The New ISO/IEC 27701:2025 - More Emphasis on Privacy
On 10 October 2025, the new edition of ISO/IEC 27701 was published.
As a reminder, the previous 2019 edition of ISO 27701 provided an internationally recognized framework enabling organizations to manage risks related to personally identifiable information (PII) and improve their privacy practices.
Until now, ISO 27701 functioned as an extension of ISO/IEC 27001. In practical terms, an organization had to be certified under both ISO 27001 and ISO 27701, since the two were assessed together. The 2025 edition now establishes itself as an independent Privacy Information Management System (PIMS) under the revised title “Information security, cybersecurity and privacy protection - Privacy information management systems - Requirements and guidance.” This means ISO 27701 can be implemented as a standalone PIMS, while remaining compatible with other ISO frameworks.
Under most data protection laws, including Article 42 of the GDPR, ISO 27701 certification is not mandatory, but its adoption can add value to a business and its credibility. In practice, the need for ISO 27701 often arises when demonstrating compliance with data protection laws - such as the GDPR, CCPA, DPDPA, UAE PDPL, and LGPD - for example, during M&A due diligence or regulatory investigations following a data breach.
Key Revisions in the 2025 Standard
- Hierarchy of Standards: Privacy and PII risk management are now elevated to an equal level with general information security frameworks such as ISO 27001.
- Areas of Control: The standard introduces updated control measures, specifically addressing emerging technologies such as Artificial Intelligence (AI), cloud systems, and cross-border data transfers.
- Higher Compliance Threshold: The new standard also sets stricter governance mechanisms, requirements for privacy policies, clearly defined privacy roles (such as a DPO), measurable KPIs, and ongoing performance monitoring.
- Transition Period: Organizations certified under ISO 27701:2019 will have a transition period, but should begin aligning their internal processes with the new PIMS requirements.
Conclusion and Outlook: While the new standard remains fully compatible with other ISO frameworks, the 2025 edition of ISO 27701 marks personal data protection as a distinct and critical pillar of information governance. This shift necessitates a proactive review of existing compliance practices.