ISO 27701:2025 Transition Guide
ISO/IEC 27701 was republished in October 2025 as a standalone certifiable standard — and every certificate issued against the 2019 edition must transition by 31 October 2028. Here is what changed, what it means for your organisation, and how to plan the move.
The 2025 Edition Is a Different Kind of Standard
The second edition cancels and replaces ISO/IEC 27701:2019, which was an extension you could only certify on top of ISO/IEC 27001. The 2025 edition has been redrafted as a stand-alone management system standard.
Standalone certification
ISO/IEC 27001 is no longer required as a foundation. Your Privacy Information Management System (PIMS) can now be certified on its own — or integrated with an existing ISMS if you have one.
Its own requirements, clauses 4–10
The 2025 edition carries a complete set of management-system requirements in the ISO harmonised structure — including dedicated privacy risk assessment and privacy risk treatment requirements.
Restructured annexes
Annex A is now one normative control set covering both PII controllers and PII processors. Annex B provides implementation guidance for those controls. Mappings to ISO/IEC 29100, the GDPR and ISO/IEC 27018/29151 follow in Annexes C–E.
At a Glance: What Moved Where
| Aspect | 2019 edition | 2025 edition |
|---|---|---|
| Nature | Extension to ISO/IEC 27001 and ISO/IEC 27002 | Stand-alone management system standard |
| ISO 27001 required? | Yes — mandatory foundation | No — optional; full compatibility retained for integrated certification |
| Requirements | PIMS-specific additions to ISMS clauses | Complete own clauses 4–10 (harmonised structure), incl. privacy risk assessment & treatment |
| Controls | Annex A = PII controllers · Annex B = PII processors | Annex A = one control set for controllers and processors · Annex B = implementation guidance |
| Mappings | ISO/IEC 29100, GDPR, 27018, 29151 | Retained — Annex C (29100), Annex D (GDPR), Annex E (27018/29151), plus Annex F correspondence to 2019 |
| Audit time rules | Derived from ISO/IEC 27006 (ISMS) practice | Dedicated ISO/IEC 27706:2025 — role-based audit time (controller / processor / both) |
Two Situations, Two Paths
Transition before 31 October 2028
Your current certificate remains valid during the transition period. Your organisation updates its PIMS to the 2025 requirements, and the transition is then assessed — most efficiently combined with an upcoming surveillance or recertification audit. If you hold an integrated ISO 27001 + 27701 certification, it stays integrated; the two standards remain fully compatible.
Certify standalone — no ISO 27001 needed
For the first time, organisations whose priority is privacy can achieve accredited PIMS certification without first building an ISMS. If you already hold ISO 27001, an integrated audit of both standards remains the most efficient route and typically reduces combined audit time.
Six Steps to ISO 27701:2025
A practical sequence your organisation can follow — and where Cianaa, as independent auditors for certification, fits in.
Map with Annex F
Use the 2025 edition’s correspondence table to see where every 2019 requirement and control now sits — your existing PIMS work carries across.
Review the gaps
Identify what is new or changed for your organisation: the clause 4–10 requirements, privacy risk assessment and treatment, and the restructured Annex A controls.
Update your PIMS
Revise policies, procedures, the privacy risk assessment and your Statement of Applicability to reference the 2025 requirements and control set.
Run your internal cycle
Complete an internal audit and management review against the 2025 edition so there is objective evidence the updated PIMS is operating.
Transition assessment
We assess your PIMS against ISO/IEC 27701:2025 — usually combined with your scheduled surveillance or recertification audit to minimise cost and disruption.
Certificate reissued
On a successful assessment your certificate is reissued against ISO/IEC 27701:2025 — well ahead of the 31 October 2028 deadline.
How Long Will the Audit Take?
Audit duration for ISO 27701:2025 is set by ISO/IEC 27706:2025 and depends on your PII role (controller, processor or both) and the number of people who handle or access PII. Our free calculator uses the official Table A.1 figures.
Estimate your audit duration →Ready to Plan Your Transition?
Cianaa provides independent auditors for certification across New Zealand and Australia. We assess and certify — impartially, without consulting — and we can schedule your ISO 27701:2025 transition alongside your existing audit programme.
Book a Scoping Call →