ISO/IEC 27701:2025 – What You Need to Know About the Updated Privacy Standard

A New Chapter for Privacy Management 

The world of data privacy doesn’t stand still, and neither do the standards that help organisations protect personal information.

On 14th October 2025, ISO and the IEC released ISO/IEC 27701:2025, the latest version of the global Privacy Information Management System (PIMS) standard. 

This update is a major step forward. For the first time, ISO/IEC 27701 is a standalone standard, no longer just an extension of ISO/IEC 27001. That means organisations can now achieve privacy certification in their own right, without first certifying to ISO/IEC 27001.

 

Why the Update Matters 

When ISO/IEC 27701 was first published in 2019, it helped bridge information security and privacy management, supporting compliance with the GDPR and other data protection laws. 

But in the years since, the world has changed dramatically, from the rise of AI and machine-learning technologies to evolving cross-border data regulations and cloud-based processing. 

The 2025 edition reflects this new reality. It’s designed to help organisations build trust and accountability into every aspect of how they manage personal data. 

ISO/IEC 27701:2025 empowers organisations to manage privacy risks confidently – whether they’re a small tech start-up or a global enterprise. 
Victoria Kliche, Product Scheme Manager, British Assessment Bureau.

 

What’s New in ISO/IEC 27701:2025

1. A standalone framework for privacy

Organisations can now implement and certify a full Privacy Information Management System (PIMS) without needing ISO/IEC 27001 certification first. 

Of course, the two standards remain compatible for those who want an integrated approach to security and privacy.

2. A modern approach to privacy risk

The new version directly addresses emerging challenges like: 

  • AI-driven data processing 
  • Cross-border data transfers 
  • Cloud and SaaS environments 
  • Third-party data processors 

3. Stronger governance and leadership

Privacy is now clearly linked to corporate governance. 

Leaders must set privacy objectives, track performance (KPIs), and embed privacy risk management into wider business strategy. 

4. Updated structure and controls

Controls have been reorganised and simplified: 

  • Annex A: Controls for PII Controllers 
  • Annex B: Guidance for Controllers and Processors 
  • Annex C: Aligned security controls (ISO/IEC 27001:2022) 

 

A New Accreditation Framework 

Alongside the standard, ISO also released ISO/IEC 27706:2025 – the accreditation framework for certification bodies like British Assessment Bureau. It defines the competence and conformity requirements we must meet to assess Privacy Information Management Systems (PIMS). 

In practice, this means: 

  • Updating audit frameworks and methodologies 
  • Ensuring auditors have enhanced privacy-specific expertise 
  • Aligning systems and documentation with the 2025 requirements 

 

What This Means for Certified Organisations 

If your organisation is already certified to ISO/IEC 27701:2019, don’t worry – your certification remains valid for now. A formal transition period (expected to last 2–3 years) will allow you to move to the 2025 standard once accreditation guidance is released. 

Here are some steps you can take now: 

  • Carry out a gap analysis between 2019 and 2025 requirements 
  • Review privacy roles and responsibilities 
  • Update your supplier and processor contracts 
  • Start engaging with your certification body to plan your transition 

 

How British Assessment Bureau is Preparing 

At British Assessment Bureau, we’re already taking steps to align with ISO/IEC 27701:2025. Our audit and training programmes are being updated to reflect the new requirements, and enhancements are being made to our systems to support the revised framework. 

 

Looking Ahead 

ISO/IEC 27701:2025 isn’t just a technical update; it’s an opportunity for organisations to take a proactive, transparent approach to data privacy.

As technology evolves, so too must our commitment to protecting personal information. At British Assessment Bureau, we’ll continue to help our clients stay compliant, stay trusted, and stay ahead in the ever-changing privacy landscape. 
