ISO/IEC 27701 Has Been Updated

Transition is mandatory to maintain accredited certification.

The transition is mandatory.

ISO/IEC 27701:2019 certificates will no longer be valid after October 31, 2027.

Relationship with ISO/IEC 27001

All QMS PIMS clients are certified to ISO/IEC 27001

Continued integration between the PIMS and ISMS is expected

The Gap Analysis should demonstrate this integration

Key Changes in the New Version

Study the standard

Train your teams

Qualify internal auditors

Conduct a Gap Analysis

Receive your new certificate

Transition audit

Perform an internal audit and management review

Implement the required changes

Assessment of Changes to ISO/IEC 27701:2025

Before the transition audit, the organization shall evaluate and document, at a minimum, the following:

Review of the PIMS Scope and Boundaries

Confirm which processes, activities, systems, organizational units, third parties, and personal data processing activities are included within the Privacy Information Management System (PIMS).

Identify, for each personal data processing activity, whether the organization acts as a Controller, Processor, or both.

Review the personal data subjects included within the scope and the interested parties relevant to the PIMS, including customers, regulatory authorities, processors, sub-processors, and joint controllers.

Update the privacy risk assessment to consider potential impacts on both the organization and personal data subjects.

Review the Statement of Applicability in accordance with the new controls introduced in ISO/IEC 27701:2025, providing justification for the inclusion, exclusion, and implementation status of each applicable control.

Evaluate the controls applicable to Controllers, Processors, and the information security controls that support personal data processing.

Demonstrate how the PIMS continues to rely on the ISO/IEC 27001 Information Security Management System (ISMS) as the foundation for information security controls.

Identify personal data processing activities involving artificial intelligence (AI), automation, profiling, automated decision-making, or international personal data transfers, where applicable.

Conduct an internal audit against ISO/IEC 27701:2025 and complete a management review prior to the transition audit.

Transition Timeline

October 31, 2025

Publication of the standard

October/2025

October 31, 2026

New certifications and recertifications only under ISO/IEC 27701:2025

October/2026

September 30, 2027

Deadline to complete transition audits

September/2027

October 31, 2027

End of the transition period

October/2027

When Can the Transition Be Performed?

Additional Audit Time
  • Recertification: Minimum of 0.5 auditor-day
  • Surveillance or Special Audit: Minimum of 1.0 auditor-day

A customized proposal may be requested from QMS.

Surveillance Audit

Recertification Audit

Special Audit

What Will Be Evaluated?

Issuance of the New Certificate

  • New ISO/IEC 27701:2025 certificate
  • Available even during surveillance audits
  • No need to wait for recertification
  • Current certification cycle remains unchanged

Talk to QMS

Transition planning

Additional audit time

Special audits

Scroll to Top