ISO 27701:2025 Standard Frequently Asked Questions (FAQs)

ISO Certifications

Published: May 4, 2026

Privacy is evolving as organizations now need to navigate expanding data protection laws, cross-border data transfers, and growing expectations from customers and regulators. Having a credible, internationally recognized framework to guide privacy practices is critical.

ISO 27701:2019 established that framework by extending the widely adopted ISO 27001 information security standard to encompass a Privacy Information Management System (PIMS). Now, with the release of ISO 27701:2025, the standard has been significantly updated to reflect the realities of today’s privacy landscape.

ISO 27701:2025 now features stronger alignment with global regulations, clearer security guidance for both data controllers and processors, and a more risk-based approach to protecting personal data.

In this FAQ blog, we’ll answer the most pressing questions about ISO 27701:2025 to help privacy professionals, compliance teams, and business leaders better understand what has changed, what it means in practice, and how to navigate certification or recertification under the updated standard.

ISO 27701:2025 Background Information

Q. What is a PIMS?

A. A PIMS is a management system comprised of requirements and guidance to support the protection of the personally identifiable information (PII) that organizations process. First introduced as an optional extension to an established ISO 27001:2013 (now ISO 27001:2022) information security management system (ISMS), the latest version of the ISO 27701 standard positions the PIMS as a standalone management system.

Q. What are the benefits of ISO 27701 certification?

A. ISO 27701 is a globally recognized standard for establishing a PIMS that demonstrates an organization’s ability and commitment to manage risks related to data privacy and safeguard the processing of personal information. In addition to the increased trust this certification helps establish with customers, other benefits of becoming 27701 certified include:

  • Increased operational readiness for incoming privacy inquiries and requests
  • Enhanced preparedness of people, processes, and technology to effectively respond to new privacy requirements
  • Centralized framework for protecting personal information across the organization

Learn more about the ISO 27701 standard in the Schellman Learning Center.

Q. Who is impacted by the updated standard?

A. Certification bodies (like Schellman) and clients certified under 27701:2019 are directly impacted by this change. Other interested parties, including clients’ customers and PII principals, will be indirectly impacted, as they will benefit from the improved PIMS structure safeguarding their personal information.

This change is also relevant for organizations with ISO 27701 on their compliance roadmap that are planning to adopt the standard soon, as it may affect when they pursue certification and which version of the standard they will be validated against.

ISO 27701:2025 Transition & Timeline

Q. When do organizations certified under 27701:2019 need to transition to ISO 27701:2025? Do I need to transition during my next audit?

A. Per ANAB’s Heads Up #550 notice, certification bodies are required to transition to ISO 27701:2025 by October 31, 2026, or one year following the revised standard’s publication. As of the date of this FAQ, Schellman’s accreditation has already officially been transferred by ANAB.

Organizations currently certified under ISO 27701:2019 must formally transition their certifications to ISO 27701:2025 by October 31, 2028. In other words, ISO 27701 certified clients will not automatically be assessed against 27701:2025 in their next audit with Schellman, unless it has been designated as a transition review.

Notably, transition reviews can occur concurrently with surveillance or recertification reviews, or separately as a standalone audit. Since Schellman has already been accredited against ISO 27701:2025, organizations may schedule transition reviews anytime from now through July 2028.

Q. What's the ISO 27701:2025 transition audit process?

A. The process to transition from ISO 27701:2019 to ISO 27701:2025 will mirror the process organizations followed when transitioning from ISO 27001:2013 to 27001:2022. Clients will be required to complete a transition plan during the audit planning phase to identify any scope changes to covered products, functions, locations, and in-scope personnel.

In addition, clients will need to perform a gap analysis to identify downstream impacts to the management system(s) related to the transition to ISO 27701:2025. If the organization has opted to include the transition review as a component of a pre-existing surveillance or recertification review, additional time will be added to the audit to account for this transition.

ISO 27701:2025 Structural Changes

Q. What's the biggest difference between the 2019 and 2025 versions of ISO 27701?

A. The most significant change between ISO 27701:2019 and ISO 27701:2025 is that the latest version of the standard positions the PIMS as a standalone management system, rather than an extension to an established ISMS. As global data protection regulations continue to evolve, establishing a PIMS and understanding the changes to the standard has become crucial for organizations aiming to enhance their privacy governance.

In addition, ISO 27701:2025 has modified the structure of the standard. Rather than consisting of clauses 5–8, the PIMS framework is now comprised of clauses 4–10 (mirroring the ISMS framework in 27001:2022 and the Artificial Intelligence Management System (AIMS) framework in ISO 42001:2023) and a revised Annex A speaking to the privacy controls for controllers and processors, as well as the required security controls.

