What is ISO 27701?
ISO/IEC 27701:2025 is the international standard for a PIMS (privacy information management system).
A PIMS is a best-practice framework to enable data controllers and processors to use PII (personally identifiable information) responsibly and securely, in line with data privacy laws and standards such as the GDPR (General Data Protection Regulation) and DPA (Data Protection Act 2018).
Originally created as an extension to the information security management system standard ISO 27001, ISO 27701 can now be implemented as a standalone standard or integrated into other management system standards.
What changed in ISO/IEC 27701:2025?
The 2019 iteration of ISO 27701 has now been withdrawn. Key changes introduced by the 2025 version include:
- A standalone management system standard
ISO 27701:2025 is no longer an extension to ISO 27001 and ISO 27002, so you can implement a PIMS without implementing an ISMS. This reduces the burden on organisations that want to follow data privacy best practice without having to implement a complex information security framework.
- Aligned with ISO 27001 and ISO 27002
Although ISO 27701:2025 is now a standalone standard, it is still aligned with, and uses the same terminology as, ISO 27001 and ISO 27002. If you already operate an ISMS, you can align governance, risk assessment, internal audits and continual improvement across both systems.
- New annexes and mappings
The Standard also includes updated mappings to relevant privacy and information security standards and laws, including ISO 27018 (Protection of PII in Cloud Services), ISO 29100 (Privacy Framework), ISO 29151 (Code of Practice for PII Protection) and the GDPR.
Who needs ISO 27701?
ISO 27701 is designed for organisations that act as personal data controllers and/or processors and need a structured, auditable approach to privacy governance. Its risk-based approach helps you prioritise controls based on your processing activities and privacy risks.
It is commonly used where:
- Personal data processing is central to the organisation’s services.
- The organisation works across multiple privacy regimes.
- Customers expect formal assurance for privacy controls.
Why was ISO 27701 developed?
Privacy laws set outcomes and obligations, but don’t usually provide guidance on delivering those outcomes.
For instance, the UK GDPR, the DPA 2018 and the EU GDPR all require organisations to implement and maintain appropriate controls and accountable governance to protect the personal data they process and uphold data subjects’ rights.
ISO (International Organization for Standardization) and IEC (International Electrotechnical Commission) developed ISO 27701 to provide that guidance.
ISO 27701 and ISO 27001: how they work together
ISO 27001 sets requirements for an ISMS – a risk-based approach to information security management covering organisational, people, physical and technological controls. Certification to ISO 27001 provides stakeholders with assurance that data is being secured appropriately.
ISO 27701 focuses on privacy governance for PII processing. It helps you define and manage privacy requirements for controllers and processors, including operational controls and accountability measures.
How to approach implementation:
- If you already have an ISO 27001-compliant ISMS, you can integrate ISO 27701 into the same management cycle. This reduces duplicated policies, risk assessment effort and audit activity.
- If you do not have an ISMS, you can implement ISO 27701 as a standalone PIMS. You can add ISO 27001 later if you need broader information security certification.
ISO 27002:2022 remains a useful control reference for information security controls where you run an ISMS. Your privacy controls and security controls should align where they cover the same processing risks.
ISO 27701 control and regulation mappings
ISO 27701:2025 includes a set of annexes that support implementation and assurance.
- Annex A: PIMS reference control objectives and controls for PII controllers and PII processors
- Annex B: Implementation guidance for PII controllers and PII processors
- Annex C: Mapping to ISO 29100
- Annex D: Mapping to the GDPR
- Annex E: Mapping to ISO 27018 and ISO 29151
- Annex F: Correspondence with ISO 27701:2019
These mappings can help you:
- Build an implementation plan that links privacy controls to recognised frameworks.
- Explain control coverage to auditors, customers and stakeholders.
- Identify gaps where legal requirements demand organisation-specific measures.
Demonstrate GDPR compliance with ISO 27701
ISO 27701 supports GDPR programmes by helping you formalise privacy governance. It strengthens accountability by requiring consistent controls, documented processes and continual improvement.
Where ISO 27701 can help:
- Defining privacy roles and responsibilities.
- Establishing processes to support data subject rights.
- Managing PII processing risk and privacy impact.
- Controlling processors and sub-processors through governance and assurance.
- Producing audit-ready evidence of privacy controls.
Article 42 of the GDPR discusses certification mechanisms and seals. Independently accredited certification to ISO 27701 can provide assurance to customers and regulators that your privacy management system aligns with an international standard.
ISO 27701 FAQs
Can we implement ISO 27701 without ISO 27001?
Yes. ISO/IEC 27701:2025 can be implemented as a standalone PIMS. You can also integrate it with an ISMS if you have one.
What is a PIMS?
A PIMS (privacy information management system) is a set of policies, processes and controls that governs how you manage privacy risk and PII processing. It operates as a continual improvement system, with defined scope, roles, risk assessment and internal audit.
Is ISO 27701 only for data controllers?
No. ISO 27701 includes requirements and guidance for both PII controllers and PII processors.
Does ISO 27701 make us GDPR compliant?
No. ISO 27701 supports GDPR compliance by providing a structured management system approach. You still need to interpret and meet legal requirements based on your processing activities and organisational context.
What is the difference between ISO 27701 and BS 10012?
Both standards address privacy management. ISO 27701 is an international ISO/IEC standard. BS 10012 is a British Standard with a similar purpose. The best choice depends on your assurance needs, customer expectations and certification approach. If you need help selecting the right approach, speak to an expert.