ISO Releases 2025 Update to ISO/IEC 27701 Strengthening Privacy Management Standards

The International Organization for Standardization has released an updated version of ISO/IEC 27701, marking the first revision since 2019. The standard, titled "Information security, cybersecurity and privacy protection: Privacy information management systems: Requirements and guidance", provides a global framework for establishing and managing privacy compliance programs.

The updated ISO 27701 is now a standalone management system. Organizations no longer require ISO 27001 certification to adopt it, though integration with existing Information Security Management Systems is possible.

The standard establishes high-level requirements for a Privacy Information Management System (PIMS) through Clauses 4 to 10.

  • Clause 4 addresses organizational context, requiring an understanding of internal and external issues, interested parties, and the organization’s role as a PII controller or processor.
  • Clause 5 covers leadership, including setting the tone at the top, defining roles and responsibilities, and establishing an internal privacy policy.
  • Clause 6 focuses on planning, risk assessment, privacy risk treatment, and setting measurable privacy objectives.
  • Clause 7 deals with support, including resource allocation, competency evaluation, awareness, communication, and control of required documentation.
  • Clause 8 specifies operational requirements for risk assessment and treatment processes.
  • Clause 9 outlines performance evaluation, internal audits, and management reviews.
  • Clause 10 emphasizes continual improvement and corrective action for non-conformities.

Annex A provides controls divided into three tables.

Table A.1 addresses PII controllers, covering conditions for collection and processing, obligations to data subjects, privacy by design, and lawful data sharing.

Table A.2 focuses on PII processors, ensuring adherence to controller instructions, supporting data subject rights, and managing PII appropriately.

Table A.3 adapts ISO 27001 security controls to PII protection for both controllers and processors.

ISO 27701:2025 aligns with GDPR principles and is jurisdiction-neutral, enabling multinational organizations to implement a unified privacy management framework.

Certification is available through accredited bodies, and the standard can integrate with other ISO management systems. It provides a structured privacy framework but does not replace compliance with local privacy laws.

PrivacyPulse | 2026 All Rights Reserved