What is new in the 2025 edition of ISO/IEC 27701

18 October 2025

On 14 October 2025 ISO published a new edition of ISO/IEC 27701, the international standard for Privacy Information Management Systems (PIMS).

This 2025 edition replaces the original 2019 version and brings several important updates that reflect the growing complexity of data protection and the evolving global privacy landscape. 

Organizations certified to ISO/IEC 27701 — or planning to obtain certification — should be aware of these changes and prepare for the transition.


A stand-alone standard

The most significant change is that ISO/IEC 27701 is now a stand-alone standard. The 2019 edition of ISO/IEC 27701 was a privacy extension to ISO/IEC 27001 and ISO/IEC 27002, meaning that a certified Privacy Information Management System could not exist without an Information Security Management System (ISMS).

With the 2025 edition, this is no longer the case. Organizations can now implement and certify a Privacy Information Management System independently from their ISMS. This change makes ISO/IEC 27701 certification more accessible, especially for companies that may not yet have an ISMS but wish to demonstrate strong privacy governance.

Of course, privacy and information security remain closely related. Many organizations will still choose to maintain integrated systems, but the key difference is that this is now optional, not mandatory.


Updated controls

The revised ISO/IEC 27701 builds on existing elements from ISO/IEC 27701:2019, ISO/IEC 27001:2022 and ISO/IEC 27002:2022. It remains fully compatible with other management system standards such as ISO 9001, ISO/IEC 27001 and ISO/IEC 42001.

The standard now includes more comprehensive privacy controls for both PII controllers and processors, ensuring stronger alignment with global privacy frameworks such as the GDPR. It also refines the information security controls derived from ISO/IEC 27001, narrowing them down to 29 controls that have a direct impact on privacy — a more focused approach compared to the 93 controls in ISO/IEC 27001.

In short, the updated standard provides clearer guidance for implementing and maintaining a robust, auditable Privacy Information Management System.


Transition process

As with other ISO standards, the transition period is expected to be up to three years, but the exact timeline will be confirmed later. 

For now, certified organizations are advised to wait for the official transition guidelines before starting formal changes to their systems. However, familiarizing yourself with the new standard and planning the update early will help ensure a smooth transition once the rules are published.

Organizations currently certified to ISO/IEC 27701:2019 — or preparing for certification — should begin by reviewing the new edition to understand the changes. Identify which elements of your existing PIMS may need to be updated and ensure that your team is trained on the revised requirements.

Once transition details are available, establish a plan to update your documentation, controls and processes in line with the 2025 edition.

We hope to be able to provide accredited ISO/IEC 27701 certification in 2026.

The release of ISO/IEC 27701:2025 marks an important milestone. Privacy management has matured into a discipline strong enough to stand on its own, while still maintaining its connection to information security. The new edition provides organizations with greater flexibility and a clearer path to demonstrating accountability, compliance and trustworthiness in how they manage personal data.

Frequently Asked Questions

The certification process for management systems involves an initial audit conducted in two stages. The purpose is to verify whether the management system conforms to the applicable requirements.

If the results of the audit are positive, certification is granted. A management system certification is typically valid for three years, during which annual surveillance audits are carried out to ensure continued compliance.

For a management system certification to be recognized and accepted by authorities or business partners, it must be issued by a certification body accredited in accordance with the provisions of Regulation (EC) No. 765/2008.

RIGCERT provides accredited management system certification in accordance with European legislation and the requirements of the International Accreditation Forum (IAF).

Accreditation is the formal recognition of a certification body’s competence to perform audits and issue certifications. In other words, accreditation applies to certification bodies, while certification is the process applicable to organizations seeking to demonstrate conformity with a specific standard (e.g. ISO 9001).

Accreditation provides confidence that a certification is credible and will be accepted by relevant stakeholders, such as clients, regulatory authorities, or business partners.

Within the European Union, the accreditation of certification bodies is carried out exclusively by national accreditation bodies.

A complete list of recognized accreditation bodies in Europe can be found here.

Management system certifications (e.g., ISO 9001, ISO 14001, ISO/IEC 27001) are typically valid for three years.

During this period, the organization must undergo annual surveillance audits to confirm that its management system continues to meet the requirements and that the certification remains valid.

At the end of the three-year cycle, the organization may apply for recertification of its management system.

Yes, management system certifications can be transferred provided that certain conditions are met.

Only certifications issued under accreditation by an IAF member body are eligible for transfer, and the certification must be valid at the time of transfer.

RIGCERT performs a pre-transfer evaluation and reserves the right to accept or decline the transfer request.

Any interested party may submit a complaint regarding a certification issued by RIGCERT or lodge an appeal against a certification decision.

Complaints and appeals can be submitted in various forms (e.g., by email or in writing) and should include sufficient details to allow proper identification of the case.

RIGCERT will investigate the matter and provide a response to the complainant. Depending on the outcome of the investigation, additional actions may be taken.

More information on how complaints and appeals are managed is available in the Rules for Certification.