ISO/IEC 27701:2025 — Information security, cybersecurity and privacy protection — Privacy information management systems — Requirements and guidance was published on 14 October 2025 by ISO/IEC JTC 1/SC 27, replacing ISO/IEC 27701:2019. The transition window closes in October 2028 (a 3-year window).
The most significant change is architectural: ISO/IEC 27701:2025 transforms the standard from an extension of ISO/IEC 27001 (requiring ISMS as foundation) to a standalone management system standard that can be certified independently. This fundamentally changes certification strategy and accessibility for organizations whose primary need is privacy management.
Strategic implication: Organizations without ISO/IEC 27001 — or those who do not need full information security certification — can now pursue ISO/IEC 27701:2025 alone. SOC 2 + ISO/IEC 27701:2025 becomes a viable combination. SMBs, public-sector entities, and privacy-focused organizations gain accessible privacy certification.
Cross-reference: This is the dedicated Transition Page. For ISO/IEC 27701 fundamentals, certification pathway, sector applicability, and pricing, see → ISO 27701 Privacy Information Management System.
| Item | Status |
|---|---|
| Previous edition | ISO/IEC 27701:2019 (extension to ISO/IEC 27001 and ISO/IEC 27002) |
| Current edition (NEW) | ISO/IEC 27701:2025 — published 14 October 2025 (STANDALONE) |
| ISO publication stage | Stage 60 (Publication) — current edition |
| Publication date | 14 October 2025 |
| Transition deadline | October 2028 (3-year transition window) |
| Existing 2019 certificates | Valid until October 2028, or earlier expiry of the 3-year cycle, whichever is sooner |
| Architectural change | MAJOR — extension to ISO 27001 → STANDALONE management system |
| Affected organisations | All ISO/IEC 27701:2019 certificate holders globally |
| Issuing technical committee | ISO/IEC JTC 1/SC 27 — Information security, cybersecurity and privacy protection |
| Edition number | Second edition (replaces first edition, 2019) |
| New companion CB standard | ISO/IEC 27706:2025 — replaces ISO/IEC TS 27006-2:2021 for certification bodies |
| Guardian transition service | Available 2026 — combined audits, standalone transition, new applicant standalone certifications |
| Tier | Tier 2 — UAF/IAS via Guardian Assessment under IAF MLA |
ISO/IEC 27701:2025 introduces fundamental changes — most significantly the architectural shift from extension to standalone, plus structural and content updates:
The most impactful change. ISO/IEC 27701:2025 is no longer an extension of ISO/IEC 27001 and ISO/IEC 27002. It is now a complete, standalone management system standard.
ISO/IEC 27701:2025 adopts the standard ISO management system framework structure:
This makes ISO/IEC 27701:2025 fully compatible with ISO 9001, ISO/IEC 27001, ISO/IEC 42001, and other ISO management system standards.
Significant restructure. Controls for PII Controllers and PII Processors — previously in separate Annex A and Annex B — are now consolidated:
Privacy controls themselves remain substantially the same in content, but the consolidated structure reduces duplication and improves clarity.
