Guardian Middle East LLC

ISO/IEC 27701:2025 Transition — Standalone Privacy Standard

ISO/IEC 27701:2025 — Information security, cybersecurity and privacy protection — Privacy information management systems — Requirements and guidance was published on 14 October 2025 by ISO/IEC JTC 1/SC 27, replacing ISO/IEC 27701:2019. The transition window closes in October 2028 (three years from publication).

The most significant change is architectural: ISO/IEC 27701:2025 transforms the standard from an extension of ISO/IEC 27001 (requiring ISMS as foundation) to a standalone management system standard that can be certified independently. This fundamentally changes certification strategy and accessibility for organizations whose primary need is privacy management.

Strategic implication: Organizations without ISO/IEC 27001 — or those who do not need full information security certification — can now pursue ISO/IEC 27701:2025 alone. SOC 2 + ISO/IEC 27701:2025 becomes a viable combination. SMBs, public-sector entities, and privacy-focused organizations gain accessible privacy certification.

Cross-reference: this is the dedicated transition page. For ISO/IEC 27701 fundamentals, certification pathway, sector applicability and pricing, see → ISO 27701 Privacy Information Management System.

TRANSITION AT A GLANCE

Item: Status
Previous edition: ISO/IEC 27701:2019 (extension to ISO/IEC 27001 and ISO/IEC 27002)
Current edition (NEW): ISO/IEC 27701:2025, published 14 October 2025 (STANDALONE)
ISO publication stage: Stage 60 (Publication), current edition
Publication date: 14 October 2025
Transition deadline: October 2028 (three-year transition window)
Existing 2019 certificates: valid until the end of their current three-year cycle or October 2028, whichever comes first
Architectural change: MAJOR, from extension to ISO 27001 to STANDALONE management system
Affected organisations: all ISO/IEC 27701:2019 certificate holders globally
Issuing technical committee: ISO/IEC JTC 1/SC 27, Information security, cybersecurity and privacy protection
Edition number: second edition (replaces the first edition, 2019)
New companion CB standard: ISO/IEC 27706:2025, replaces ISO/IEC TS 27006-2:2021 for certification bodies
Guardian transition service: available 2026; combined audits, standalone transition, new-applicant standalone certifications
Tier: Tier 2, UAF/IAS via Guardian Assessment under IAF MLA

KEY CHANGES IN ISO/IEC 27701:2025

ISO/IEC 27701:2025 introduces fundamental changes — most significantly the architectural shift from extension to standalone, plus structural and content updates:

Change 1: STANDALONE STATUS (Most Significant)

The most impactful change. ISO/IEC 27701:2025 is no longer an extension of ISO/IEC 27001 and ISO/IEC 27002. It is now a complete, standalone management system standard.

  • Old structure: “Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management”
  • New structure: “Privacy information management systems — Requirements and guidance”
  • Strategic impact: Organizations without ISO/IEC 27001 can now pursue ISO/IEC 27701 independently
  • Lower barrier to entry: Particularly accessible for SMBs, SaaS companies, public-sector entities, NGOs
  • New configurations possible: SOC 2 (security) + ISO/IEC 27701:2025 (privacy) becomes viable

Change 2: Restructured Clauses 4-10

ISO/IEC 27701:2025 adopts the standard ISO management system framework structure:

  • Clause 4 — Context of the organization
  • Clause 5 — Leadership
  • Clause 6 — Planning
  • Clause 7 — Support
  • Clause 8 — Operation
  • Clause 9 — Performance evaluation (now stated in full; the 2019 edition inherited it from ISO/IEC 27001)
  • Clause 10 — Improvement (now stated in full; previously inherited from ISO/IEC 27001)
  • Clause 11 — Further information on annexes (new)

This is the ISO Harmonized Structure shared by ISO 9001, ISO/IEC 27001, ISO/IEC 42001 and other ISO management system standards, so ISO/IEC 27701:2025 integrates with them directly.

Change 3: Annex A Consolidation

Significant restructure. Controls for PII Controllers and PII Processors — previously in separate Annex A and Annex B — are now consolidated:

  • A.1 — Controls common to PII Controllers and Processors
  • A.2 — Additional controls specific to PII Controllers
  • A.3 — Additional controls specific to PII Processors

Privacy controls themselves remain substantially the same in content, but the consolidated structure reduces duplication and improves clarity.

