Where the rest of this site covers the regulations privacy programs must comply with, ISO/IEC 27701 is something different — a voluntary, certifiable standard for how a privacy program is built and run. Released as a second edition on 14 October 2025, it is the international benchmark for Privacy Information Management Systems (PIMS), now standalone for the first time and no longer dependent on ISO 27001 certification. For organisations whose privacy posture needs external validation — vendor due diligence, regulator credibility, board assurance — ISO 27701 is the most widely recognised mechanism.
The most significant change in the 2025 edition isn't structural — it's strategic. ISO/IEC 27701 was originally designed in 2019 as an extension to ISO/IEC 27001, meaning organisations could only certify their PIMS if they already held ISO 27001 certification. The October 2025 second edition removes that dependency. Privacy management can now be certified as a discipline in its own right, without requiring a complete ISMS first. This dramatically widens accessibility — and changes how privacy-led organisations should think about certification.
Title (2019 edition): Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management.
Title (2025 edition): Information security, cybersecurity and privacy protection — Privacy information management systems — Requirements and guidance.
Existing ISO 27701 certifications remain valid through October 2028. Organisations holding 2019-edition certificates have a three-year transition window to migrate to 2025. The migration is not a fundamental rebuild — most existing controls map across — but the structural changes (consolidated Annex A, 29 new IS controls, standalone clauses) require formal re-audit. Practitioners should plan transition work to land well before the deadline rather than at it.
Clauses 4 to 10 form the operational heart of ISO 27701. They follow the standard ISO management-system structure used across ISO 27001, ISO 9001, ISO 42001 and others — the same Plan-Do-Check-Act cycle adapted to privacy. For organisations already running an ISO 27001 ISMS, the PIMS structure is immediately familiar; for privacy-first organisations, this is the operating model the standard expects.
- Clause 4 (Context of the organisation): Understanding the organisation, its context, interested parties, scope of the PIMS, and the boundaries within which privacy obligations operate. The starting work — and the work most often done loosely.
- Clause 5 (Leadership): Top management commitment, privacy policy, organisational roles, responsibilities, authorities. The DPO function and accountability ladder live here. Senior buy-in needs to be visible, not assumed.
- Clause 6 (Planning): Privacy risk assessment, risk treatment, privacy objectives, planning of changes. Privacy Impact Assessments (PIAs / DPIAs) sit here; the risk-driven nature of the entire framework is grounded in this clause.
- Clause 7 (Support): Resources, competence, awareness, communication, documented information. The capability-building work — and the documentation discipline auditors will examine first.
- Clause 8 (Operation): Operational planning and control, privacy risk assessment, privacy risk treatment in practice. Where the controls actually run — and where the evidence of operating effectiveness gets generated.
- Clause 9 (Performance evaluation): Monitoring, measurement, analysis, evaluation, internal audit, management review. The measurement layer that makes effectiveness demonstrable. KPIs, metrics and audit cadence all live here.
- Clause 10 (Improvement): Nonconformity and corrective action, continual improvement of the PIMS. New as a dedicated clause in the 2025 edition. The closing of the loop — and where most certifications stall after first audit.
The substantive heart of ISO 27701 is Annex A — the catalogue of privacy and security controls organisations select from to build their PIMS. The 2025 edition consolidates the previously separate controller and processor annexes into a single Annex A with three tables, totalling 78 controls. This is where the standard's day-to-day operational shape lives; certification audits assess implementation of selected controls against their respective objectives.
- A.1 (Controller controls): For organisations determining the purposes and means of processing personal data. The largest control set — covers consent, lawful basis, data subject rights, transparency, purpose limitation, and accountability obligations. Typical baseline for any organisation that processes its own customers' or employees' data.
- A.2 (Processor controls): For organisations processing personal data on behalf of a controller. Narrower set — focused on processor-specific obligations: documented instruction adherence, sub-processor governance, controller assistance, transparency to controllers, return / deletion at engagement end. Essential for any B2B service provider handling client personal data.
- A.3 (Information security controls): New in the 2025 edition. Replaces the prior dependency on ISO 27001's Annex A. Provides a self-contained set of information security controls calibrated for privacy contexts. Covers organisational, people, physical and technological controls — the security baseline a standalone PIMS needs.
Organisations select applicable controls based on their controller / processor status. A pure controller picks from Annex A.1 plus A.3. A pure processor picks from Annex A.2 plus A.3. Most organisations operate as both — a SaaS company is processor for its customers' data and controller for its own employee and prospect data — and select across all three tables. The Statement of Applicability (SoA) documents which controls are in scope and why.