Significant simplification. ISO/IEC 27701:2025 includes only 29 information security controls taken from ISO/IEC 27001:2022 — specifically those with direct or potential privacy impact:
Recognizing rapid evolution of digital ecosystems and AI:
ISO/IEC 27701:2025 strengthens privacy as a leadership and governance topic:
ISO/IEC 27701:2025 explicitly aligns with global privacy regulatory landscape:
For certification bodies, not organizations directly. ISO/IEC 27706:2025 — “Requirements for bodies providing audit and certification of privacy information management systems” — replaces ISO/IEC TS 27006-2:2021:
| Element | ISO/IEC 27701:2019 (previous) | ISO/IEC 27701:2025 (current) |
|---|---|---|
| Title | “Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines” | “Information security, cybersecurity and privacy protection — Privacy information management systems — Requirements and guidance” |
| Architecture | Extension of ISO/IEC 27001 — required an ISMS as prerequisite | STANDALONE management system standard |
| ISO 27001 prerequisite? | YES — required ISO/IEC 27001 certification | NO — can be certified independently |
| Clause structure | Sections 5-8 (extension structure with PIMS-specific guidance) | Clauses 4-10 (standard ISO management system structure) + Clause 11 |
| Annex structure | Annex A (31 controls for PII Controllers) + Annex B (18 controls for PII Processors) | Consolidated A.1 (common) + A.2 (Controllers) + A.3 (Processors) |
| Information security controls | References all 114 controls of ISO/IEC 27002:2013 | 29 focused controls selected for direct privacy impact |
| AI / digital ecosystems | Limited explicit guidance | Explicit guidance on AI and digital ecosystem PII management |
| Performance evaluation | Inherited from ISO 27001 (no separate clause) | Explicit Clause 9 (internal audit, management review) |
| Improvement | Inherited from ISO 27001 (no separate clause) | Explicit Clause 10 (continual improvement, corrective action) |
| CB requirements | ISO/IEC TS 27006-2:2021 (Technical Specification) | ISO/IEC 27706:2025 (full International Standard) |
| Privacy controls (substance) | Privacy controls and requirements | Substantially the same content, restructured presentation |
| Date | Milestone |
|---|---|
| 14 October 2025 | ISO/IEC 27701:2025 PUBLISHED · ISO/IEC 27706:2025 PUBLISHED (CB requirements) · 3-year transition window begins |
| Late 2025 – Q1 2026 | Accreditation bodies issue formal transition rules. CBs (including Guardian Assessment) transition to ISO/IEC 27706:2025 accreditation. |
| 2026 onwards | Guardian offers ISO/IEC 27701:2025 transition audits combined with surveillance visits. New applicants can certify directly to the standalone 2025 edition. |
| October 2026 | Year 1 of transition. Most early-adopter clients complete transition. |
| October 2027 | Year 2 of transition. Pace of transitions accelerates. |
| October 2028 | TRANSITION DEADLINE. After this date, ISO/IEC 27701:2019 certificates expire. |
Plan your transition. Guardian recommends scheduling transition audits before Q3 2028 to avoid end-of-window capacity constraints.
The following organizations must complete transition before October 2028:
MAJOR OPPORTUNITY for organisations whose primary need is privacy management. ISO/IEC 27701:2025 standalone status changes the certification landscape.
| Scenario | Recommended Path |
|---|---|
| No ISO 27001, want privacy certification | ISO/IEC 27701:2025 standalone — major opportunity. No need for an ISO 27001 prerequisite. |
| Have SOC 2 (or equivalent), want privacy | SOC 2 + ISO/IEC 27701:2025 — viable combination. Security via SOC 2, privacy via ISO 27701. |
| Already have ISO 27001, adding privacy | Either ISO/IEC 27701:2019 or 2025. The new 2025 standalone may be simpler given a fresh start. |
| Strategic full-stack: ISMS + PIMS | ISO 27001 + ISO/IEC 27701:2025 — combined audit programmes still beneficial. |
| SMB or public sector with limited resources | ISO/IEC 27701:2025 standalone — accessible privacy certification without ISMS overhead. |
| EdTech or platform with minor learner data | ISO/IEC 27701:2025 standalone + ISO 21001 (educational organizations). |
Option A — Combined transition + surveillance: recommended for most existing clients.
Option B — Combined transition + recertification: optimal for clients due for recertification within the transition window.
Option C — Standalone transition audit: available where surveillance/recertification timing doesn’t align.
Option D — Decoupling: for 2019 extension clients considering moving to a standalone PIMS.
Indicative pricing range for transition audit only: QAR 4,000 – 15,000 depending on organization size and audit option chosen. Combined audits most cost-effective. Final pricing per IAF MD 5 + ISO/IEC 27706 calculation.
| Element | Impact |
|---|---|
| Audit time | Combined: +0.5-1.5 days on surveillance · Standalone: ~50-70% of original Stage 2 |
| Audit fee (Guardian) | Combined: ~10-25% premium over surveillance · Standalone: full audit fee per IAF MD 5 |
| Internal preparation | Typically 150-300 person-hours · Higher for substantial architectural restructure |
| Documentation revisions | Significant — full restructure into Clauses 4-10 · Annex consolidation · AI guidance integration · Title and references update |
| New procedures | Performance evaluation (Clause 9) · Improvement (Clause 10) — if previously inherited from ISO 27001 |
| Strategic considerations | Decision on standalone vs combined with ISO 27001 · Implications for SOC 2 + ISO 27701 strategy · AI governance integration |
Risk: Continuing to assume privacy certification requires ISMS. Mitigation: Review whether your organization’s needs are best served by standalone ISO/IEC 27701:2025 or combined ISMS + PIMS approach. Standalone is now a viable strategic option. Organizations can still pair privacy certification with ISO 27001 information security certification where a full ISMS adds business value.
