The Release of ISO/IEC 27701:2025

ISO/IEC 27701:2025 is nearly finalised.

Currently in its Final Draft stage, the updated privacy standard is expected to launch in the coming weeks. We’ve broken down what’s changing - and what it means for you.

The new 2025 version of ISO/IEC 27701 is expected to be released in the coming weeks of August. But what changes can we expect - and what should companies bear in mind?

What is ISO/IEC 27701?

ISO/IEC 27701 is a standard that is closely related to ISO/IEC 27001 and ISO/IEC 27002. It has a specific focus on Privacy of Information and establishes a Privacy Information Management System (PIMS).

As defined on the ISO website:

“ISO/IEC 27701 is an international standard that specifies requirements and provides guidance for establishing, implementing, maintaining and continuously improving a privacy information management system (PIMS). It extends ISO/IEC 27001 to specifically address privacy and the protection of personally identifiable information (PII), making it highly relevant for organisations acting as PII controllers or processors.”

In short, the standard expands on the privacy and PII protection components of ISO/IEC 27001 - which is why it is added onto an organization’s existing ISO/IEC 27001 certification. It provides organizations with a structured set of operational checklists to guide them in documenting their policies, procedures, protocols, and practices in line with their privacy obligations.

The standard acts as practical guidance to help organizations meet privacy regulations, regardless of which jurisdiction they operate in.

What changes are expected?

From the SGS whitepaper on the Final Draft International Standard (FDIS), several key updates of note are anticipated in the upcoming ISO/IEC 27701:2025 release:

Structural Redesign: Toward a “standalone” document

The standard has been restructured and rewritten to follow ISO’s high-level management system structure, similar to how ISO 9001, ISO/IEC 27001, ISO/IEC 42001, etc. are formatted. The current FDIS version suggests that ISO/IEC 27701 will no longer require an ISO/IEC 27001 certification as a prerequisite for certification.

However, it is important to note and be aware that the ISO website for the new standard still states the following:

“It is an extension of ISO/IEC 27001 and must be implemented in conjunction with it.”

This could be an oversight or simply reflect the fact that the standard is still in its FDIS stage and not yet finalized. Nonetheless, until the final version is released, organizations should be aware that the change is still only noted in the draft version.

Clauses 4 - 10 now contain mandatory requirements

In the current 2019 version, only clause 5 contains formal requirements; the remaining clauses are considered guidance. The 2025 revision expands the mandatory clauses to 4 through 10 - bringing the standard in line with how other ISO standards structure their core requirements.

Privacy risk assessment & treatment now formalized

The updated standard now introduces clearer expectations around risk management.

There is a formal requirement to identify privacy and information security risks relevant to the organization’s PIMS, and to address them through a documented information security program. This change brings privacy management more in line with ISO/IEC 27001’s security-first risk treatment methodology.

Climate change added to risk context

As with ISO/IEC 27001:2022, the updated 27701 standard will require organizations to consider climate change as a contextual factor during risk assessments, and when identifying stakeholder expectations.

Annex A controls now separated by role

Annex A has been reorganized into three distinct sections:

  • 31 controls for PII controllers,

  • 18 controls for PII processors,

  • 29 information security controls applicable to both roles.

This makes it easier for organizations to identify which controls apply to them based on their role, and supports a privacy-by-role approach more clearly than before.

Summary

While we still wait for the full release of ISO/IEC 27701:2025, organizations should be aware of and prepare for these upcoming changes - particularly the formalization of privacy risk management, the new clause structure, and the possible change in certification dependencies.
