ISO 27701:2025 Released

For the first time since its initial publication in 2019, ISO 27701 has been updated. The International Organization for Standardization published ISO 27701:2025 in October 2025, making significant changes to the privacy framework. Organizations are granted a three-year transition period, meaning that compliance with the 2025 edition will be required by October 2028 to achieve or maintain certification.

ISO 27701:2025 is more than a compliance update: it marks a shift toward executive-level accountability and integrated privacy governance. Organizations that adapt early will gain efficiency, strengthen trust, and demonstrate privacy leadership.

Here’s a look at what’s new with ISO 27701.

Now a Stand-Alone Framework

With this update, ISO 27701 is no longer just an extension of ISO 27001. Organizations can now obtain ISO 27701 certification without holding an ISO 27001 certification. This is significant for businesses that want to implement and certify a Privacy Information Management System (PIMS) but are not ready to, or do not wish to, implement a full Information Security Management System (ISMS).

This change is especially meaningful for organizations that prioritize privacy but do not yet have an ISMS in place. It broadens access to ISO certification, supports businesses pursuing GDPR, CCPA, or AI governance alignment, and lets privacy-first organizations demonstrate accountability before they implement ISO 27001.

Standalone does not mean security-free, however. The shared controls in Annex A still expect baseline protections such as access control, encryption, logging, and incident management, so an organization certifying the PIMS on its own must still operate and evidence those controls for the PII in scope.

ISO 27701 Clauses 4–10

The revision introduces mandatory requirements across Clauses 4–10. These clauses follow the harmonized structure shared by ISO management system standards such as ISO 27001, and they place a stronger emphasis on organizational leadership and privacy governance.

Clause 4: Context of the Organization

This clause requires the organization to understand and define the PIMS environment. Key elements include:

  • Identifying internal and external issues relevant to privacy (regulatory environment, technological advancements, stakeholder expectations, etc.).
  • Determining the interested parties and their requirements.
  • Defining the scope of the PIMS (boundaries, roles, and interfaces).
  • Establishing the PIMS itself as a structured management system.

Clause 5: Leadership

This clause emphasizes top management’s accountability and commitment to privacy.

  • Top management must demonstrate leadership and commitment to the PIMS, including embedding privacy into the organizational culture.
  • A privacy policy must be established that is aligned with the organization's strategic direction and stakeholder expectations.
  • Privacy roles, responsibilities, and authorities (for example, a data protection officer or privacy managers) must be defined and assigned.

Clause 6: Planning

Clause 6 ensures that the organization has a plan to address risk and set objectives under the PIMS.

  • Actions to address risks and opportunities, including privacy risk assessments.
  • Defining privacy objectives and planning how to achieve them.
  • Planning changes to the PIMS in a controlled manner.

Clause 7: Support

Clause 7 addresses the resources and infrastructure needed to implement and maintain the PIMS.

  • Allocation of resources (personnel, tools, technology).
  • Ensuring people are trained and capable in privacy-related tasks.
  • Awareness and communication of privacy responsibilities and policy across the organization.

Clause 8: Operation

Clause 8 covers the day-to-day operation of the PIMS, whether the organization acts as a PII controller, a PII processor, or both.

  • Operational planning and control: implementing processes, controlling changes, and managing interfaces with other parties.
  • Privacy risk assessment in operations, and privacy risk treatment tied to operational controls.
  • Implementation of privacy-specific controls.
  • Handling of privacy incidents, data subject rights requests, policies for transferring, sharing, and disclosing PII, monitoring, and related operational activities.

Clause 9: Performance Evaluation

Clause 9 ensures that the organization evaluates the PIMS performance.

  • Monitoring, measurement, analysis, and evaluation of PIMS performance against objectives and plans.
  • Internal audits to determine if the PIMS conforms to requirements and is effectively implemented.
  • Top management reviews of performance, issues, and risks to decide if changes or improvements are needed.

Clause 10: Improvement

The final clause requires that the PIMS be continually improved.

  • Corrective actions to address failures, root-cause analysis, and remedial measures.
  • Continual improvement by leveraging performance data, audits, and reviews to drive enhancements in the PIMS.

