How to Prepare for ISO 27701:2024
Published: May 19, 2025
In a world where data privacy laws and regulations are rapidly changing, the new ISO 27701:2024 standard has finally arrived and is bringing fresh challenges – and opportunities – for businesses trying to navigate privacy compliance. ISO 27701 is one of several internationally recognized standards in the ISO 27000 family that contain requirements and guidance for information security and privacy management.
Before we dive into the details of ISO 27701:2024, it’s important to understand how we got here, and simplify the relationship between ISO 27001 and 27701. In this article, we’ll provide a deep dive into the history of ISO 27001:2013 and ISO 27701:2019, the benefits and structure of ISO 27701, and an overview of the clauses and what has changed. This way, you can be well prepared for a seamless transition moving forward in your ISO 27701 compliance journey.
How We Got Here: The History of ISO 27001:2013 and ISO 27701:2019
ISO 27001 was introduced in 2013 and, like many other ISO standards, comprised requirements and guidance for the establishment and maintenance of a management system – more specifically, an information security management system (ISMS). Part of what makes the ISO family of standards so relevant is its consideration for the context in which each certified organization operates. This includes the size and structure of the organization, as well as its unique needs, objectives, requirements, and processes, all of which are expected to change over time.
Structurally, ISO 27001:2013 contained an ISMS framework of Clauses 4-10 and control objectives A.5–A.18, also referred to as “ISO 27001 Annex A”. Notably, ISO 27002:2013 was published alongside ISO 27001 to further describe the objective of each Annex A control and to provide implementation guidance for organizations to consider when determining the applicability of each control.
ISO 27701 was introduced in 2019 as an extension to ISO 27001, for the establishment and maintenance of a privacy information management system (PIMS) for the protection of personally identifiable information (PII) processed within the scope and boundaries of an existing ISMS.
Structurally, ISO 27701:2019 comprised Clauses 5, 6, 7, and 8, described as follows:
- Clause 5 functioned as the PIMS framework and contained sub-clauses that aligned with the ISO 27001 Clauses 4-10, with added privacy-specific requirements.
- Clause 6 contained additional privacy implementation guidance for the ISO 27001 Annex A controls, relevant for the establishment and maintenance of a PIMS.
- Clause 7, also referred to as “ISO 27701 Annex A”, contained privacy requirements for organizations operating in the role of a data controller for in-scope PII processing activities.
- Clause 8, also referred to as “ISO 27701 Annex B”, contained privacy requirements for organizations operating in the role of a data processor for in-scope PII processing activities.
How ISO 27001:2022 Paved the Path for ISO 27701:2024
When ISO 27001 (and 27002) was updated in 2022, the structure of the ISO 27001 Annex A controls changed significantly. The 2013 Annex A controls were restructured into four domains, and 11 net-new controls were introduced for certified organizations to adopt into their ISMS.
Figure 1: ISO 27001:2013 Annex A controls A.5 - A.18
Figure 2: ISO 27001:2022 Annex A domains
With the majority of ISO 27001 certified organizations transitioning to the 2022 version of the standard by the end of 2025, it’s only natural that the ISO 27701 standard was due for an update as well. The most significant change is that ISO 27701:2024 opens the door for the PIMS to act as a standalone management system, rather than as an extension to an established ISMS. As global data protection regulations continue to evolve, establishing a PIMS and understanding the changes to the standard have become crucial for organizations aiming to enhance their privacy governance.
Understanding the Benefits of ISO 27701
As an internationally recognized standard, the requirements of ISO 27701 are modeled after industry-standard best practices for the protection of PII and share themes with comprehensive privacy and data protection laws, including the European Union’s (EU) General Data Protection Regulation (GDPR). Implementing a PIMS serves as a foundation for building trust with customers and stakeholders alike. By adhering to ISO 27701, organizations demonstrate their commitment to safeguarding personal data, thereby enhancing their reputation in the market. Moreover, compliance with ISO 27701 can streamline business processes and reduce the risk of mishandling PII, which is not only costly but can also lead to significant legal repercussions and damaging reputational harm.
In today's digital environment, organizations that prioritize data privacy can distinguish themselves from competitors. That distinction can often translate into customer loyalty, as individuals and organizations are more likely to engage with companies that actively protect PII. The proactive stance of adopting ISO 27701:2024 can also serve as a competitive advantage, setting the standard for your privacy program at the highest level.
