What You Need to Know: ISO 27701:2025 Updates
ISO 27701:2025 Is Now a Standalone Standard — Here’s What You Need to Know
ISO 27701 has been updated, and for organizations that rely on it to demonstrate privacy compliance, the changes are worth understanding. In this webinar, A-LIGN’s Zeb Downing and Alex Welsh walk through what’s new, what it means for your certification, and how to prepare.
Watch the full webinar above, and read on for a quick overview of the key takeaways.
What changed in ISO 27701:2025
The biggest change is structural: ISO 27701 is no longer an extension of ISO 27001. It’s now a standalone standard. That shift clarifies who owns privacy risk, reduces confusion between security and privacy responsibilities, and makes it easier to explain your compliance posture to regulators and customers.
Beyond that, the 2025 update modernizes the standard in several meaningful ways. The structure has been realigned with the modern Harmonized Structure, bringing clearer separation of governance, risk, and operations — and sharper controller vs. processor responsibilities. Privacy risk is now treated as a first-class risk domain, with explicit focus on impact to individuals and more central use of Privacy Impact Assessments and DPIAs. This improves alignment with GDPR, CCPA, and similar regulations, and strengthens your audit evidence.
Control language has also been updated to be more direct and easier to test, reducing interpretation risk and audit debate. And documentation expectations have been refined — not expanded — with a focus on quality over quantity and clear linkage between risks, controls, and evidence.
The net result: a more modern, more defensible privacy management standard that doesn’t increase audit burden.
What this means for your organization
This update applies to organizations already certified to ISO 27701, clients transferring certificates, and organizations pursuing ISO 27701 for the first time.
For existing certified organizations, a one-day transition audit is required to maintain certification. That’s a 3–4 hour session with an auditor, completed either as a standalone audit mid-cycle or combined with your next ISO 27001 audit — whichever fits your schedule. The audit focuses on reviewing and updating four key items: your Statement of Applicability, Internal Audit, Privacy Impact Assessment, and Risk Assessment. This is about refinement and alignment, not rebuilding your program from scratch.
For organizations pursuing ISO 27701 for the first time, the standalone status opens a door that wasn’t previously available — you no longer need to hold ISO 27001 certification first.
Key dates to know
The standard was published on October 14, 2025, and the transition period runs three years from that date, with an industry deadline of October 2028. To ensure A-LIGN can complete all documentation requirements by October 31, 2028, transition audits must be completed with A-LIGN by June 30, 2028. Organizations that don’t complete the transition audit within the allowed timeframe will be subject to certification withdrawal.
How much work is the transition?
The workload is less than you might expect. If your organization already has a documented PIMS, a current Statement of Applicability, a Privacy Impact Assessment, a privacy-focused risk assessment, a completed internal audit covering privacy controls, and clear privacy governance — your changes will be minimal.
What typically needs adjustment: clearer privacy-specific risk mapping, updated documentation structure, and clarified controller vs. processor responsibilities. What you typically don’t need to do is rebuild your program, add major new controls, or increase audit time.
Steps to take now
Start by reviewing available resources on the updated standard and purchasing the ISO 27701:2025 standard. Then conduct a gap analysis against your existing documentation, begin preparing any updates needed, and coordinate your transition audit scheduling early to ensure availability before the June 2028 deadline.