Guide · ISO/IEC 27701:2025

ISO 27701:2025 Transition Guide

ISO/IEC 27701 was republished in October 2025 as a standalone certifiable standard — and every certificate issued against the 2019 edition must transition by 31 October 2028. Here is what changed, what it means for your organisation, and how to plan the move.

October 2025
ISO/IEC 27701:2025 published (2nd edition)
2026 – 2027
Certification bodies transition their accreditation
31 October 2028
Deadline: all 2019-edition certificates must transition
What changed

The 2025 Edition Is a Different Kind of Standard

The second edition cancels and replaces ISO/IEC 27701:2019, which was an extension you could only certify on top of ISO/IEC 27001. The 2025 edition has been redrafted as a stand-alone management system standard.

Standalone certification

ISO/IEC 27001 is no longer required as a foundation. Your Privacy Information Management System (PIMS) can now be certified on its own — or integrated with an existing ISMS if you have one.

Its own requirements, clauses 4–10

The 2025 edition carries a complete set of management-system requirements in the ISO harmonised structure — including dedicated privacy risk assessment and privacy risk treatment requirements.

Restructured annexes

Annex A is now one normative control set covering both PII controllers and PII processors. Annex B provides implementation guidance for those controls. Mappings to ISO/IEC 29100, the GDPR and ISO/IEC 27018/29151 follow in Annexes C–E.

Helpful detail: Annex F of the 2025 edition contains a clause-by-clause correspondence table back to ISO/IEC 27701:2019 — it is the fastest way to see exactly where each of your existing PIMS elements now lives.
2019 vs 2025

At a Glance: What Moved Where

ISO/IEC 27701 — 2019 edition vs 2025 edition
Aspect2019 edition2025 edition
NatureExtension to ISO/IEC 27001 and ISO/IEC 27002Stand-alone management system standard
ISO 27001 required?Yes — mandatory foundationNo — optional; full compatibility retained for integrated certification
RequirementsPIMS-specific additions to ISMS clausesComplete own clauses 4–10 (harmonised structure), incl. privacy risk assessment & treatment
ControlsAnnex A = PII controllers · Annex B = PII processorsAnnex A = one control set for controllers and processors · Annex B = implementation guidance
MappingsISO/IEC 29100, GDPR, 27018, 29151Retained — Annex C (29100), Annex D (GDPR), Annex E (27018/29151), plus Annex F correspondence to 2019
Audit time rulesDerived from ISO/IEC 27006 (ISMS) practiceDedicated ISO/IEC 27706:2025 — role-based audit time (controller / processor / both)
What it means for you

Two Situations, Two Paths

Already certified to 27701:2019

Transition before 31 October 2028

Your current certificate remains valid during the transition period. Your organisation updates its PIMS to the 2025 requirements, and the transition is then assessed — most efficiently combined with an upcoming surveillance or recertification audit. If you hold an integrated ISO 27001 + 27701 certification, it stays integrated; the two standards remain fully compatible.

New to ISO 27701

Certify standalone — no ISO 27001 needed

For the first time, organisations whose priority is privacy can achieve accredited PIMS certification without first building an ISMS. If you already hold ISO 27001, an integrated audit of both standards remains the most efficient route and typically reduces combined audit time.

Transition plan

Six Steps to ISO 27701:2025

A practical sequence your organisation can follow — and where Cianaa, as independent auditors for certification, fits in.

Step 1

Map with Annex F

Use the 2025 edition’s correspondence table to see where every 2019 requirement and control now sits — your existing PIMS work carries across.

Step 2

Review the gaps

Identify what is new or changed for your organisation: the clause 4–10 requirements, privacy risk assessment and treatment, and the restructured Annex A controls.

Step 3

Update your PIMS

Revise policies, procedures, the privacy risk assessment and your Statement of Applicability to reference the 2025 requirements and control set.

Step 4

Run your internal cycle

Complete an internal audit and management review against the 2025 edition so there is objective evidence the updated PIMS is operating.

Step 5

Transition assessment

We assess your PIMS against ISO/IEC 27701:2025 — usually combined with your scheduled surveillance or recertification audit to minimise cost and disruption.

Step 6

Certificate reissued

On a successful assessment your certificate is reissued against ISO/IEC 27701:2025 — well ahead of the 31 October 2028 deadline.

Plan your audit time

How Long Will the Audit Take?

Audit duration for ISO 27701:2025 is set by ISO/IEC 27706:2025 and depends on your PII role (controller, processor or both) and the number of people who handle or access PII. Our free calculator uses the official Table A.1 figures.

Estimate your audit duration →

Ready to Plan Your Transition?

Cianaa provides independent auditors for certification across New Zealand and Australia. We assess and certify — impartially, without consulting — and we can schedule your ISO 27701:2025 transition alongside your existing audit programme.

Book a Scoping Call →
FAQ

ISO 27701:2025 Transition — Common Questions

When is the ISO 27701 transition deadline?
Certificates issued against ISO/IEC 27701:2019 must transition to the 2025 edition by 31 October 2028 — three years from publication of the new edition. Certification bodies complete their own accreditation transitions during 2026–2027, so transition audits are available now.
Is my ISO 27701:2019 certificate still valid?
Yes. 2019-edition certificates remain valid during the transition period. After 31 October 2028, certificates against the 2019 edition expire — plan your transition assessment well before then, ideally at a scheduled surveillance or recertification audit.
Do we still need ISO 27001 to get ISO 27701 certified?
No. Since the 2025 edition, ISO/IEC 27701 is a standalone standard — ISO 27001 is no longer a prerequisite. Organisations that do hold ISO 27001 can continue with an integrated audit of both standards, which is usually the most efficient option.
Can the transition be done during a surveillance audit?
Yes — that is the most common and cost-effective route. The transition assessment is combined with your scheduled surveillance or recertification audit. It can also be arranged as a separate assessment if your timeline requires it.
How much audit time should we budget?
Audit time is determined under ISO/IEC 27706:2025 and depends on your PII role (controller, processor or both) and how many people handle or access PII. Use our audit duration calculator for an indicative figure, then request a formal quote.
What are the biggest changes we need to address?
For most organisations: adopting the 2025 edition’s own clause 4–10 requirements (including privacy risk assessment and treatment), updating the Statement of Applicability to the restructured Annex A control set (one set covering controllers and processors), and refreshing document references from 27701:2019 to 27701:2025. Annex F’s correspondence table makes the mapping straightforward.