The Structure of ISO 27701:2024
If your organization is already familiar with the ISO 27001:2022 and ISO 27701:2019 standards, you will notice minimal changes in ISO 27701:2024. ISO 27701:2024 is structured to seamlessly integrate with existing management systems, making it adaptable and flexible for organizations of all shapes, sizes, and levels of complexity. The framework is divided into several key components that align with both the ISO 27001:2022 and ISO 27701:2019 standards:
Management framework clauses
ISO 27701:2024 lays out the foundation for a PIMS within the framework. Clauses 4-10 focus on the key elements every organization needs to have in place, from understanding its own context and setting up the right leadership, to planning effectively, providing the necessary support, running day-to-day operations, and continually improving. These framework clauses no longer extend the framework clauses of the ISO 27001 standard; they now stand alone as the core requirements for setting up the PIMS.
More specifically, Clauses 4-10 cover:
- 4: Context of the organization
- 5: Leadership
- 6: Planning
- 7: Support
- 8: Operation
- 9: Performance
- 10: Improvement
ISO 27701:2024 Annex A Overview
Whether your organization operates as a PII controller or processor, Annex A will be applicable in one way or another as it addresses both privacy and security controls. This section provides a detailed set of privacy-specific controls for controllers, as well as for processors, allowing organizations to apply the standard as it matches their role when handling personal data.
The PIMS requirements for controllers and processors are unchanged and still comprise the following subsections:
- Conditions for collection and processing
- Obligations to PII principals
- Privacy by design and by default
- PII sharing, transfer, and disclosure
Rather than separating the controller and processor requirements into two annexes (formerly Annex A for controllers and Annex B for processors, as described above), ISO 27701:2024 consolidates these requirements as well as required security controls into a new “Annex A”:
- A.1 applies to PII controllers (equivalent to ISO 27701:2019 Annex A / Clause 7)
- A.2 applies to PII processors (equivalent to ISO 27701:2019 Annex B / Clause 8)
- A.3 relates to information security controls for both PII controllers and PII processors (equivalent to ISO 27701:2019 Clause 6, with updates to reflect the ISO 27001:2022 Annex A controls)
ISO 27701:2024 Annex B Implementation Guidance Overview
The additional implementation guidance in ISO 27701:2024 Annex B offers practical direction to help organizations implement the new 27701 Annex A privacy and security controls. This annex addresses how organizations can apply the controls of the standard in real-world settings. Specifically, it helps organizations understand how to tailor their privacy and security practices to their specific context and responsibilities. The guidance is broken down by the controls unique to PII controllers, those unique to PII processors, and the requirements applicable regardless of role, as described below (note the similarity in structure with A.1–A.3 above):
- B.1 Implementation guidance for PII controllers
- B.2 Implementation guidance for PII processors
- B.3 Implementation guidance related to information security controls for both PII controllers and PII processors
What Has Changed and How to Move Forward with ISO 27701 Compliance
Do you recognize those control titles? That’s because they are almost identical to those of the 27001:2022 and 27701:2019 standards. The absorption of the ISO 27001 Clauses 4-10 (or “the framework”) allows a 27701-certified PIMS to operate as a standalone management system, or to harmonize seamlessly with other similar standards, such as ISO 27001, 9001 (quality management systems), and 42001 (artificial intelligence management systems), among others.
The clauses within the ISO 27701:2024 standard are designed to offer comprehensive guidelines for the establishment of a PIMS, relevant to both controllers and processors alike. Unlike the transition from ISO 27001:2013 to ISO 27001:2022, this standard includes no “net-new” requirements; the requirements and implementation guidance within the standard comprise existing elements from the ISO 27701:2019, ISO 27001:2022, and ISO 27002:2022 standards. If your organization has already established an ISMS in accordance with ISO 27001:2022, extended to include a PIMS in accordance with ISO 27701:2019, this transition should be seamless.
In contrast, if ISO 27701 is on your compliance roadmap but you haven’t gotten around to implementing it, we would love to work with you! Contact us at Schellman today to learn about ISO 27701 readiness and the path to certification.
And in the meantime, discover other helpful ISO 27701 insights in these additional resources:
About Kathryn Young
Kathryn Young is a Privacy Technical Lead with Schellman based in Providence, Rhode Island. She currently performs privacy assessments and certifications related to ISO 27701, GDPR, SOC 2, and Microsoft DPR, among others. Prior to joining Schellman, Kathryn worked in a variety of privacy compliance and cybersecurity-focused roles in the information technology and healthcare sectors. She holds a master's degree in cybersecurity and international cyber law from Norwich University, is an active member of the International Association of Privacy Professionals (IAPP), and has obtained her CIPM, CCSK, and CISSP certifications.