Prepare for ISO/IEC 27701:2025 and Its Updated Privacy Management Requirements

With the release of ISO/IEC 27701:2025, the international standard for Privacy Information Management Systems (PIMS) has been updated to address emerging technologies, evolving regulatory requirements such as the EU AI Act, and the modern threat landscape.

Organizations currently certified under the 2019 version—or those looking to establish a gold standard for data privacy—should begin planning their transition.

The 2025 update to ISO/IEC 27701 marks a significant evolution, shifting the standard from a bolt-on to ISO/IEC 27001 to a primary governance framework in its own right. While the core privacy requirements for controllers and processors remain familiar, the structure of the standard and the way organizations apply it have changed substantially.

5 Most Critical Changes in ISO/IEC 27701:2025

  1. Shift to a standalone standard
  2. Full harmonized structure (Annex SL)
  3. Restructured and focused controls
  4. Integration of modern technology risks
  5. Climate change integration

1. Shift to a Standalone Standard

The most fundamental change is that ISO/IEC 27701:2025 is no longer an extension to ISO/IEC 27001.

  • Previous (2019). You could only be certified for ISO/IEC 27701 if you already held a valid ISO/IEC 27001 (ISMS) certificate.
  • New (2025). ISO/IEC 27701 is now a standalone PIMS. Organizations can implement and certify it independently. This lowers the barrier for privacy-focused organizations using security frameworks other than ISO/IEC 27001, such as SOC 2® or NIST.

2. Full Harmonized Structure (Annex SL)

The standard now adopts the High-Level Structure (Clauses 4–10) used by other ISO management system standards.

  • Context and leadership. Clauses 4 (Context) and 5 (Leadership) are now self-contained. Management must demonstrate commitment specifically to privacy objectives, distinct from general information security requirements.
  • Performance evaluation. Clause 9 requires explicit privacy-related KPIs and monitoring to ensure the PIMS is measurable and not just a policy-based system.

3. Restructured and Focused Controls

The standard has been reorganized to align with the ISO/IEC 27001:2022 control set while stripping away redundant security requirements.

  • Reduced security overlap. The 2025 version removes 52 security controls not related to privacy. The standard now focuses on 29 information security controls with a direct impact on personally identifiable information (PII).
  • Consolidated Annex A. Controller and processor requirements, formerly in separate annexes, are now consolidated into a more systematic Annex A with 31 controls for Controllers and 18 for Processors.
  • Normative guidance (Annex B). The implementation guidance in Annex B is now considered normative in some contexts, meaning auditors will look more closely at whether organizations are following the specific recommendations for implementation.

4. Integration of Modern Technology Risks

The 2025 revision addresses today’s digital landscape:

  • AI. New guidance for managing privacy risks associated with AI-driven profiling, automated decision-making, and algorithmic transparency. The standard aligns with ISO/IEC 42001 (AI Management System).
  • Cloud and supply chain. Enhanced requirements for shared responsibility models in cloud environments and stricter oversight of sub-processors in complex digital supply chains.
  • Data sovereignty. Detailed focus on cross-border data transfer risk assessments, moving beyond simple checklists to living, documented processes.

5. Climate Change Integration

In line with recent ISO-wide mandates, climate change has been added to Clause 4.1. Organizations must now determine whether climate-related risks, such as physical threats to data centers or transition risks affecting service providers, are relevant to their PIMS.

5 Steps of a Structured Migration Path

Organizations transitioning from the 2019 version should take a structured approach aligned with the ISO/IEC 27001:2022 control set. The transition involves more than updating terminology; it requires adopting a more integrated and risk-based privacy framework.

1. Update the Statement of Applicability (SoA)

Given the adoption of the restructured 2022 controls, the SoA must be rewritten to map to the updated requirements. This is the most critical technical step.

2. Conduct a gap analysis

Evaluate your current PIMS against the new standalone standard.

  • Confirm your privacy objectives remain relevant under the 2025 structure.
  • Identify missing documentation related to AI-related processing or data sovereignty—two major areas emphasized in the update.

3. Re-evaluate risk assessments

The 2025 version adopts a more dynamic approach to risk.

  • Review Privacy Impact Assessments (PIAs). Ensure PIAs reflect risks related to automated decision-making and cross-border transfers.
  • Update context. Add climate-related factors and technological shifts to Clause 4.1 to meet the revised ISO requirements.

4. Adjust KPIs

Monitoring and measurement processes must align with the updated structure.

  • Audit programs. Update internal audit checklists to reflect the four new themes: Organizational, People, Physical, and Technological.
  • Metrics. Define privacy-specific KPIs focused on the effectiveness of the 29 privacy-related security controls.

5. Training and communication

The transition requires a shift in mindset toward integrated privacy management.

  • Stakeholder briefings. Inform the board and C-suite that ISO/IEC 27701 is now a standalone standard, which may affect budgeting and resource allocation.
  • DPO and IT alignment. Ensure alignment between the data protection officer and the CISO to avoid siloed compliance efforts under the new structure.

We’re Here to Help

For guidance conducting a gap assessment or transitioning to the ISO/IEC 27701:2025 standard, contact your Baker Tilly Certifications professional.