The next version of ISO 27701 is in its final development stages and expected to publish in early 2025. For privacy professionals and organisations currently implementing or maintaining a PIMS, this is not a distant abstraction. The changes being made to the standard are substantive — particularly one change that will fundamentally alter who can pursue ISO 27701 certification and how.

This post summarises what is confirmed, what can be reasonably anticipated, and what you should be doing now to prepare — whether you are already certified, mid-implementation, or yet to begin.

The Change That Changes Everything: A Standalone Standard

The most significant structural change in ISO 27701:2025 is that it will no longer be an extension of ISO 27001 and ISO 27002. It is being rewritten as a standalone standard — one that can be implemented and certified independently, without requiring an underlying ISO 27001 ISMS.

This is a major shift from the 2019 version, which was explicitly structured as an extension and required ISO 27001 certification as a prerequisite.

What does this mean in practice? Organisations that have privacy management as a primary concern — data processors, professional services firms, healthcare organisations, public sector bodies — will no longer need to implement a full information security management system before pursuing PIMS certification. Privacy certification becomes a standalone achievement, accessible to organisations whose primary regulatory driver is data protection rather than information security.

This will substantially expand the pool of organisations for whom ISO 27701 is a realistic and relevant certification target. It removes the most common objection we hear from organisations exploring PIMS certification: “We’re not ready for ISO 27001.”

What Else Is Changing

Beyond the standalone structure, ISO 27701:2025 is expected to bring several other significant updates:

Updated control structure. The standard is being restructured to align with ISO 27001:2022 and ISO 27002:2022, which means the control numbering, language, and themes will be updated. The new version is expected to include approximately 31 privacy controls for PII Controllers, 18 for PII Processors, and 29 information security controls — with enhanced implementation guidance for each.

Expanded AI and digital ecosystem guidance. ISO 27701:2025 is expected to include enhanced guidance for managing personal data in AI systems and complex digital supply chains — reflecting the reality that personal data increasingly flows through automated decision-making systems and multi-party processing arrangements that the 2019 version did not fully address.

New clause structure. The standard will introduce a restructured clause framework (Clauses 4.1–10.2) aligned with the Annex SL high-level structure used by ISO 27001, ISO 42001, and other management system standards. This makes ISO 27701:2025 more compatible with integrated management system approaches — organisations running ISO 27001, ISO 27701, and ISO 42001 together will benefit from a more coherent shared framework.

Transition deadline: October 2028. ISO is expected to provide a three-year transition window following publication — meaning organisations currently certified under ISO 27701:2019 will have until approximately October 2028 to transition to the new version. This gives organisations meaningful time to plan, but the clock starts when the standard publishes.

What This Means for Organisations Currently Certified Under ISO 27701:2019

If you hold ISO 27701:2019 certification, your certificate remains valid through the transition period. You do not need to act immediately. But there are three things you should be planning now:

Understand the gap. When ISO 27701:2025 publishes, conduct a gap analysis comparing your current PIMS against the new control structure. The updated controls, new guidance on AI processing, and restructured clause framework will require documentation updates, risk assessment reviews, and potentially new or modified controls — particularly if your organisation processes personal data through AI systems or complex supplier chains.

Consider the standalone opportunity. If your organisation only holds ISO 27701 because of its relationship with ISO 27001, the new standalone structure may change your certification approach. If you were considering dropping ISO 27001 maintenance while retaining PIMS certification, the 2025 version will make this viable in a way the 2019 version did not.

Plan your transition audit timing. With a 2028 transition deadline, you have time — but certification body audit capacity will tighten as the deadline approaches. Planning your transition audit for 2026 or 2027 gives you the best combination of preparation time and audit availability.

What This Means for Organisations Planning to Certify for the First Time

If you have been considering ISO 27701 but were deterred by the ISO 27001 prerequisite, the publication of ISO 27701:2025 changes the calculus significantly. You will be able to certify your PIMS without a parallel information security certification — which removes the most common barrier to entry.

Our recommendation: begin your PIMS implementation now, against the 2019 standard, with your control design informed by the anticipated 2025 changes. An implementation that reflects where the standard is going will require less rework at transition than one designed purely for the 2019 version. The foundations — data flow mapping, privacy risk assessment, data subject rights procedures, consent management — are the same in both versions.

At Bitsecura, we are tracking the ISO 27701:2025 development closely. Our implementations are already designed with the anticipated 2025 structure in mind — so that organisations certifying now under the 2019 standard are not building something they will need to significantly redesign in 2025. If you want to understand what the new version means for your specific situation, we are happy to walk through it.

Get in touch here — no obligation, no commitment, just a straightforward conversation about where ISO 27701:2025 leaves you.


Bitsecura provides ISO 27701 PIMS implementation, internal audit, and privacy gap assessment services. Learn more about our ISO 27701 services.