ISO/IEC 27701:2025. What’s new with the second edition of the Privacy Information Management standard?

In October 2025, ISO published the new edition of ISO/IEC 27701, the international standard for Privacy Information Management Systems (PIMS). This is the second edition of the standard, replacing the original version from 2019.
The 2025 edition introduces important updates. Organizations that have already implemented a Privacy Information Management System will need to understand these changes and their impact.
A major shift — ISO/IEC 27701 becomes a stand-alone standard
The most significant change introduced by the 2025 edition concerns the relationship between ISO/IEC 27701 and the well-known standards in its family, namely ISO/IEC 27001 and ISO/IEC 27002, which are the reference standards for an ISMS (Information Security Management System).
When ISO/IEC 27701 was first published in 2019, it was designed as an extension for privacy to ISO/IEC 27001 and ISO/IEC 27002. That meant an organization could not implement or certify its Privacy Information Management System independently — it had to already have an Information Security Management System (ISMS) based on ISO/IEC 27001, and then extend it with ISO/IEC 27701.
With the 2025 edition, this has changed. ISO/IEC 27701 is now a stand-alone standard. Organizations can now implement and certify a Privacy Information Management System independently from their Information Security Management System.
This is a major development, especially for organizations seeking certification. Previously, certification to ISO/IEC 27701 was always linked to an existing ISMS certification. Now, this linkage is no longer mandatory, which makes privacy certification more accessible to organizations that may not have an ISMS in place but still wish to demonstrate strong privacy governance.
Changes to the controls in ISO/IEC 27701
Another important update relates to the controls in the standard. ISO/IEC 27701:2025 has three categories of controls — those for PII controllers, those for PII processors, and information security controls selected from ISO/IEC 27001.
In ISO/IEC 27001:2022, there are 93 information security controls, grouped into four categories: organizational, people, physical, and technological controls. The new ISO/IEC 27701:2025 includes only 29 information security controls, taken from ISO/IEC 27001 — specifically those that have a direct or potential impact on privacy.
This makes the privacy management framework more focused, reducing overlap while maintaining a strong link with information security practices where relevant.
Management system requirements remain familiar
In terms of structure, the 2025 edition of ISO/IEC 27701 remains very similar to ISO/IEC 27001. The main body of the standard continues to follow the management system framework used across all ISO management standards.
Organizations implementing the standard must still identify their context, define the scope of their Privacy Information Management System, establish a privacy policy, set and monitor privacy objectives, assess and treat privacy risks, prepare a statement of applicability, ensure competence and awareness among personnel, monitor and evaluate performance, conduct internal audits and management reviews, address nonconformities, and pursue continual improvement.
For organizations that already have a PIMS integrated with their ISMS, updating to the new edition will require some effort — particularly in reviewing and aligning the applicable controls. Each organization can decide whether to keep its ISMS and PIMS integrated, which will likely be the easier option, or to separate them into independent systems.
The path ahead
The publication of ISO/IEC 27701:2025 marks an important milestone in the global approach to privacy governance. By allowing independent implementation and certification, ISO has recognized that privacy management is now a mature discipline that can stand on its own — while still maintaining strong ties to information security principles.
At RIGCERT, we are currently updating our ISO/IEC 27701 online course to reflect the new edition while also designing certification programmes for privacy information professionals.