Change 4: Focused Information Security Controls

Significant simplification. ISO/IEC 27701:2025 includes only 29 information security controls, drawn from the ISO/IEC 27001:2022 control set, specifically those with a direct or potential privacy impact:

  • Old approach: ISO/IEC 27701:2019 applied PIMS-specific guidance across all 114 controls of ISO/IEC 27002:2013 (the 2022 editions of ISO/IEC 27001 and 27002 consolidated these to 93)
  • New approach: 29 focused controls selected for privacy relevance
  • Benefit: privacy-focused organizations do not carry the full ISMS control burden
  • Maintained alignment: where an organization operates a full ISMS under ISO 27001, integration remains straightforward

Change 5: AI and Digital Ecosystem Guidance

Recognizing the rapid evolution of digital ecosystems and AI, the 2025 edition adds:

  • Greater clarity on managing PII within AI systems
  • Digital ecosystem considerations — platform privacy, third-party APIs, data flows
  • Alignment with ISO/IEC 42001 (AI Management System)
  • Modern data ecosystem consideration in privacy risk assessment

Change 6: Stronger Leadership and Governance Focus

ISO/IEC 27701:2025 strengthens privacy as a leadership and governance topic:

  • Embedding privacy into broader organizational strategy
  • Privacy by design and default integrated throughout
  • Continual improvement explicit (Clause 10)
  • Performance evaluation explicit (Clause 9 — internal audit, management review)

Change 7: Enhanced Global Privacy Regulation Alignment

ISO/IEC 27701:2025 is written to be mapped onto the current regulatory landscape rather than onto any single law; organisations map its controls to the regulations that apply to them, for example:

  • EU GDPR — refined alignment with regulatory expectations
  • California CCPA/CPRA — US state privacy laws
  • Brazil LGPD — Latin American privacy laws
  • Qatar PDPPL (Law No. 13 of 2016), UAE PDPL (Federal Decree-Law No. 45 of 2021), Saudi PDPL — Gulf region
  • APAC privacy regulations — regional frameworks

Change 8: New Companion Standard ISO/IEC 27706:2025

For certification bodies, not organizations directly. ISO/IEC 27706:2025 — “Requirements for bodies providing audit and certification of privacy information management systems” — replaces ISO/IEC TS 27006-2:2021:

  • Full standard status (was previously a Technical Specification)
  • Aligned with ISO/IEC 17021-1
  • Annexes A, B, C — audit planning, competence, assessment methodologies
  • Implication for clients: verify that your CB's accreditation scope has been updated to ISO/IEC 27706:2025 (check the CB's entry on its accreditation body's public register) before scheduling a transition audit

SIDE-BY-SIDE COMPARISON — 2019 vs 2025

Title
  2019: “Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines”
  2025: “Information security, cybersecurity and privacy protection — Privacy information management systems — Requirements and guidance”

Architecture
  2019: extension of ISO/IEC 27001; required an ISMS as prerequisite
  2025: STANDALONE management system standard

ISO 27001 prerequisite?
  2019: YES, ISO/IEC 27001 certification required
  2025: NO, can be certified independently

Clause structure
  2019: sections 5-8 (extension structure with PIMS-specific guidance)
  2025: clauses 4-10 (standard ISO management system structure) plus clause 11

Annex structure
  2019: Annex A (31 controls for PII Controllers) + Annex B (18 controls for PII Processors)
  2025: consolidated A.1 (common) + A.2 (Controllers) + A.3 (Processors)

Information security controls
  2019: references all 114 controls of ISO/IEC 27002:2013
  2025: 29 focused controls selected for direct privacy impact

AI / digital ecosystems
  2019: limited explicit guidance
  2025: explicit guidance on AI and digital ecosystem PII management

Performance evaluation
  2019: inherited from ISO 27001 (no separate clause)
  2025: explicit Clause 9 (internal audit, management review)

Improvement
  2019: inherited from ISO 27001 (no separate clause)
  2025: explicit Clause 10 (continual improvement, corrective action)

CB requirements
  2019: ISO/IEC TS 27006-2:2021 (Technical Specification)
  2025: ISO/IEC 27706:2025 (full International Standard)

Privacy controls (substance)
  2019: privacy controls and requirements
  2025: substantially the same content, restructured presentation


TRANSITION TIMELINE

Date: Milestone
14 October 2025: ISO/IEC 27701:2025 published; ISO/IEC 27706:2025 (CB requirements) published; three-year transition window begins.
Late 2025 – Q1 2026: accreditation bodies issue formal transition rules; CBs (including Guardian Assessment) transition to ISO/IEC 27706:2025 accreditation.
2026 onwards: Guardian offers ISO/IEC 27701:2025 transition audits combined with surveillance visits; new applicants can certify directly to the standalone 2025 edition.
October 2026: year 1 of transition; most early-adopter clients complete transition.
October 2027: year 2 of transition; pace of transitions accelerates.
October 2028: TRANSITION DEADLINE. After this date, ISO/IEC 27701:2019 certificates expire.

Plan your transition. Guardian recommends scheduling transition audits before Q3 2028 to avoid end-of-window capacity constraints.

