ISO/IEC 27701 (Privacy Information Management System)
ISO/IEC 27701 extends ISO 27001 with requirements for a Privacy Information Management System (PIMS), supporting compliance with global data protection laws.
Summary
ISO/IEC 27701 is an international standard specifying requirements for a Privacy Information Management System (PIMS). The current edition, ISO/IEC 27701:2025 (published 14 October 2025), is a standalone standard providing organizations with a structured framework for managing personal information.
- Standalone Standard: Since the 2025 edition, ISO 27701 is no longer merely an extension of ISO 27001 but an independent privacy management system.
- Two Roles: Separate requirements for controllers and processors.
- AI Privacy Controls: The 2025 edition includes new controls for AI-related privacy risks.
- Regulatory Mapping: Mappings to GDPR, ISO 29100, and other privacy frameworks.
- Certifiable: Organizations can pursue formal certification.
History
ISO/IEC 27701 has its origins in ISO/IEC 29151 (guidelines for personally identifiable information protection) and the growing demand for a certifiable privacy framework. With the applicability of the GDPR from May 2018, the need for concrete implementation guidance increased significantly. The ISO/IEC Joint Technical Committee 1 (JTC 1), Subcommittee 27 (SC 27) developed the standard, which was published in August 2019 as ISO/IEC 27701:2019. It built on the foundations of the international standard ISO/IEC 29151 and provided the first certifiable framework for privacy management. The standard allowed existing ISO 27001 certifications to be extended to cover privacy without building an entirely new management system.
On 14 October 2025, ISO/IEC 27701:2025 was published. The second edition is a standalone standard and no longer requires ISO 27001 certification as a prerequisite. It includes, among other things, new controls for AI-related privacy risks. Existing certifications under the 2019 edition must transition to the new edition by 14 October 2028.
Scope
ISO/IEC 27701 addresses all organizations – regardless of type, size, or sector – that process personal information and wish to implement or operate a privacy management system. Since the 2025 edition, the standard can be implemented independently without requiring an existing ISO 27001 certification. The standard applies to:
- Controllers: Organizations that determine the purpose and means of personal data processing.
- Processors: Organizations that act on behalf of a controller.
- Companies that need to demonstrate GDPR compliance or compliance with other data protection laws.
- Service providers seeking to demonstrate privacy credentials to customers.
- Organizations operating AI systems with personal data that require specific privacy controls.
Key Requirements
- PIMS Context: Defining the scope of the privacy information management system, including internal and external factors and requirements of relevant interested parties.
- Leadership and Accountability: Management commitment, Data Protection Officer (DPO), clear roles and responsibilities.
- Risk-Based Approach: Privacy risk assessment and treatment as a standalone process (since the 2025 edition, no longer necessarily tied to the ISO 27001 risk process).
- Controller Requirements: Consent, purpose limitation, data minimization, data subject rights (access, erasure, portability).
- Processor Requirements: Processing only on documented instruction, supporting data subject rights, sub-processor management.
- AI Privacy Controls: Specific requirements for the protection of personal data in the development and deployment of AI systems (new in the 2025 edition).
- Internal Audits and Management Reviews: Regular review of PIMS effectiveness.
Related Frameworks
Corrections & Errata
4 corrections:
- GDPR entry into force: Wrong date (25 May 2016 instead of 24 May 2016)
- ISO/IEC 29151 wrongly described as 'technical report'
- last_amended shows 2019-08-06 — standard was revised on 2025-10-14
- ISO/IEC 27701:2025 not reflected — standard was fundamentally revised in October 2025
3 updates:
- Missing key_dates: ISO 27701:2025 publication and transition deadline
- key_requirements outdated — 2025 edition has standalone structure
- official_url points to withdrawn 2019 edition
1 clarification.