ISO IEC 27701-2025 PDF
Name in English:
St ISO IEC 27701-2025
Name in Russian:
Ст ISO IEC 27701-2025
Original standard ISO/IEC 27701:2025, full version in PDF. Additional information and a preview are available on request.
Full title and description
ISO/IEC 27701:2025 — Information security, cybersecurity and privacy protection — Privacy information management systems — Requirements and guidance. This edition (Edition 2) provides requirements and guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) applicable to PII controllers, PII processors and other organisations that process personally identifiable information.
Abstract
ISO/IEC 27701:2025 updates the original 2019 privacy extension to provide a full, standalone management-system standard for privacy information management. It defines management-system clauses, privacy-specific requirements and guidance, and an annex of privacy controls mapped for controllers, processors and shared responsibilities. The 2019 edition has been withdrawn and replaced by the 2025 publication.
General information
- Status: Published.
- Publication date: October 2025 (2025-10).
- Publisher: ISO/IEC (ISO/IEC JTC 1/SC 27).
- ICS / categories: 35.030 (Information security, cybersecurity and privacy protection).
- Edition / version: Edition 2 (2025).
- Number of pages: 64 pages (Edition 2, 2025).
Scope
This standard specifies PIMS-related requirements and provides guidance to support organisations in establishing, implementing, maintaining and continually improving privacy controls and governance. It is intended for any organisation that processes personally identifiable information (PII), whether acting as a controller, a processor or both, and may be applied by organisations of all sizes and sectors. The 2025 edition reorganises the standard to function as a stand‑alone management system standard while remaining interoperable with ISO/IEC 27001 and ISO/IEC 27002.
Key topics and requirements
- Stand‑alone PIMS management‑system clauses (Clauses 4–10) that establish governance, planning, support, operation, performance evaluation and continual improvement specific to privacy.
- Consolidated annex of privacy controls and clearer delineation of controller, processor and shared controls.
- Stronger emphasis on leadership, accountability, measurable privacy performance (privacy KPIs) and documented roles and responsibilities.
- Expanded guidance on privacy risk assessments, Data Protection Impact Assessments (DPIAs), retention and deletion, vendor/processor oversight, and contractual expectations.
- Updated coverage for modern processing contexts such as cloud services, AI/ML-related processing, IoT and certain high-risk data types (e.g., health and biometric data).
- Alignment and mapping options with ISO/IEC 27001 and ISO/IEC 27002 controls to support integrated implementation or independent certification.
Typical use and users
Organisations that collect, hold or process personal data (public, private and not‑for‑profit) will use this standard to design a privacy management system or to demonstrate accountability to regulators, customers and partners. Typical users include privacy and data protection officers, information security managers, compliance teams, internal and external auditors, certification bodies, and organisations preparing for or maintaining certification to ISO/IEC 27701. Certification and audit requirements for bodies assessing PIMS implementations are addressed in companion guidance/standards for certification bodies.
Related standards
ISO/IEC 27701:2025 is commonly used alongside, or referenced together with: ISO/IEC 27001 (Information security management systems) and ISO/IEC 27002 (security controls), both updated in 2022 and aligned with the harmonized structure; standards and guidance for certification bodies and auditors of PIMS (e.g., ISO/IEC 27706:2025 and relevant accreditation documents); and applicable national and regional data protection regulations (for example GDPR, CCPA) together with sectoral privacy guidance.
Keywords
Privacy Information Management System (PIMS), personal data, PII, controller, processor, privacy controls, DPIA, privacy risk assessment, data protection, certification, ISO/IEC 27701, privacy governance, KPIs.
FAQ
Q: What is this standard?
A: ISO/IEC 27701:2025 is an international standard that specifies requirements and guidance for establishing and operating a Privacy Information Management System (PIMS). It replaces the 2019 extension and is published as a standalone management‑system standard.
Q: What does it cover?
A: It covers governance and management‑system requirements for privacy, a consolidated set of privacy controls for controllers/processors, guidance on privacy risk management, DPIAs, vendor oversight, performance measurement and continual improvement, with applicability across industries and organisation sizes.
Q: Who typically uses it?
A: Privacy officers, security and compliance teams, auditors, certification bodies and any organisation that processes PII and wants a formal, auditable privacy management system or proof of accountable privacy practices.
Q: Is it current or superseded?
A: ISO/IEC 27701:2025 is the current published edition (October 2025). It supersedes and replaces ISO/IEC 27701:2019, which has been withdrawn. Organisations certified to the 2019 edition should follow transition guidance from their certification/accreditation bodies.
Q: Is it part of a series?
A: Yes — it belongs to the family of information security and privacy management standards maintained by ISO/IEC JTC 1/SC 27 and is designed to align with ISO/IEC 27001 and ISO/IEC 27002; companion and supporting documents (including certification requirements for bodies) have been published to support PIMS auditing and accreditation.
Q: What are the key keywords?
A: PIMS, personal data, privacy controls, DPIA, controller, processor, privacy governance, ISO/IEC 27701:2025, certification, privacy KPIs.