Risk: Treating transition as light update. The architectural change requires significant documentation restructure into Clauses 4-10 format. Mitigation: Plan substantial documentation effort. Consider this an opportunity to strengthen documentation quality.
Risk: Failing to map existing Annex A (Controllers) and Annex B (Processors) controls to new consolidated A.1, A.2, A.3 structure. Mitigation: Map control-by-control during gap analysis. Update Statement of Applicability accordingly.
Risk: Many organizations now process PII through AI systems without explicit governance. ISO/IEC 27701:2025 introduces requirements for these contexts. Mitigation: Inventory AI systems and digital ecosystem PII flows. Establish governance aligned with new guidance.
Risk: Continuing with a CB that hasn’t transitioned to ISO/IEC 27706:2025 accreditation. Mitigation: Verify that your CB has updated its accreditation to ISO/IEC 27706:2025 before scheduling a transition audit. Guardian Assessment is transitioning during 2026.
Risk: Organizations holding ISO 27001 only as ISO 27701 prerequisite continue paying for ISMS they don’t strategically need. Mitigation: Review strategic value of ISO 27001 for your organisation. Standalone ISO/IEC 27701:2025 may be sufficient if security is adequately addressed by other frameworks (SOC 2, sector-specific).
For new applicants, Guardian offers direct certification to ISO/IEC 27701:2025 standalone — particularly attractive for SMBs, public-sector entities, EdTech, healthcare, and privacy-focused organisations.
Guardian Middle East LLC | Serving the Middle East
QFC Licence 03870 · Doha, Qatar
October 2028 — three years from the publication date of 14 October 2025. This is the standard ISO transition window.
No. This is the most significant change: ISO/IEC 27701:2025 is standalone and can be certified independently of ISO/IEC 27001, a major opportunity for privacy-focused organisations.
Yes, during the transition window (until October 2028), but with caveats. New initial certifications can still be issued to the 2019 edition; however, you would then need to transition before October 2028. For most new applicants, certifying directly to ISO/IEC 27701:2025 is strongly recommended.
ISO/IEC 27706:2025 is the new standard establishing requirements for certification bodies providing ISO/IEC 27701 certification. It replaces ISO/IEC TS 27006-2:2021 (a Technical Specification) and is now a full International Standard. Implication: verify that your CB has transitioned to ISO/IEC 27706:2025 accreditation.
Four options: (A) Combined transition + surveillance — recommended for most clients · (B) Combined transition + recertification — optimal if recertification falls within transition window · (C) Standalone transition audit — for urgent timing · (D) Decoupling — strategic option for clients moving from combined ISO 27001 + ISO 27701 to standalone ISO 27701.
Strategic decision. If ISO 27001 was obtained primarily as ISO 27701 prerequisite, standalone ISO/IEC 27701:2025 may suffice. If ISO 27001 has independent strategic value (security expectations, customer requirements), retain both. Discuss with Guardian.
ISO/IEC 27701:2025 introduces guidance on managing PII within AI systems and digital ecosystems. Pairs particularly well with ISO/IEC 42001:2023 (AI Management System) for organizations deploying AI.
Yes, throughout the transition (until October 2028); both editions are valid. Towards the end of the window, tenders may begin specifying the 2025 edition, so we recommend transitioning before Q3 2028.
The substantive privacy control requirements remain largely the same in content. The major changes are architectural: structural reorganization, consolidation, and standalone status. Existing privacy practices remain largely valid — primarily restructured presentation.
Guardian provides: (1) Strategic decision support (standalone vs combined) · (2) Pre-audit gap analysis · (3) Combined audit options · (4) Trained auditors with privacy sector competence · (5) Coordination with related certifications (ISO 27001, ISO 42001, ISO 21001) · (6) ISO/IEC 27706:2025 accreditation transition during 2026.