ISO/IEC 27701 Has Been Updated
- Harmonized Structure (HS)
- Revised controls for Controllers and Processors
- Requirements reorganized into Clauses 4–10
- Greater focus on emerging risks
- AI and international data transfers
Transition is mandatory to maintain accredited certification.
The transition is mandatory.
ISO/IEC 27701:2019 certificates will no longer be valid after October 31, 2027.
Relationship with ISO/IEC 27001
All QMS PIMS clients are certified to ISO/IEC 27001
Continued integration between the PIMS and ISMS is expected
The Gap Analysis should demonstrate this integration
Key Changes in the New Version
Study the standard
Train your teams
Qualify internal auditors
Conduct a Gap Analysis
Receive your new certificate
Transition audit
Perform an internal audit and management review
Implement the required changes
Assessment of Changes to ISO/IEC 27701:2025
Before the transition audit, the organization shall evaluate and document, at a minimum, the following:
Review of the PIMS Scope and Boundaries
Confirm which processes, activities, systems, organizational units, third parties, and personal data processing activities are included within the Privacy Information Management System (PIMS).
Clear Definition of the Organization's Role
Identify, for each personal data processing activity, whether the organization acts as a Controller, Processor, or both.
Identification of Data Subjects and Interested Parties
Review the personal data subjects included within the scope and the interested parties relevant to the PIMS, including customers, regulatory authorities, processors, sub-processors, and joint controllers.
Review of the Privacy Risk Assessment
Update the privacy risk assessment to consider potential impacts on both the organization and personal data subjects.
Update of the PIMS Statement of Applicability (SoA)
Review the Statement of Applicability in accordance with the new controls introduced in ISO/IEC 27701:2025, providing justification for the inclusion, exclusion, and implementation status of each applicable control.
Review of Applicable Controls
Evaluate the controls applicable to Controllers, Processors, and the information security controls that support personal data processing.
Integration Between the PIMS and the ISMS
Demonstrate how the PIMS continues to rely on the ISO/IEC 27001 Information Security Management System (ISMS) as the foundation for information security controls.
Assessment of AI, Automated Decision-Making, and International Data Transfers
Identify personal data processing activities involving artificial intelligence (AI), automation, profiling, automated decision-making, or international personal data transfers, where applicable.
Internal Audit and Management Review
Conduct an internal audit against ISO/IEC 27701:2025 and complete a management review prior to the transition audit.
Transition Timeline
October 31, 2025
Publication of the standard
October/2025
October 31, 2026
New certifications and recertifications only under ISO/IEC 27701:2025
October/2026
September 30, 2027
Deadline to complete transition audits
September/2027
October 31, 2027
End of the transition period
October/2027
When Can the Transition Be Performed?
- Recertification: Minimum of 0.5 auditor-day
- Surveillance or Special Audit: Minimum of 1.0 auditor-day
A customized proposal may be requested from QMS.
Surveillance Audit
Recertification Audit
Special Audit
What Will Be Evaluated?
- Gap Analysis
- PIMS updates
- PIMS and ISMS integration
- AI and international data transfers
- Internal audit
- Management review
- Evidence of implementation and effectiveness
Issuance of the New Certificate
- New ISO/IEC 27701:2025 certificate
- Available even during surveillance audits
- No need to wait for recertification
- Current certification cycle remains unchanged
Talk to QMS
Transition planning
Additional audit time
Special audits
