
New ISO/IEC 27701:2025 – Privacy information management systems – Requirements and guidelines

In October 2025 the second edition of ISO/IEC 27701, Information security, cybersecurity and privacy protection – Privacy information management systems – Requirements and guidance, was published.

The major change is that the new edition has been revised as a standalone management system standard. The first edition (ISO/IEC 27701:2019) was written as an extension to ISO/IEC 27001 and ISO/IEC 27002 and could only be implemented on top of an existing information security management system; the 2025 edition contains its own complete set of management system requirements.

The standard sets out the requirements for establishing, implementing, maintaining and continually improving a privacy information management system (PIMS). It contains a set of controls for PII controllers and PII processors, i.e. organisations that have responsibility for the processing of personally identifiable information (PII). The document also provides guidance to support organisations in putting these requirements into practice.

Why is ISO/IEC 27701 important?

Personal data is among the most valuable and most sensitive assets that organisations handle today. Given the growing expectations of individuals, regulators and business partners, it is not enough to state that you care about privacy; you must also be able to prove it. ISO/IEC 27701 provides a structured, internationally recognised framework that helps organisations demonstrate accountability, manage the risks associated with PII and continually improve their privacy practices.

Structure of the standard

As mentioned above, the new ISO/IEC 27701 has been revised as a standalone management system standard. Like other management system standards, it follows the harmonised structure, with the normative requirements in Clauses 4 to 10:

  • Context of the organisation (Clause 4): understanding the external and internal issues, including applicable data protection legislation, and the needs and expectations of interested parties.
  • Leadership (Clause 5): requirements for top management, the privacy policy, and the assignment of roles, responsibilities and authorities.
  • Planning (Clause 6): assessment and treatment of privacy risks. The organisation must determine and document all controls necessary to implement the risk treatment plan and compare them with the controls listed in Annex A, to verify that no necessary control has been overlooked. The clause also sets requirements for privacy objectives and for planning changes to the PIMS.
  • Support, operation, performance evaluation and improvement (Clauses 7, 8, 9 and 10): the standard management system elements such as competence, communication, documented information, monitoring and measurement, internal audit, management review, and nonconformity and corrective action.

Annex A of the standard sets out the reference controls, grouped according to whether they apply to PII controllers, to PII processors, or to both.

Integration and compatibility with ISO/IEC 27001

The standard is designed so that an organisation can align and integrate its PIMS with the requirements of other management system standards, in particular with the information security management system (ISMS) specified in ISO/IEC 27001.

Specifically, Clause 6.1 requires that information security related privacy risks be identified and that an information security programme be in place covering, at a minimum:

  • information security risk management;
  • information security policies;
  • organisation of information security;
  • human resource security;
  • asset management;
  • access management;
  • operations security;
  • network security management;
  • security in development;
  • vendor management;
  • incident management;
  • information security aspects of business continuity;
  • information security review;
  • cryptography;
  • physical and environmental security.

In practice, an organisation that already operates an ISO/IEC 27001 ISMS will typically satisfy this requirement through that ISMS rather than by building a second information security programme.

GDPR integration and compatibility

Table D.1 in Annex D provides an indicative comparison between the provisions of the standard and Articles 5 to 49 of the General Data Protection Regulation (GDPR), with the exception of Article 43 (certification bodies). The table shows how the requirements and controls of the standard relate to the obligations under the GDPR. Note that the mapping is indicative only: conformity with ISO/IEC 27701 supports GDPR compliance but does not by itself constitute a certification under Article 42 of the GDPR.
