes

Clauses 4 to 10 have been redesigned to provide a framework suited to privacy management. The structure remains familiar, but each clause is now formulated for the PIMS.

  • Annex A: Merges the obligations of controllers (C) and processors (P) into a single, simplified section.
  • Annex B: A major addition that provides concrete implementation guidance (as ISO/IEC 27002 does for ISO/IEC 27001), with examples of policies, DPIAs (data protection impact assessments), consent management, and incident notification.
  • Annex C: Explicit mapping to other regulatory frameworks (GDPR, LGPD, CCPA, etc.).

Other Requirements and Expanded Obligations

The standard introduces several key new obligations:

  • Clause 4.3 — Scope definition: The requirement to align with ISO 27001 has been removed.
  • Clause 5.2 — Privacy policy: Now mandatory.
  • Clause 5.3 — Roles and responsibilities: Clearly defined roles are required.
  • Clause 6.1 — Privacy risk management: Introduction of a specific privacy risk management approach.
  • Clauses 6.2 and 9.1 — Objectives and indicators (KPIs): Objectives must be measurable, tracked, and clearly reported.

Taken together, these changes increase traceability and accountability, especially for DPOs and CISOs.

Global Vision

While the 2019 version was closely aligned with or inspired by the GDPR, the 2025 version adopts an international vision.

It now covers:

  • the GDPR (Europe),
  • the CCPA (California),
  • the LGPD (Brazil),
  • as well as other frameworks in Africa, the Middle East, and Asia.

This global approach allows organizations to have a single certified, coherent framework that works worldwide for managing personal data compliance across multiple jurisdictions.


New Themes and Technical Requirements

The standard also covers topics the 2019 version did not really address:

  • Privacy protection in AI: Transparency, minimization, and consent requirements for algorithmic systems.
  • Cross-border data transfers: Strengthened obligations for documentation, contractual clauses, and risk assessment.
  • Biometric data protection: Facial recognition, fingerprints, voice, etc.
  • Remote work and BYOD: New requirements for securing personal environments.

Publication Date and Transition Period

As with any other ISO standard, organizations have a three-year transition period to comply with the new requirements.

This period begins today: October 14, 2025.

The 2025 edition marks a significant evolution — more modern and easier to integrate. It establishes privacy protection as an independent, strategic governance domain.

ISO reference: https://www.iso.org/standard/27701
