ISO/IEC 27701:2025 — Privacy Takes Center Stage

Al Mahdi Mifdal

Sr. Director Global Assurance | Head of ISO Accreditation, Coalfire

October 14, 2025

ISO/IEC 27701:2025 is the 2nd edition of the standard for Privacy Information Management Systems (PIMS). It replaces ISO/IEC 27701:2019. The standard is now officially published as of October 14, 2025.

The wait is over. The new ISO/IEC 27701:2025 is here and it’s redefining how organizations build trust, accountability, and resilience in the age of data-driven business.

The new International Standard, "Information security, cybersecurity and privacy protection - Privacy information management systems - Requirements and guidance", was officially published today.

Unlike the 2019 version, which was just an extension of ISO 27001, the 2025 edition stands on its own as a full Privacy Information Management System (PIMS) standard.

💡 Why it matters:
Privacy is no longer a subset of security; it’s a strategic discipline that drives trust, compliance, and market advantage.

🔐 For CISOs and Security Leaders:
The new standard aligns seamlessly with ISO/IEC 27001:2022, introducing updated controls for AI, cloud environments, and cross-border data flows. Privacy risk management now sits beside security risk management, not beneath it.

🧭 For Compliance & Privacy Managers:
Expect stronger governance, defined privacy roles, measurable KPIs, and ongoing performance monitoring. It’s privacy accountability you can audit, prove, and continuously improve.

🏢 For Executives:
ISO/IEC 27701:2025 isn’t just about compliance; it’s about trust as a business enabler. A standalone PIMS can strengthen your brand, accelerate deals, and demonstrate responsible data stewardship across markets.

Organizations certified to ISO 27701:2019 will have a transition window, but leaders should begin aligning governance frameworks now.

🚀 Key Updates:

  1. The standard has its own management system clauses (4–10) so that PIMS can be implemented independently.
  2. The risk management orientation is more explicit, with enriched requirements around privacy risk management and treatment, including newer threat vectors (e.g., AI, automated processing, third parties).
  3. Annex A lists control objectives for both personally identifiable information (PII) controllers and processors, in addition to a set of controls with security considerations for both.
  4. Annex B provides implementation guidance (“best practices”) for PII controllers and PII processors.

Bottom line:
ISO/IEC 27701:2025 elevates privacy from a checkbox to a competitive advantage, helping organizations turn responsible data management into long-term trust and resilience.

Since initial ISO/IEC 27001 accreditation with ANSI National Accreditation Board (ANAB), we have expanded our scope of accredited audit services to ISO 9001, ISO 22301, ISO/IEC 20000-1, ISO/IEC 27701 and ISO/IEC 42001. Coalfire Certification issued the world’s first ISO 27701 certification in August 2019 and, in March 2020, was part of the first group of certification bodies in the world to be accredited for the auditing of PIMS scopes. Coalfire Certification continues to be the leader in the Global Assurance space with the most recent ISO/IEC 42001:2023 Artificial Intelligence Management System (AIMS) Standard, accounting for an important and increasing number of customers who choose and trust us as their AIMS certification body.

Coalfire Certification’s next step is to align its existing accreditation scheme with the requirements defined in the newly published International Standard ISO/IEC 27706:2025, "Information security, cybersecurity and privacy protection - Requirements for bodies providing audit and certification of privacy information management systems". The transition implementation will not only ensure we continue to deliver high-quality, reliable stand-alone audits of ISO/IEC 27701 but will also help promote the credibility and consistency of PIMS certification and, most importantly, its capability to continue its evolution and global recognition.