WHO MUST TRANSITION?

The following organizations must complete transition before October 2028:

  • All current ISO/IEC 27701:2019 certificate holders globally
  • Guardian's Tier 2 ISO 27701 clients in Qatar

Organizations that reference ISO 27701 in customer/B2B contracts or in privacy compliance disclosures should also check which edition those references name and update them as part of the transition.

If you do NOT transition before October 2028:

  • Your ISO/IEC 27701:2019 certificate will be withdrawn
  • You will need to undergo a full new initial certification audit to ISO/IEC 27701:2025
  • Continuity of certification status will be lost
  • Cost of late transition is significantly higher than planned transition

NEW APPLICANT GUIDANCE — STANDALONE PATH NOW AVAILABLE

MAJOR OPPORTUNITY for organisations whose primary need is privacy management. ISO/IEC 27701:2025 standalone status changes the certification landscape.

Scenario: Recommended path
No ISO 27001, want privacy certification: ISO/IEC 27701:2025 standalone. No ISO 27001 prerequisite.
Have SOC 2 (or equivalent), want privacy: SOC 2 + ISO/IEC 27701:2025. Security via SOC 2, privacy via ISO 27701.
Already have ISO 27001, adding privacy: either edition remains available during the window, but a 2019 certificate would itself have to be transitioned before October 2028; certify to ISO/IEC 27701:2025 unless a specific contractual reason requires otherwise.
Strategic full-stack, ISMS + PIMS: ISO 27001 + ISO/IEC 27701:2025; combined audit programmes remain beneficial.
SMB or public sector with limited resources: ISO/IEC 27701:2025 standalone; accessible privacy certification without ISMS overhead.
EdTech or platform processing minors' learner data: ISO/IEC 27701:2025 standalone + ISO 21001 (educational organizations).

TRANSITION AUDIT OPTIONS

Option A: Combined Transition + Surveillance Audit

Recommended for most existing clients.

  • Single audit covers the normal surveillance scope AND the transition assessment
  • Additional audit time: typically 0.5-1.5 days on top of standard surveillance
  • Cost: significantly lower than a standalone transition audit
  • Outcome: certificate revised to ISO/IEC 27701:2025

Option B: Combined Transition + Recertification Audit

Optimal for clients due for recertification within the transition window.

  • Recertification audit conducted entirely against ISO/IEC 27701:2025
  • Most efficient path
  • Outcome: new three-year certificate to ISO/IEC 27701:2025

Option C: Standalone Transition Audit

Available where surveillance/recertification timing does not align.

  • Dedicated audit assessing conformance to the 2025 changes
  • Audit duration: typically 50-70% of the original Stage 2 duration (the architectural change is significant)

Option D: Decoupling from ISO 27001 (Strategic)

For 2019 extension clients considering a move to a standalone PIMS.

  • Existing ISO 27001 + ISO 27701:2019 → standalone ISO 27701:2025 (without ISO 27001)
  • Useful for organizations that obtained ISO 27001 only as the ISO 27701 prerequisite
  • Allows organizations to retain ISO 27001 OR move to standalone privacy certification

Indicative pricing range for the transition audit only: QAR 4,000 – 15,000 depending on organization size and audit option chosen. Combined audits are the most cost-effective. Final pricing per IAF MD 5 + ISO/IEC 27706 calculation.

IMPLEMENTATION PLAN — 6-PHASE APPROACH

Phase 1: Strategic Decision (Month 1)

  • Decide: continue with combined ISO 27001 + ISO 27701, OR move to standalone ISO 27701
  • Brief leadership on architectural change implications
  • Identify any business case for decoupling (Option D above)

Phase 2: Gap Analysis (Months 2-3)

  • Compare existing PIMS against ISO/IEC 27701:2025 requirements
  • Map current implementation to new Clauses 4-10 structure
  • Identify gaps in: AI/digital ecosystem provisions, standalone Clauses 9 (Performance Evaluation) and 10 (Improvement)
  • Assess whether 29 focused security controls vs broader ISO 27001 reference is sufficient

Phase 3: Documentation Updates (Months 3-5)

  • Restructure PIMS Manual into Clauses 4-10 format
  • Consolidate Annex A controls (Controllers + Processors → A.1, A.2, A.3)
  • Update title and references
  • Add AI / digital ecosystem privacy considerations
  • Strengthen leadership and governance documentation

Phase 4: Implementation & Training (Months 4-6)

  • Roll out updated processes
  • Conduct staff awareness on architectural change
  • Update internal auditor training to ISO/IEC 27701:2025
  • Engage AI/data science teams (if applicable) on privacy in AI systems

Phase 5: Internal Audit & Management Review (Months 6-7)