ISO 27701 doesn't guarantee regulatory compliance — no framework does. But its control library maps directly onto the substantive obligations imposed by GDPR, KSA PDPL, UAE PDPL, India DPDP and other regimes. For organisations needing to demonstrate compliance to regulators, customers or auditors, ISO 27701 provides the structured evidence layer. The matrix below shows the practical mapping for the most enforcement-sensitive obligations.
| Regulatory obligation | What it requires | ISO 27701:2025 control mapping |
|---|---|---|
| Lawful basis for processing (GDPR Art. 6 · KSA PDPL Art. 5 · UAE PDPL Art. 4 · DPDP s.4-7) | Identification, documentation and demonstration of legal basis for each processing activity. Consent management mechanics included. | A.1 — Conditions for collection · Purposes & lawful basis · Consent management |
| Data subject rights (GDPR Arts. 12-22 · KSA PDPL Arts. 4, 9-10 · UAE PDPL Arts. 13-18) | Operational mechanisms to honour rights of access, rectification, erasure, objection, portability, automated-decision restrictions. Channel infrastructure plus response governance. | A.1 — Obligations to PII principals · Rights handling |
| Records of Processing (RoPA) (GDPR Art. 30 · KSA PDPL Art. 31 · UAE PDPL Arts. 7, 8 · DPDP s.8(8)) | Records of processing activities for both controller and processor roles. Meta-data structure, retention, accessibility for regulator inspection. | A.1 / A.2 — Documentation · Processing register |
| Privacy by design & by default (GDPR Art. 25 · UAE Child Safety · DPDP s.8(4)) | Embedded privacy considerations across the product lifecycle. Default settings configured for minimum data exposure. Engineering-side controls. | A.1 / A.2 — Privacy by design · Default settings |
| Processor governance (GDPR Art. 28 · KSA PDPL Art. 7 · UAE PDPL Art. 8) | Documented processing instructions, sub-processor consent regime, controller assistance obligations, audit cooperation, deletion / return. | A.2 — Processor obligations · Sub-processor governance |
| Security of processing (GDPR Art. 32 · KSA PDPL Art. 19 · UAE PDPL Arts. 19-20 · DPDP s.8(5)) | Technical and organisational measures appropriate to risk. Annex A.3's 29 information security controls cover encryption, access control, monitoring, incident response, secure development. | A.3 — Org. security · A.3 — Tech. security · A.3 — Physical security |
| Personal data breach response (GDPR Arts. 33-34 · KSA PDPL Art. 20 · UAE PDPL Art. 9 · DPDP s.8(6)) | Incident detection, classification, notification protocol to supervisory authority and affected individuals, root cause and corrective action discipline. | A.1 — Breach notification · A.3 — Incident response |
| Privacy / Data Protection Impact Assessment (GDPR Art. 35 · UAE PDPL Art. 21 · DPDP s.10) | PIA / DPIA methodology, trigger identification, assessment workflow, sign-off governance, DPIA library maintenance. | A.1 — Privacy impact assessment · Risk assessment |
| DPO function (GDPR Art. 37 · KSA PDPL Art. 32 · UAE PDPL Arts. 10-11) | Designated privacy function with appropriate independence, expertise, reporting line. Notification to regulator. Defined responsibilities. | Clause 5 — Leadership · Roles & responsibilities |
| International / cross-border transfer (GDPR Ch. V · KSA PDPL Art. 29 · UAE PDPL Arts. 22-23 · DPDP s.16) | Transfer mechanism inventory, adequacy assessment, contractual safeguards (SCCs / equivalent), Transfer Impact Assessment where required, sub-processor location governance. | A.1 / A.2 — PII transfer · Transfer governance |
ISO 27701 certification doesn't make an organisation GDPR-compliant on its own. It demonstrates that the organisation runs a structured PIMS aligned to the relevant control objectives — which is materially different from substantive regulatory compliance. The regulator still assesses whether obligations are met under its specific framework. But certification provides defensible evidence of program maturity, accelerates vendor due diligence, and gives boards an external assurance signal that pure self-attestation cannot.
The path from no PIMS to a certified one runs through five distinct phases. Total elapsed time depends on starting maturity — organisations with an existing ISO 27001 ISMS and a functioning DPO typically reach the Stage 2 audit in 6 to 9 months; organisations starting from scratch typically take 9 to 14 months. Surveillance audits then run annually, with re-certification every three years.
1. Define PIMS scope. Diagnostic against the standard. Gap report and remediation plan.
2. PIMS documentation, control implementation, Statement of Applicability, evidence cadence.
3. Independent internal audit against the standard. Management review. Pre-certification readiness.
4. Documentation review by the certification body; on-site Stage 2 effectiveness audit; nonconformity remediation.
5. Three-year certificate. Annual surveillance audits. Continual improvement discipline.
Organisations holding 2019-edition certificates must migrate to the 2025 edition by October 2028. The good news: the migration is not a fundamental rebuild — most existing controls map across — but the structural changes (Annex A consolidation, 29 new IS controls if not previously running ISO 27001, standalone clauses) require formal re-audit. Plan transition work to land at least six months before the deadline, not at it.
