Transition Overview

ISO/IEC 27701:2025 is the updated version of the Privacy Information Management System standard, published to align with ISO 27001:2022 and ISO 27002:2022. Organizations currently certified to ISO 27701:2019 will need to transition to the 2025 version within the defined transition period.

The 2025 revision maintains the fundamental structure of ISO 27701 while updating references, control mappings, and guidance to reflect the restructured ISO 27002:2022 control set and evolving privacy landscape.

Transition Dependency

ISO 27701:2019 was written as an extension to ISO 27001 and ISO 27002, so its PIMS cannot be transitioned in isolation from the ISMS it extends. If you hold both certificates, align the ISO 27701 transition with your ISO 27001:2022 transition; if ISO 27001 has not been transitioned yet, plan both together so that the control mapping, the Statement of Applicability and the audit evidence are updated once, not twice. (The 2025 revision is written so that a PIMS can also be established without an ISO 27001 certificate, but an organization certified to both still needs the two to agree.)

Key Dates and Timeline

Understanding the transition timeline is critical for planning:

Milestone                   | Date                         | Implication
ISO 27701:2025 published    | Q1 2025                      | New version available for certification
Transition period begins    | Publication date             | CBs begin offering 2025 audits
Last 2019 initial audits    | 6 months post-publication    | New certifications must be to 2025
Transition deadline         | 36 months post-publication   | All certificates must be 2025 version
2019 certificates expire    | 36 months post-publication   | Non-transitioned certificates invalid

The binding dates are those set in the IAF transition arrangement and applied by your certification body; confirm them with your CB rather than relying on the generic figures above. Plan your transition audit at least 6 months before the deadline to allow time for corrective actions and to avoid last-minute scheduling problems with certification bodies.

What Changed in ISO 27701:2025

The 2025 revision introduces several updates to align with ISO 27001:2022 and address evolving privacy requirements:

Structural Changes

  • Clause 6 Restructured: Privacy guidance reorganized to align with ISO 27002:2022's four themes (Organizational, People, Physical, Technological) instead of the previous 14 domains
  • Control Numbering: References updated to match new ISO 27002:2022 control numbering
  • Attributes: Privacy controls now include attribute tagging consistent with ISO 27002:2022

Content Updates

  • Threat Intelligence: New privacy guidance for threat intelligence controls
  • Cloud Services: Enhanced guidance for cloud-based PII processing
  • AI and Automated Processing: New considerations for automated decision-making
  • Data Localization: Updated guidance on cross-border transfer requirements
  • Privacy by Design: Strengthened requirements aligned with emerging regulations

Regulatory Mappings

  • Annex D Updated: GDPR mapping refreshed for regulatory developments
  • New Mappings: Additional informative annexes for other privacy frameworks

Alignment with ISO 27001:2022

The most significant driver for ISO 27701:2025 is alignment with ISO 27001:2022. Key alignment points:

Management System Clauses (4-10)

Clause 5 of ISO 27701 (PIMS requirements extending ISO 27001) is updated to reference:

  • Climate change considerations (Clause 4.1)
  • Updated planning requirements (Clause 6)
  • Operational planning terminology (Clause 8)

Control Guidance (Clause 6)

The privacy-specific guidance that extends ISO 27002 is completely restructured:

ISO 27701:2019 (aligned to ISO 27002:2013) | ISO 27701:2025 (aligned to ISO 27002:2022)
14 domains, 114 controls                    | 4 themes, 93 controls
No attributes                               | 5 attribute types per control
Grouped by security domain                  | Grouped by theme (organizational, people, physical, technological)

The drop from 114 to 93 controls is not a reduction in scope: ISO 27002:2022 merged 57 of the 2013 controls into 24 consolidated controls and added 11 new ones, so most 2019 control references map many-to-one onto the new set rather than one-to-one.

Annex A and B Updates

The controller (Annex A) and processor (Annex B) specific controls remain structurally similar but with refinements:

Annex A (PII Controllers)

  • Enhanced data subject rights management controls
  • Updated cross-border transfer requirements
  • Stronger privacy impact assessment guidance
  • New controls for automated processing transparency

Annex B (PII Processors)

  • Clarified subprocessor management requirements
  • Enhanced data return and deletion controls
  • Updated security incident notification guidance
  • New controls for processor-specific risk management

Statement of Applicability Impact

Your PIMS Statement of Applicability will need restructuring to align with the new control numbering and themes. This is typically the most time-consuming documentation update, because every applicability decision and justification has to be carried over to a 2022 control that may have absorbed several 2013 controls, and the controls that are new in 2022 have no predecessor to inherit a decision from and need a fresh, risk-based applicability decision.
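The following script is an added example, not code from the page or from ISO, showing how the SoA carry-over can be done mechanically so that nothing is silently dropped. It works from a table of 2022 controls and their 2013 predecessors; the table embedded here is a small constructed subset (the authoritative correspondence is Annex B of ISO/IEC 27002:2022), and the 2019-style SoA rows are constructed sample data. A merged control is marked applicable if any predecessor was applicable, predecessors that disagree are queued for human review, controls with no predecessor are queued as new, and old rows that no mapping entry consumes are reported as orphans so the mapping table can be extended.

```python
"""Remap a 2019-style PIMS Statement of Applicability onto the ISO/IEC 27002:2022 control set.

Added example: not code from the page or from ISO. The mapping table is a small
constructed subset; the authoritative 2022-to-2013 correspondence is Annex B of
ISO/IEC 27002:2022. Sample SoA rows are constructed for illustration.
"""
import csv
import io
from dataclasses import dataclass, field

# Constructed subset of Annex B (ISO/IEC 27002:2022 control -> 2013 predecessors).
# An empty predecessor list marks a control that is new in 2022.
MAPPING_2022_TO_2013 = {
    "5.1":  ("Policies for information security", ["5.1.1", "5.1.2"]),
    "5.7":  ("Threat intelligence", []),
    "5.15": ("Access control", ["9.1.1", "9.1.2"]),
    "5.23": ("Information security for use of cloud services", []),
    "6.3":  ("Information security awareness, education and training", ["7.2.2"]),
    "8.8":  ("Management of technical vulnerabilities", ["12.6.1", "18.2.3"]),
    "8.10": ("Information deletion", []),
    "8.15": ("Logging", ["12.4.1", "12.4.2", "12.4.3"]),
    "8.24": ("Use of cryptography", ["10.1.1", "10.1.2"]),
}

# Constructed 2019-style SoA: 2013 control ID -> (applicable, justification).
OLD_SOA_2019 = {
    "5.1.1": (True, "Information security policy approved by the board"),
    "5.1.2": (True, "Policy reviewed annually"),
    "7.2.2": (True, "Annual privacy awareness training"),
    "9.1.1": (True, "Access control policy in force"),
    "9.1.2": (False, "No shared network services in scope"),
    "10.1.1": (True, "Cryptography policy in force"),
    "10.1.2": (True, "Keys managed in an HSM"),
    "11.1.1": (True, "Physical perimeter controls"),  # not covered by the subset above
    "12.4.1": (True, "Central log collection"),
    "12.4.2": (True, "Log integrity protection"),
    "12.4.3": (True, "Administrator activity logged"),
    "12.6.1": (True, "Monthly vulnerability scanning"),
    "18.2.3": (True, "Annual penetration test"),
}


@dataclass
class SoaRow:
    control_id: str
    title: str
    applicable: bool
    justification: str
    status: str                      # "mapped", "new" or "unmapped"
    needs_review: bool = False       # True when a human decision is still required
    predecessors: list = field(default_factory=list)


def remap_soa(old_rows, mapping=MAPPING_2022_TO_2013):
    """Build 2022-keyed SoA rows from 2013-keyed rows; return (rows, orphans).

    A merged control is applicable if ANY predecessor was applicable, so a merge can
    never silently drop an in-scope control. Predecessors that disagree are flagged
    for review. Controls new in 2022 inherit nothing and are flagged. 2013 rows that
    no mapping entry consumes are returned as orphans.
    """
    consumed, new_rows = set(), []
    for new_id, (title, preds) in mapping.items():
        if not preds:
            new_rows.append(SoaRow(new_id, title, False,
                                   "NEW in 2022: decide applicability from the privacy risk assessment",
                                   "new", needs_review=True))
            continue
        present = [p for p in preds if p in old_rows]
        consumed.update(present)
        if not present:
            new_rows.append(SoaRow(new_id, title, False, "No predecessor row in old SoA",
                                   "unmapped", needs_review=True, predecessors=preds))
            continue
        flags = {old_rows[p][0] for p in present}
        justification = "; ".join(f"[{p}] {old_rows[p][1]}" for p in present)
        new_rows.append(SoaRow(new_id, title, any(flags), justification, "mapped",
                               needs_review=len(flags) > 1, predecessors=present))
    orphans = sorted(set(old_rows) - consumed)
    return new_rows, orphans


def review_queue(rows):
    """Control IDs the privacy team must decide on before the SoA is issued."""
    return [r.control_id for r in rows if r.needs_review]


def to_csv(rows):
    """Render the new SoA as CSV text for the document management system."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["control_id", "title", "applicable", "status", "needs_review",
                     "predecessors_2013", "justification"])
    for r in rows:
        writer.writerow([r.control_id, r.title, "yes" if r.applicable else "no", r.status,
                         "yes" if r.needs_review else "no", " ".join(r.predecessors),
                         r.justification])
    return buf.getvalue()


if __name__ == "__main__":
    rows, orphans = remap_soa(OLD_SOA_2019)
    print(to_csv(rows))
    print("Needs review:", review_queue(rows))
    print("Orphaned 2013 rows (extend the mapping):", orphans)
```

On the sample data, 5.15 (Access control) comes out applicable but queued for review because its predecessors 9.1.1 and 9.1.2 disagreed, the three new controls are queued, and 11.1.1 is reported as an orphan. The review queue is the list you take into the privacy risk assessment; the orphan list is the check that the mapping table is complete before the SoA is signed off.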

Transition Action Plan

Follow this step-by-step plan to transition your PIMS:

Phase 1: Assessment (Weeks 1-4)

  1. Obtain the Standard: Purchase ISO 27701:2025 from ISO or your national standards body
  2. Gap Analysis: Compare your current PIMS against 2025 requirements
  3. ISO 27001 Status: Confirm your ISO 27001 is already transitioned to 2022 or plan joint transition
  4. Resource Planning: Estimate effort for gap closure and allocate resources

Phase 2: Documentation Update (Weeks 5-10)

  1. PIMS Policy: Update references to new standard version
  2. Statement of Applicability: Restructure to new control framework
  3. Risk Assessment: Review privacy risk assessment for new controls
  4. Procedures: Update procedures affected by changed controls

Phase 3: Implementation (Weeks 11-16)

  1. Control Updates: Implement any new or changed controls
  2. Training: Update privacy awareness for changed requirements
  3. Internal Audit: Audit against ISO 27701:2025 requirements
  4. Management Review: Review PIMS performance and transition readiness

Phase 4: Transition Audit (Weeks 17-20)

  1. Schedule Audit: Coordinate with certification body
  2. Pre-Audit Preparation: Gather evidence for changed requirements
  3. Transition Audit: Complete certification body assessment
  4. Corrective Actions: Address any findings

Documentation Updates Required

Key documents requiring updates for transition:

Mandatory Updates

  • PIMS Scope: Verify scope statement remains appropriate
  • Privacy Policy: Update standard references
  • Statement of Applicability: Complete restructuring required
  • Risk Assessment: Review against new controls
  • Risk Treatment Plan: Update control references

Likely Updates

  • Privacy Procedures: Procedures referencing specific controls
  • Third-Party Agreements: Processor and subprocessor contracts
  • Privacy Notices: If control changes affect disclosures
  • Training Materials: Privacy awareness content
  • Audit Checklists: Internal audit programs

Transition Audit Options

You have several options for completing your transition audit:

Option 1: Combined with Surveillance

Add transition assessment to a scheduled surveillance audit. Most efficient if timing aligns.

  • Pros: Cost-effective, minimal additional audit time
  • Cons: Must align with surveillance schedule

Option 2: Combined with Recertification

Include transition in your 3-year recertification audit.

  • Pros: Comprehensive review, fresh start on new cycle
  • Cons: May not align with transition deadline

Option 3: Standalone Transition Audit

Schedule a dedicated transition audit separate from regular cycle.

  • Pros: Flexible timing, focused assessment
  • Cons: Additional cost, may extend audit days

Coordinate with ISO 27001

If you're also transitioning ISO 27001 to 2022, coordinate both transitions in a single integrated audit. Most certification bodies offer combined assessments that reduce total audit time and cost.