The new PIMS (privacy information management system) standard ISO/IEC 27701:2025 was published in October 2025, superseding ISO/IEC 27701:2019.

Where the 2019 iteration of the Standard was an extension to ISO 27001, the 2025 iteration is now a standalone standard, which means you no longer need to implement it alongside ISO 27001.

This lowers the entry barrier for organisations that want auditable privacy governance, but don’t want or need to start with an ISO 27001-compliant ISMS (information security management system).

It also gives ISO 27001-certified organisations a clearer route to integrating privacy governance into their management systems without running two disconnected programmes.

Below, we explain what ISO 27701:2025 is, what’s changed and what the Standard means for organisations working to meet their data privacy obligations under laws such as the GDPR (General Data Protection Regulation) or DPA (Data Protection Act) 2018.

 

What’s changed in ISO/IEC 27701:2025

ISO 27701 is now a standalone standard

ISO 27701 can now be implemented without an ISO 27001-compliant ISMS and can be audited independently. This makes it much easier for organisations that are driven primarily by the need for strong privacy practices but have a limited need or capacity for an ISMS.

Structure is simpler to integrate with other ISO management systems

ISO 27701 follows ISO’s standard management system structure. This supports a familiar implementation path and integration with other ISO management systems. In practice, this helps you avoid duplicating work by ensuring privacy management is part of your governance activities.


Mapping to the GDPR and related frameworks

ISO 27701:2025 includes annexes mapping it to the GDPR, and to ISO 29100, ISO 27018 and ISO 29151, as well as an annex showing how the new standard corresponds to the 2019 iteration, to help organisations migrate their practices.

 

What this means for businesses

Easier adoption without ISO 27001

ISO 27701:2025 removes a common blocker. Under the 2019 version, PIMS implementation was something you did alongside – or after – an ISO 27001-compliant ISMS. This made it harder for privacy-led organisations to justify using the Standard.

However, with the 2025 version, you can build a certifiable management system focused on personal data processing without having to implement extra information security measures – you can add ISO 27001 later if your risk profile or customer expectations change.

This is particularly relevant for organisations that are primarily data processors, including SaaS (software as a service) providers and outsourced service partners. These organisations often need to demonstrate privacy assurance quickly, because their customers must justify supplier selection.

 

Continued suitability for organisations that already have an ISMS

Although it can be implemented on its own, ISO 27701:2025 doesn’t reduce the value of integrating with ISO 27001.

An ISMS already gives you a working management cycle. It typically includes:

  • Governance and leadership oversight.
  • A risk methodology and risk treatment approach.
  • Document control.
  • Internal audit and management review.
  • Corrective action and continual improvement.

A PIMS adds privacy-specific governance and operational controls. The best outcome is usually a single operating rhythm that covers both security and privacy, with clear ownership and evidence.

 

Auditable evidence of accountability

Most privacy laws, including the GDPR, require data controllers and processors to implement appropriate organisational measures to protect personal data and to be able to demonstrate accountability.

A well-run PIMS turns privacy governance into a managed system rather than a series of isolated tasks, producing evidence as part of routine operations, including:

  • Defined scope and processing boundaries.
  • Clear controller and processor responsibilities.
  • Risk assessment decisions tied to processing activities.
  • Procedures that support data subject rights.
  • Supplier and processor oversight records.
  • Monitoring results, audit findings, and corrective actions.

 

The global relevance of ISO 27701

Many organisations operate across multiple privacy regimes, even if they have one main market. Customers also impose privacy requirements through contracts, procurement and audit programmes. Keeping up to date with multiple regimes’ requirements can be onerous.

ISO 27701 standardises the management approach, supporting consistent governance, control operation and evidence, even when legal requirements differ across jurisdictions.

This supports compliance with:

  • The UK GDPR and DPA 2018.
  • The EU GDPR.
  • US state privacy laws, including CCPA (California Consumer Privacy Act) and CPRA (California Privacy Rights Act).
  • Other emerging privacy regimes that follow similar accountability expectations.

 

Ready to implement an ISO 27701-compliant PIMS?

Start with a structured review against ISO/IEC 27701:2025

Begin by comparing your current privacy governance to the Standard’s management system requirements. Focus first on what drives audit readiness and operational control:

  • Scope and context
    Define what processing is in scope, where the data flows, and which suppliers and cloud services are involved.
  • Leadership and accountability
    Assign clear roles for privacy risk, rights handling, processor management, and privacy incident response.
  • Privacy risk management
    Use a consistent, repeatable method that links risk decisions to processing activities and controls.
  • Operational processes
    Ensure the basics work and leave evidence, including rights requests, retention, deletion, incident handling and third-party oversight.
  • Performance and improvement
    Build internal audit, management review and corrective action into normal work.

 

If you previously used ISO/IEC 27701:2019

If you built a PIMS using ISO/IEC 27701:2019, it would have been assessed as part of an ISO 27001 certification audit programme. Your transition work should be treated as a structured update, not a simple document refresh.

A practical approach usually includes:

  • Mapping existing PIMS documentation and evidence to the 2025 structure.
  • Re-checking controller and processor responsibilities across your processing activities.
  • Updating internal audit checklists and sampling plans.
  • Running an internal audit against the new Standard before a certification audit.

 

Engage specialists where you need pace or assurance

ISO 27701 is a management system standard. Implementation work often stalls when organisations treat it as a policy project. Specialist support can help with scope decisions, control design, evidence planning and audit preparation.

 

How GRC Solutions can help you

If you want to understand what ISO/IEC 27701:2025 means for your organisation, we can help you plan a practical implementation or transition. We can also advise on integrating privacy governance with an existing ISO 27001 ISMS. Talk to one of our experts today to see how we can help you.