ISO 27701:2025 Annex A

Annex A is organized into the three parts described below. The controls in Annex A are not mandatory in themselves: an organization selects them through its privacy risk assessment and treatment process, implementing those that are needed to treat identified risks. Whatever the outcome, the organization must justify the inclusion or exclusion of each control, so "not required" does not mean a control can be silently skipped.

The 2025 update enhances alignment with modern privacy regulations, including GDPR, CCPA, and emerging AI governance frameworks; many GDPR obligations map directly onto Annex A controls. Annex A now reflects the evolving expectations of regulators, partners, and consumers around data protection and accountability.

Part 1: Controls for PII Controllers

Part 1 of Annex A defines privacy-specific controls and objectives that apply when an organization acts as a Personally Identifiable Information (PII) controller. These controls address obligations such as determining lawful bases, setting collection and processing conditions, satisfying data subject rights, ensuring transparency and notice, enabling privacy by design and by default, handling transfers and shared data, and maintaining accountability documentation. In short, Part 1 sets out the responsibilities of the party that decides how and why personal data is processed, layering privacy obligations on top of the core information security controls.

Part 2: Controls for PII Processors

Part 2 of Annex A identifies the controls and objectives specifically relevant to PII processors. These controls emphasize contracts and agreements, obligations to follow controller instructions, subcontractor management, security guarantees, assisting the controller with data subject requests and breach notifications, and ensuring transparency. Part 2 tailors privacy requirements to the role of processors and aligns their responsibilities with the controller’s privacy requirements.

Part 3: Shared Controls

Part 3 of Annex A covers controls that apply to both controllers and processors, focusing on overlapping responsibilities. These include foundational information security and privacy controls (access control, encryption, logging, incident management, and similar) that support the privacy obligations outlined in the first two parts. This shared section ensures that both controllers and processors maintain the same baseline protections and operational rigor, so that no gap opens where responsibilities overlap and each party upholds the core security the PIMS depends on.

Additional Focus Areas in ISO 27701:2025

Beyond the structural updates, the 2025 revision introduces several important focus areas that reflect the growing maturity of global privacy expectations.

Organizations will now see a stronger emphasis on transparency and accountability, including clearer requirements for privacy impact assessments, third-party management, and ongoing monitoring of data processors.

ISO 27701:2025 also encourages organizations to set measurable privacy objectives, for example tracking the timeliness of incident response or the fulfillment of data subject rights requests against defined targets.

These changes signal a move toward continuous privacy governance rather than point-in-time compliance.

Why ISO 27701:2025 Matters

This update elevates privacy management from a compliance exercise to an executive governance function. It demands active leadership involvement, risk-based planning, and measurable privacy outcomes—all of which reflect growing global emphasis on accountability and data stewardship. This evolution underscores that privacy protection is now a boardroom priority.

Recommended Next Steps

To prepare effectively, organizations should start by building a clear understanding of where they stand today.

  1. Conduct a readiness assessment comparing your current PIMS to the new 2025 requirements.
  2. Map leadership roles and responsibilities under Clauses 4–10.
  3. Align privacy and information security objectives with organizational strategy.
  4. Update risk assessment and monitoring processes to include privacy performance indicators.
  5. Develop a transition roadmap before your next certification cycle (ideally by mid-2026).

Organizations that move early will simplify future audits and strengthen their privacy reputation. CompliancePoint recommends beginning with a gap analysis and readiness workshop to prepare for the 2028 transition deadline, then using what you learn in the assessment to design controls that close the identified gaps.

Transition Timeline

Organizations currently certified under ISO 27701:2019 should plan their transition within the next 24–30 months. Waiting until 2027 could create bottlenecks as certifying bodies and consultants face increased demand closer to the 2028 deadline.

CompliancePoint has a team of ISO experts who can prepare your organization for a successful ISO 27701 audit. We will put you on the path to certification by helping you design and implement the controls, policies, and procedures that will be the foundation of a PIMS that meets the framework’s requirements. Taking proactive steps now will ensure a smoother transition well before the 2028 certification deadline.

Contact us at connect@compliancepoint.com to learn more about our services.

Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.