
ISO/IEC 27701:2025: why is this standard a milestone?


The 2025 edition makes ISO/IEC 27701 independent, aligned with Annex SL 2024 and focused on a standalone, certifiable PIMS.

Why is this standard a milestone?

The 2025 edition of ISO/IEC 27701 marks a turning point in how organisations manage privacy.
It is no longer an extension of ISO/IEC 27001: it has become an independent standard, with its own structure, aligned with the latest (2024) edition of Annex SL.
This change gives the Privacy Information Management System (PIMS) greater flexibility, autonomy and maturity, and makes certification accessible to any organisation that processes personal data, even one without a prior information security certification.

Main structural changes


1. An independent standard, certifiable on its own
  • Before: ISO/IEC 27701:2019 was an extension of ISO/IEC 27001. Obtaining the privacy certificate required either an existing ISO/IEC 27001 certification or a parallel audit leading to both certificates.
  • Now: ISO/IEC 27701:2025 is an autonomous standard that can be certified directly, with no dependency on ISO/IEC 27001, because it carries its own information security requirements alongside the privacy controls.

Impact: organisations focused primarily on privacy (such as clinics, digital platforms or data start-ups) can achieve certification without implementing a full ISMS.


2. Alignment with the new Annex SL (2024)
  • The standard follows the harmonized structure of Annex SL as revised in 2024, which is common to all ISO management system standards.
  • This brings the standardised clauses: context of the organisation, leadership, planning, support, operation, performance evaluation and improvement.

Benefit: a common structure makes it easier to integrate the PIMS with other management systems, for example:

  • ISO 9001 (quality)
  • ISO/IEC 42001 (artificial intelligence)
  • ISO/IEC 27001 (information security)


3. Stronger governance and accountability
  • The new version requires greater leadership involvement in defining privacy policies.
  • It introduces clearer requirements for risk assessment, supplier management and compliance monitoring.

Example: A company that outsources data processing must demonstrate that it assesses and controls the risks associated with its processors.


4. New accreditation standard: ISO/IEC 27706:2025
  • It replaces ISO/IEC 27006-2 as the reference that certification bodies must meet to be accredited for PIMS certification.
  • It defines specific criteria for auditing and certifying a PIMS, including auditor competences, audit time and audit scope.

Result: greater rigour and consistency in certification processes, with a focus exclusively on privacy.


Detailed comparison: ISO/IEC 27701:2019 vs 2025

Element | 2019 Edition | 2025 Edition
Type of standard | Extension of ISO/IEC 27001 | Independent standard
Certification | Requires ISO/IEC 27001 | Can be certified independently
Structural basis | Annex SL edition current in 2019 | Annex SL 2024
Scope | Complement to information security | Privacy Information Management System (PIMS)
Certification body accreditation standard | ISO/IEC 27006-2 | ISO/IEC 27706:2025
Integration with other standards | Limited, as it was an extension of ISO/IEC 27001 | Fully compatible with the certifiable (Type A) management system standards, such as ISO 9001 and ISO/IEC 42001
Governance | Less demanding | Stronger leadership and accountability
Flexibility | Only with an ISMS | Open to any organisation


Global applicability and legal compliance

ISO/IEC 27701:2025 was designed to support compliance with personal data protection legislation across different jurisdictions:

Legislation | Country/Region | How the standard helps
GDPR | European Union | Controls for data subject rights, consent and international data transfers
Law 58/2019 | Portugal | Support for the practical implementation of the national GDPR framework
UK GDPR | United Kingdom | Alignment with the UK GDPR
FADP (LPD) | Switzerland | Compliance with the revised Federal Act on Data Protection
LGPD | Brazil | Controls for operators (processors) and controllers in line with ANPD requirements
CCPA / CPRA | USA | Transparency, consumer rights and security
PIPEDA | Canada | Accountability, consent and information security


Transition from the 2019 edition to 2025

Organisations certified under the previous edition normally have three years to complete the transition, which for the 2025 edition would mean a deadline of October 2028. Note that, at the date of this article, neither ISO/CASCO nor the IAF had published an official transition date; the date given here is the usual transition cycle for certifiable (Type A) management system standards and should be confirmed against the IAF resolution once it is issued.

There are many ways to carry out the transition successfully. One common approach is set out below:

Transition stages
  1. Gap analysis between the 2019 and 2025 requirements.
  2. Document review against the new Annex SL harmonized structure.
  3. Specialised training for technical and management teams on the advantages and new requirements of the 2025 edition.
  4. Presentation of the proposed transition approach, plan and parties involved, raising awareness of the role each interested party plays in the transition.
  5. Establishment and execution of a transition programme for the 2025 edition, based on the identified gaps, the results of the document review and any other relevant inputs.
  6. Operation, monitoring and evaluation of the implemented requirements and controls against the objectives of the standard and of the organisation, with records kept of the system's operation and effectiveness (three months of operation are suggested as sufficient evidence that the new PIMS is working).
  7. Internal audit to validate compliance and identify opportunities for improvement.
  8. Management review and approval by top management of the new ISO/IEC 27701:2025 PIMS, including analysis of results and benefits, and approval to proceed to the certification transition audit.
  9. Transition audit by an audit team that includes ISO/IEC 27701:2025 Lead Auditor certified professionals, approval of the transition by a certification body accredited to ISO/IEC 27706:2025, and issuance of the ISO/IEC 27701:2025 certificate.

Use case: a software company certified to ISO/IEC 27701:2019 can complete the transition in about six months (depending on the extent of its certification scope), with the support of training and consultancy, reducing costs and keeping its certification active throughout.


Training and professional certification

To support the transition and adoption of the new standard, Behaviour offers specialised training courses and people certifications:

Course | Objective | Target audience
Transition | Migrate from the 2019 edition to 2025 | Already certified organisations wishing to pass the transition audit, and professionals holding ISO/IEC 27701:2019 people certifications who wish to transition them to the 2025 edition.
Foundation | Understand the requirements of the standard | Privacy, IT, compliance and other specialists who need the fundamental knowledge.
Lead Implementer | Implement a Privacy Information Management System (PIMS) in line with the new standard | Consultants and project managers who will implement, or lead the implementation of, a PIMS based on ISO/IEC 27701:2025, or support the transition to the new edition.
Lead Auditor | Audit Privacy Information Management Systems (PIMS) | Internal and external auditors who wish to acquire or update their competences in conducting first-, second- or third-party audits, as audit team members or as audit team leaders, whether for a new implementation or for an organisation in transition.


Conclusion: Privacy as a competitive advantage

ISO/IEC 27701:2025 is not just a standard — it is a strategic tool for organisations that want to lead with responsibility, transparency and compliance. Whether to complete the transition or begin certification, now is the time to act.


Author: Behaviour
Published on: 24 October 2025
Copying or reproducing this article is not authorised.


Last Modified: April 6, 2026