  • Conduct internal audit to ISO/IEC 27701:2025
  • Hold management review with transition readiness focus
  • Address findings

Phase 6: Transition Audit (Months 7-9)

  • Schedule transition audit (combined with surveillance/recertification where possible)
  • Verify CB has transitioned to ISO/IEC 27706:2025 accreditation
  • Address any nonconformities
  • Certificate revised to ISO/IEC 27701:2025

COST & EFFORT INDICATORS

Element: Impact
Audit time: combined, +0.5-1.5 days on surveillance; standalone, ~50-70% of original Stage 2
Audit fee (Guardian): combined, ~10-25% premium over surveillance; standalone, full audit fee per IAF MD 5
Internal preparation: typically 150-300 person-hours; higher for a substantial architectural restructure
Documentation revisions: significant; full restructure into Clauses 4-10, Annex consolidation, AI guidance integration, title and references update
New procedures: performance evaluation (Clause 9) and improvement (Clause 10), if previously inherited from ISO 27001
Strategic considerations: decision on standalone vs combined with ISO 27001; implications for SOC 2 + ISO 27701 strategy; AI governance integration

Indicative pricing for Guardian transition audit only: QAR 4,000 – 15,000. Combined audits most cost-effective.

COMMON TRANSITION PITFALLS

Pitfall 1: Assuming ISO 27001 Is Still Required

Risk: Continuing to assume privacy certification requires ISMS. Mitigation: Review whether your organization’s needs are best served by standalone ISO/IEC 27701:2025 or combined ISMS + PIMS approach. Standalone is now a viable strategic option. Organizations can still pair privacy certification with ISO 27001 information security certification where a full ISMS adds business value.

Pitfall 2: Underestimating Documentation Restructure Effort

Risk: Treating transition as light update. The architectural change requires significant documentation restructure into Clauses 4-10 format. Mitigation: Plan substantial documentation effort. Consider this an opportunity to strengthen documentation quality.

Pitfall 3: Missing Annex Consolidation Impact

Risk: Failing to map existing Annex A (Controllers) and Annex B (Processors) controls to new consolidated A.1, A.2, A.3 structure. Mitigation: Map control-by-control during gap analysis. Update Statement of Applicability accordingly.

Pitfall 4: Ignoring AI/Digital Ecosystem Guidance

Risk: Many organizations now process PII through AI systems without explicit governance. ISO/IEC 27701:2025 introduces requirements for these contexts. Mitigation: Inventory AI systems and digital ecosystem PII flows. Establish governance aligned with new guidance.

Pitfall 5: Not Verifying CB Accreditation Status

Risk: Continuing with a CB that hasn’t transitioned to ISO/IEC 27706:2025 accreditation. Mitigation: Verify your CB has updated accreditation to ISO/IEC 27706:2025 before scheduling transition audit. Guardian Assessment is transitioning during 2026.

Pitfall 6: Missed Strategic Opportunity (Decoupling)

Risk: Organizations holding ISO 27001 only as ISO 27701 prerequisite continue paying for ISMS they don’t strategically need. Mitigation: Review strategic value of ISO 27001 for your organisation. Standalone ISO/IEC 27701:2025 may be sufficient if security is adequately addressed by other frameworks (SOC 2, sector-specific).

GUARDIAN'S ISO/IEC 27701:2025 TRANSITION SERVICE

Pre-Transition Phase:

  • Strategic decision support — standalone vs combined with ISO 27001 evaluation
  • Transition readiness assessment — gap analysis against ISO/IEC 27701:2025
  • Transition project planning — roadmap, timeline, resource estimation
  • Leadership briefing — strategic implications and architectural change
  • Documentation review — verification of PIMS restructure

Transition Audit Phase:

  • Combined transition + surveillance audit
  • Combined transition + recertification audit
  • Standalone transition audit
  • Decoupling audit (move from combined to standalone)
  • Trained auditors — Guardian Assessment auditors complete ISO/IEC 27701:2025 + ISO/IEC 27706:2025 transition training

Post-Transition Phase:

  • Updated certificate issuance — reflecting ISO/IEC 27701:2025 conformance
  • Revised certification programme — surveillance and recertification timing
  • Ongoing surveillance — annual audits against new edition

For new applicants, Guardian offers direct certification to ISO/IEC 27701:2025 standalone — particularly attractive for SMBs, public-sector entities, EdTech, healthcare, and privacy-focused organisations.

GET STARTED — CONTACT GUARDIAN

Guardian Middle East LLC | Serving the Middle East
QFC Licence 03870 · Doha, Qatar

Location: Abo Hamour Area, Doha, Qatar
P.O. Box: 23277, Doha, Qatar
Mobile: +974 7770 2602 | +974 7213 7770
Email:  info@guardian.qa 
Website: www.guardian.qa
