ISO 27701 Updates: What You Need to Know 

ISO/IEC 27701 is now a standalone standard, no longer tied to ISO 27001. What does your organization need to know about the change? Read on to learn about key changes to the framework, a new standard for certification bodies, and the timeline for compliance with a reimagined ISO 27701. 

ISO 27701:2025: Privacy management goes independent 

Historically, ISO 27701 (most recently ISO/IEC 27701:2019) has existed only as an extension of ISO 27001. The 2025 revision transforms it into a standalone standard, making privacy certification more accessible. New releases include:

  • ISO/IEC 27701:2025 (Edition 2): A complete overhaul of the Privacy Information Management System (PIMS) standard  
  • ISO/IEC 27706:2025: Completely new guidance for certification bodies (CBs) specific to the Privacy Information Management System (PIMS) standard

Key changes to ISO 27701 

Beyond the obvious change to an independent, standalone standard, there are a few key changes to the ISO 27701 standard, including:

  • Standalone certification: Organizations can now become compliant with ISO 27701 without needing ISO 27001 
  • Restructured framework: Clauses 4–10 now mirror ISO management system standards tailored for privacy 
  • Annex A consolidation: Controls for PII Controllers and Processors are unified into A.1, A.2, and A.3 
  • New Annex B: Implementation Guidance offers practical steps for applying privacy controls 
  • Expanded scope: Includes biometric data, health data, IoT, and AI-related privacy risks 

ISO/IEC 27706:2025: Certifying the certification bodies 

The standards that ISO certification bodies must abide by have also changed, with ISO 27706:2025 replacing the CBs’ current standard, ISO/IEC TS 27006-2:2021. Updates include:

  • Full standard status: ISO 27706 is now a formal international standard 
  • Aligned with ISO 17021-1: Ensures consistency with global certification practices 
  • Annexes A, B, and C: Provide guidance for audit planning, competence requirements, and assessment methodologies 
  • Improved trust & transparency: Enhances credibility and global recognition of PIMS certifications 

What does this mean for you? 

Depending on your status as a certification body or organization earning certification, these changes mean different things. 

For organizations 

If you’re an organization seeking ISO 27701 certification and it’s the only standard you need, you can now pursue it independently of ISO 27001, which will reduce costs and complexity. 

If your organization is already ISO 27701 certified, you’ll need to conduct a transition audit sometime over the next three years. This will ensure that your environment is compliant with the changes to the ISO 27701 standard ahead of the 2028 deadline. 

For certification bodies 

ISO 27706 provides a clear framework for reliable PIMS audits that your certification body can reference. CBs will need to undergo a transition audit with their accreditation bodies to ensure they are fully compliant and able to perform audits against the new standard. CBs should also communicate with their ISO 27701-certified clients about the transition audit process to prevent any lapses in compliance.

ISO 27701 transition timeline 

Organizations will have time to make changes to their environment ahead of the October 2028 deadline for compliance. Here’s the complete timeline for implementing the new ISO 27701 standard: 

  • Publication date: October 14, 2025  
  • Transition period: Three years from publication  
  • Deadline for transition: October 2028  
  • Certification guidance: Official transition rules from accreditation bodies (e.g., IAF, ANAB, UKAS) are expected within 1–3 months post-publication

Recommendations 

Don’t delay: create a plan now to ensure your organization has enough time to prepare for its transition audit. We recommend that organizations that are ISO 27701 certified take the following actions:

  • Purchase the standard: Companies should purchase the standard from the ISO website to understand all of the clauses and annex controls that have been developed for the new standard.
  • Conduct a gap analysis: This will allow your team to identify any gaps between your current level of compliance and the new standard. Identifying and rectifying these gaps before your transition audit is key to avoiding penalties or lapses in compliance. 
  • Update your PIMS documentation and controls: Make these changes sooner rather than later so your team is fully prepared for your organization’s transition audit. Remaining gaps could become an issue as the deadline for compliance approaches. 
  • Perform an internal audit and management review: After implementing the necessary changes, ensure compliance with the new requirements through an internal audit and a management review as scheduled by your organization. 
  • Consult your certification body for specific transition procedures: Your CB should be a resource for you during this time of transition. Their auditors can help your organization plan an effective, efficient transition audit process. 

Ready to learn more? Contact A-LIGN today to get started on your compliance journey.