The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) published a revised, standalone version of the privacy information management system standard ISO/IEC 27701 on 14 October 2025. The 2025 version replaces the 2019 version.
Organizations are increasingly challenged to navigate the complexity of data protection, from applying personal data controls that reduce the risk of breaches to ensuring compliance with evolving national and international regulations. The updated ISO/IEC 27701 standard will help companies manage and improve their privacy information management.
Update of ISO/IEC 27701:2019
The new version of ISO/IEC 27701 introduces several significant enhancements designed to address the evolving landscape of data privacy and security. The main changes are:
- ISO/IEC 27701 now becomes a stand-alone standard aimed at further strengthening privacy information management systems (PIMS) for organizations worldwide rather than being an extension of ISO/IEC 27001.
- The requirements and implementation guidance for the new edition are made up of existing elements from the previous ISO/IEC 27701:2019, ISO/IEC 27001:2022 & ISO/IEC 27002:2022 standards.
- The new standard is structured to integrate with other existing management systems, such as ISO 9001, ISO/IEC 27001 & ISO 42001.
- The standard now includes more comprehensive privacy controls for both Personally Identifiable Information (PII) controllers and processors, ensuring better alignment with global privacy regulations such as the GDPR.
- Enhanced guidance on implementing and maintaining a robust PIMS.
- Building on its predecessor, the updated standard continues to extend ISO/IEC 27001 by adding privacy-specific controls.
Transition rules and timelines
The transition period for ISO standards is typically a maximum of three years, but accreditation bodies will work on determining the transition timeline for already certified companies. Given that ISO/IEC 27701 is becoming a standalone standard, it is taking longer for IAF to develop the transition rules. We will publish an update here as soon as more information is available.
Preparing for implementation
For now, we are awaiting news from IAF on the transition timeline. We therefore suggest that you hold off on tangible transition preparations until the needed documents have progressed further.
Thereafter, we recommend you start preparing for the transition as early as possible and plan properly to incorporate any changes needed into your management system.
Recommended steps for the transition:
- Get to know the contents and requirements of the new standard as soon as possible now that it has been published, bearing in mind that the transition time may be as little as two years. Focus on the changes implied by the revised standard.
- Ensure that relevant personnel in your organization are trained and understand the requirements and key changes.
- Identify gaps which need to be addressed to meet the new requirements and establish an implementation plan.
- Implement actions and update your management system to meet the new requirements.
How we can support
Once you start preparing to transition to the new version of ISO/IEC 27701, DNV can support your journey.
We will be able to support you with:
- Training where you learn about the revision and get a basic overview of key changes and the transition process.
- Online self-assessment tools and onsite/off-site gap assessments to measure how well your management system meets the new requirements.
- Transition audit to move your certification in line with the new version of the standard.
We can support you every step of the way.