ISO/IEC 27701:2025 is out, and it changes the calculus for any organization that handles personal data. Published in late 2025, the revision modernizes the Privacy Information Management System framework and, for the first time, lets you certify privacy on its own.
If your privacy program conforms to the 2019 version, you have a deadline. Conformance to the 2025 version is required by October 2028. That is time to plan, not time to ignore. Here is what changed, who it helps, and what to do now.
What ISO 27701 Is
ISO 27701 is the privacy extension to the ISO 27000 family. It defines a Privacy Information Management System, a PIMS, that adds privacy-specific requirements and controls on top of information security. In plain terms, it is the recognized, auditable way to prove you handle personal data responsibly, mapped to the same management-system approach behind ISO 27001.
What Changed in 2025
Five updates matter most.
- Standalone privacy certification. The biggest change. You can now certify to ISO 27701 without first implementing ISO 27001. Companies that need strong privacy governance but not a full information security management system finally have a direct path.
- Modernized structure. The standard aligns with the reorganized ISO 27002:2022 layout, grouping privacy guidance into four themes: organizational, people, physical, and technological. It is easier to understand, implement, and audit.
- Clearer roles. The update sharpens the line between the responsibilities of PII controllers and processors, which makes accountability easier to demonstrate to regulators and customers.
- Stronger risk management. Privacy risk assessment is now explicit and central to the standard, in line with what modern privacy laws expect.
- Modern coverage. New guidance addresses today's realities, including cloud services, threat intelligence, and evolving regulatory expectations.
The Standalone Path: Who It Helps
Removing the ISO 27001 dependency is the headline. Organizations of any size or maturity can now pursue privacy certification directly. That is especially useful for companies that handle personal data under partial controller or processor agreements and do not need a full cybersecurity management system. A SaaS vendor that processes customer data, a marketing firm handling consumer records, a service provider acting only as a processor: all now have a proportionate route to certification.
How It Maps to GDPR and US Privacy Laws
ISO 27701 does not replace the law, but it gives you a recognized framework for demonstrating compliance with it. The standard maps to GDPR obligations and supports the accountability that US state privacy laws increasingly demand. Instead of self-attesting that you handle data responsibly, you hold an independent certification that regulators, partners, and enterprise customers accept. As verifiable accountability becomes the expectation rather than the exception, that distinction carries weight.
Controller or Processor: Know Your Role
The standard treats controllers and processors differently, and the 2025 update makes the split clearer. A controller decides why and how personal data is processed. A processor acts on a controller's instructions. Many companies are both, depending on the data. Getting this right is not academic. It determines which requirements apply to you and what you must be able to show an auditor.
Your Transition Timeline
If you already conform to the 2019 version, the move to 2025 is a planning exercise, not a fire drill, as long as you start in time. The October 2028 deadline sounds distant, but a certification cycle plus the work to close gaps eats the calendar quickly. Map your current controls to the new structure, identify what the 2025 revision adds, and schedule the transition audit with room to spare. The clause-based structure integrates cleanly with other management systems, so if you run ISO 27001 or ISO 42001, the transition reuses work you have already done.
If You Have Never Certified
The standalone path makes this the right moment to look seriously at privacy certification. A readiness assessment tells you where you stand against the 2025 standard, what the gap looks like, and whether the standalone route or a combined ISO 27001 and 27701 program fits your business. You get an honest answer before committing budget.
Frequently Asked Questions
Can I certify to ISO 27701 without ISO 27001?
Yes. The 2025 revision introduced a standalone privacy certification, so you no longer need to implement ISO 27001 first. Many companies still choose to run both, but it is no longer required.
When do I have to move from the 2019 version?
Conformance to ISO 27701:2025 is required by October 2028. Start the transition planning well ahead of that date so the audit schedule and gap remediation fit comfortably.
Does ISO 27701 make us GDPR compliant?
It does not replace the law, but it gives you a recognized, auditable framework that maps to GDPR and other privacy regulations and helps you demonstrate accountability.
If you handle personal data, the 2025 standard is worth a serious look, whether you are transitioning from the 2019 version or certifying for the first time. A readiness assessment tells you where you stand and what the move actually requires.