Updated version of ISO/IEC 27701 standard released
Becoming a stand-alone standard, updated ISO/IEC 27701 is set to help companies improve their privacy information management.
The wait for the new version of the privacy information management system standard ISO/IEC 27701 is over. The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) announced on 14 October 2025 that the new version is approved and released.
The most significant change for this release is that ISO/IEC 27701 now becomes a stand-alone standard aimed at further strengthening privacy information management systems (PIMS) for organizations worldwide. This means that organizations can run their PIMS as a standalone, certifiable management system focused specifically on privacy risks and controls, rather than as an extension to an already established ISMS, which increases accessibility to a wider set of organisations.
It should be noted that the requirements and implementation guidance for the new edition are made up of existing elements from the previous ISO/IEC 27701:2019, ISO/IEC 27001:2022 & ISO/IEC 27002:2022 standards. The new standard is structured to integrate with other existing management systems, such as ISO 9001 (quality), ISO/IEC 27001 (information security) and ISO/IEC 42001 (artificial intelligence), making it adaptable and flexible for organizations of all shapes, sizes and complexity.
“Organisations are increasingly challenged to navigate the complexity of data protection from personal data controls to reducing the risks of breaches and ensuring compliance with evolving national and international regulations. It is therefore very welcome that ISO/IEC 27701 now becomes a standalone standard,” says Thomas Douglas, Global ICT Industry Manager in DNV.
Main changes
The new version of ISO/IEC 27701 introduces several significant enhancements designed to address the evolving landscape of data privacy and security. These include:
- Now a standalone Privacy Information Management System (PIMS) and no longer dependent on ISO/IEC 27001.
- Expanded guidance for data processors and controllers.
- Greater clarity on managing personal data within AI and digital ecosystems.
- Stronger focus on embedding privacy into broader organizational leadership and governance strategies, planning, and continual improvement.
- Aligns with global regulations like GDPR, CCPA, LGPD, and more.
While the official rules for certification and transition to the revised standard have not yet been published, organisations currently certified under the 2019 version should begin preparing for a well-structured and timely transition. Proactive planning will not only support compliance but also strengthen trust among stakeholders. Guidance on transition and certification is expected to be released in the coming weeks and accreditation bodies will consequently adopt these guidelines.