- 14 October 2025: ISO/IEC 27701:2025 published as Edition 2. Companion ISO/IEC 27706:2025 (certification body guidance) released alongside. Three-year transition window opens.
- Transition window: 2019-edition certified organisations conduct gap analysis, update PIMS documentation, complete transition audit. Accreditation body guidance from IAF, UKAS, ANAB published during early 2026.
- October 2028: Existing 2019-edition certificates expire. Continued certification requires a successful migration audit before this date. Certifications not migrated lapse.
The path to ISO 27701 certification splits into eleven workstreams. Some are universal — every organisation needs them; others are scope-dependent (controller-only vs processor-only vs both). The sequencing matters: scoping first, then build, then audit; trying to compress the sequence typically extends the timeline rather than shortening it.
1. Scoping: Definition of organisational and processing scope for the PIMS. Boundary decisions: which entities, which processing activities, which products. Scope decisions made here drive every subsequent workstream.
2. Gap assessment: Diagnostic against ISO 27701:2025 clauses 4 to 10 and Annex A controls. Maturity scoring, gap inventory, remediation prioritisation. The map of what's already in place vs what needs building.
3. Statement of Applicability: Selection and justification of in-scope Annex A controls. Controller / processor / dual-status determination per processing activity. Documented rationale for excluded controls.
4. PIMS documentation: Privacy policy, processing register (RoPA), risk register, treatment plan, control documentation. The document set auditors will work through; needs to be both auditable and operationally meaningful.
5. Control implementation: Implementation of selected Annex A controls. Operational mechanism build for rights handling, breach response, transfer governance, vendor / sub-processor management. The largest workstream by effort.
6. Information security controls: Annex A.3's 29 information security controls. For organisations without ISO 27001, this is the substantive security build; for ISO 27001-certified organisations, alignment work and documentation reuse.
7. Privacy risk management: Privacy risk methodology, identification, assessment, treatment, residual risk acceptance. PIA / DPIA library aligned to the methodology. Continuous re-assessment cycle defined.
8. Training and awareness: Training plan, role-specific competence requirements, evidence of awareness. Frequently underestimated workstream — auditors specifically test whether staff understand the privacy obligations relevant to their roles.
9. Internal audit: Internal audit methodology, programme schedule, auditor independence and competence, audit evidence retention. Required by the standard; the certification body will examine internal audit findings as part of Stage 2.
10. Management review: Top-management review cadence, agenda content, decision documentation. The clause 9.3 requirement that demonstrates leadership engagement with the PIMS — a regular failure point for organisations without strong management discipline.
11. Certification-body engagement: Selection of an accredited certification body, Stage 1 and Stage 2 audit scheduling, nonconformity response, ongoing surveillance audit cadence. The external-facing workstream that runs in parallel with implementation.
ISO 27701 work is delivered through one of three engagement shapes — depending on whether the organisation is starting from scratch, transitioning from the 2019 edition, or maintaining post-certification. Most full implementations run as substantial project engagements; transition work is typically lighter; ongoing surveillance maintenance fits well into a retainer.
- Full implementation: For organisations targeting first-time ISO 27701 certification. End-to-end build: scoping, gap assessment, PIMS documentation, control implementation, internal audit, management review, certification-body engagement. Most projects run alongside an internal program owner.
- 2025 transition: For organisations holding 2019-edition certificates needing to migrate before October 2028. Targeted gap assessment against the new structure, Annex A consolidation, scoping of the 29 new IS controls, documentation update plan, transition audit preparation.
- Ongoing retainer: For organisations holding ISO 27701 certification needing senior backup on harder questions — surveillance audit preparation, scope expansion, scope-of-applicability changes, transition work, integration with ISO 27001 / ISO 42001 / SOC 2. Block-hour retainer model.
Common questions on ISO 27701 in late 2025 / early 2026 — particularly around the 2025 edition's standalone status, the transition implications, and whether certification is worth pursuing for organisations whose primary driver is regulatory compliance rather than external assurance.
ISO 27701 is the most widely recognised privacy management standard in the world — but it is a discipline, not a guarantee. The right question is whether the discipline matches your needs: vendor due diligence, regulator credibility, board assurance, multi-regime evidence. A 30-minute scoping call costs nothing — we will tell you honestly whether ISO 27701 makes sense for your situation, what the build looks like, and how the 2025 transition affects your timing.