ISO 27701:2025 Control & Documentation Updates

Q. Which controls have changed in the new version?

A. While a good portion of controls remain the same, all control references have changed due to the revised structure of the standard. As mentioned previously, the PIMS framework (formerly clause 5) is now comprised of clauses 4–10 and aligns with the ISMS framework clauses established in ISO 27001:2022 and ISO 42001:2023.

Notably, ISO 27701:2025 now includes information security controls in Annex A.3. While this is a new change with the 2025 version, all specified security controls in A.3 already existed in some form under ISO 27701:2019 and/or ISO 27002:2022. In other words, there are no net-new controls introduced with this standard as there were with ISO 27001:2022.

Q. What management system documentation needs to be updated?

A. The extent of management system documentation updates will depend on changes to the scope of the PIMS. However, expected documentation impacts include, but are not limited to:

  • Revision of any specific references to 27701:2019 to reflect 27701:2025 throughout management system documented information (such as the scope document, ISMS manual, SOA, in-scope policies and procedures).
  • Updates to management system documentation described above to reflect any changes in scope and/or role, and the updated inclusion or exclusion of controls. For example, this could include new internal or external factors, interested parties and requirements, business units, or objectives, among other areas.
  • Specific to the SOA, we would expect any PIMS clause references from 27701:2019 to be removed and, where applicable, be replaced with clause references from 27701:2025.
  • Internal audit completed against ISO 27701:2025 and management review documentation where the transition documentation and internal audit results were discussed and approved by management.

ISO 27701:2025 Transition Implementation

Q. What factors should I consider when scoping my PIMS? Should I keep the scope of my PIMS aligned with my established ISMS?

A. There are many considerations that organizations should keep in mind when determining their scope. While you can choose to keep the scope of your PIMS aligned with an existing ISMS, the new standard gives organizations the flexibility to cast a wider net with their PIMS so that it aligns with their broader privacy program. Key factors to consider when scoping a PIMS under ISO 27701:2025 include, but are not limited to:

  • Processing activities relevant to privacy concerns applicable to the context of your organization
  • Opportunities to build trust with interested parties
  • Focus areas that will mature your privacy program over time

Refer to Scoping a Privacy Information Management System Under ISO 27701:2025 for more information.

Q. I have a surveillance/recertification review coming up. Should I transition during my upcoming review?

A. Organizations currently certified under ISO 27701:2019 have until October 31, 2028, to transition to the newest version of the standard. As such, there is no requirement to transition in the upcoming surveillance/recertification review, unless it is important to your team to do so (for example, if your organization had been waiting for the new standard to be released before updating the scope of the PIMS).

Surveillance and recertification reviews can be a good opportunity to transition, as the management framework and a portion of the controls will already be under review (with all controls being reviewed during recertifications). Those reviews, specifically recertification reviews, would allow the organization to audit the security controls in 27701:2025 A.3 more efficiently.

However, organizations should remain cognizant of audit timing and be sure that they have completed their gap analysis and other planning activities ahead of the scheduled review. It is important to note that transition reviews can occur anytime, either in-band as part of an upcoming surveillance review or recertification, or out-of-band as a special audit.

Moving Forward with ISO 27701:2025

The release of ISO 27701:2025 marks a significant evolution in how organizations can demonstrate their commitment to privacy as a foundational element of how they operate and build trust.

For organizations already certified under the 2019 version, the transition timeline offers reasonable runway to plan thoughtfully. With the October 31, 2028, deadline for certified organizations and Schellman already accredited to perform ISO 27701:2025 audits, there is flexibility in how and when you make the move.

For those considering ISO 27701 certification for the first time, now is an opportune time to adopt the standard in its updated form, avoiding the need to transition down the road and building your PIMS on the most current framework from the outset.

If you have questions about how the transition applies to your specific situation or want to explore what certification could look like for your organization, contact us today. We’re available to help you navigate what comes next with confidence.

About Kathryn Young

Kathryn Young is a Privacy Technical Lead with Schellman based in Providence, Rhode Island. She currently performs privacy assessments and certifications related to ISO 27701, GDPR, SOC 2, and Microsoft DPR, among others. Prior to joining Schellman, Kathryn worked in a variety of privacy compliance and cybersecurity-focused roles in the information technology and healthcare sectors. She holds a master's degree in cybersecurity and international cyber law from Norwich University, is an active member of the International Association of Privacy Professionals (IAPP), and has obtained her CIPM, CCSK, and CISSP certifications.