ISO/IEC 27701:2025 has been published. After years of development and months of anticipation from the privacy management community, the revised standard is live — and it represents the most significant structural change to privacy information management certification since the standard first launched in 2019.

If you hold ISO 27701:2019 certification, your certificate remains valid — but you now have a transition to plan. If you have been waiting for the right moment to pursue PIMS certification, that moment has arrived. And if you have been deterred by the ISO 27001 prerequisite that existed in the 2019 version, the new standard has removed that barrier entirely.

Here is what has changed, what it means, and what you should do next.

The Defining Change: ISO 27701:2025 Is Now Standalone

In ISO 27701:2019, organisations pursuing PIMS certification were required to already hold — or simultaneously implement — ISO 27001 certification. The 2019 standard was explicitly an extension to ISO 27001 and ISO 27002, inheriting their clause structure, risk assessment methodology, and management system infrastructure.

ISO 27701:2025 breaks that dependency. It is now a fully standalone standard — capable of being implemented and certified independently of an ISO 27001 ISMS. Organisations can pursue PIMS certification based solely on their privacy management practices, without a parallel information security certification requirement.

This is not a minor revision. It opens ISO 27701 certification to a significantly broader range of organisations — data processors whose clients require evidence of privacy controls, public sector bodies subject to data protection legislation, healthcare organisations processing sensitive personal data, and any organisation for whom privacy accountability is the primary driver rather than information security more broadly.

At the same time, the 2025 standard remains fully aligned with ISO 27001:2022 and ISO 27002:2022. Organisations that hold both certifications can still run an integrated management system with shared policies, risk assessments, and audit cycles — with the additional benefit that the updated clause structure now aligns more cleanly with ISO 42001 (AI Management Systems) as well, making a three-standard integrated programme coherent and manageable.

The Updated Control Structure

ISO 27701:2025 restructures the Annex A and B controls and provides enhanced implementation guidance throughout. The new control counts reflect the more granular guidance the 2025 version offers:

The enhanced implementation guidance is a genuine improvement for practitioners. The 2019 version’s guidance was at times sparse — leaving organisations to interpret how controls should be applied in practice. The 2025 version provides more detailed implementation notes, which reduces ambiguity and helps organisations build controls that will satisfy auditors.

New Guidance for AI and Digital Ecosystems

One of the most practically significant additions in ISO 27701:2025 is the expanded guidance for managing personal data in AI systems and complex digital supply chains. As automated decision-making and AI-driven processing have become standard across industries, the 2019 version’s silence on these areas had become an increasingly visible gap.

The 2025 version addresses this directly. Organisations using AI systems that process personal data will find specific guidance on how PIMS controls apply in that context — covering transparency requirements, human oversight of automated decisions, and the management of personal data in AI training datasets and inference pipelines.

This matters because regulators are increasingly paying attention to AI-driven processing. The EU AI Act, which entered into force in 2024, places obligations on organisations deploying AI systems that intersect with GDPR’s requirements for automated decision-making. An ISO 27701:2025-certified PIMS that explicitly addresses AI processing provides meaningful evidence of responsible data governance in this environment.

The Transition: What You Need to Know

The transition deadline for ISO 27701:2019 certificates is October 2028 — a three-year window from the 2025 publication date. Here is what that means in practice:

If you are currently certified under ISO 27701:2019: Your certificate remains valid until October 2028 or your next recertification, whichever comes first. You do not need to transition immediately. However, you should:

If you are implementing ISO 27701 for the first time: Certify against ISO 27701:2025. There is no reason to implement a standard that will require transition work within three years. The 2025 version is what auditors and clients will reference going forward.

If the ISO 27001 prerequisite was the barrier: It is gone. The 2025 standard’s standalone structure means you can now build and certify your PIMS without a parallel ISMS programme. For organisations whose primary compliance driver is privacy rather than information security, this removes the most significant obstacle to certification.

Where ISO 27701:2025 Fits in the Broader Compliance Picture

ISO 27701:2025 lands in a regulatory environment that has become substantially more demanding for privacy since the 2019 version was published. GDPR enforcement has matured — fines are larger, investigations more frequent, and the evidential standard expected by supervisory authorities higher. The EU AI Act is now in force. Contractual privacy requirements from enterprise clients have intensified as data breaches continue to generate reputational damage for organisations across the supply chain.

In this environment, ISO 27701:2025 certification provides something that self-assessment and policy documentation cannot: independent, third-party-verified evidence that your organisation has a functioning Privacy Information Management System that meets an internationally recognised standard.

Privacy is not optional. ISO 27701:2025 makes it certifiable.

At Bitsecura, we implement ISO 27701:2025 as a standalone PIMS, as an extension to ISO 27001:2022, or as part of a broader management system programme including ISO 42001. Our five-step methodology — Map, Design, Implement, Certify, Sustain — is built for the 2025 standard. Whether you are transitioning from the 2019 version or starting fresh, we will give you a clear picture of what it requires for your specific context.

If you want to understand what ISO 27701:2025 means for your organisation, start a conversation with us here. No strings, no agenda — just clarity on where you stand and what comes next.


Bitsecura provides ISO 27701 PIMS implementation, internal audit, and privacy gap assessment services. Learn more about our ISO 27701 services.