ISO 27701:2025 — Now certifiable without prior ISO 27001

·

Until October 2025, implementing ISO 27701 required having — or simultaneously implementing — ISO/IEC 27001. It was an extension, not a complete management standard. With the publication of ISO/IEC 27701:2025 on 14 October 2025, that requirement disappears: the standard becomes a standalone, independently certifiable Privacy Information Management System (PIMS). This change opens the door to clinics, law firms, digital platforms, and any organisation that processes personal data intensively but does not need — or does not wish — to take on the full cost and scope of an information security certification under ISO 27001.

What is ISO 27701 and what is it for?

ISO/IEC 27701 is the international standard that specifies the requirements for establishing, implementing, maintaining, and improving a PIMS (Privacy Information Management System). Its objective is twofold: to provide a privacy governance framework and to serve as demonstrable evidence of compliance with the GDPR (General Data Protection Regulation, EU 2016/679) and equivalent frameworks in other territories.

Unlike an internal data protection audit or a one-off GDPR consultancy, ISO 27701 certification means that an accredited external body — AENOR, Bureau Veritas, SGS, TÜV, BSI, or others — audits and certifies that your privacy management system meets the requirements of the standard. It is an objective, third-party-verified trust signal.

At Summum Calidad we support organisations in Castilla y León and the Canary Islands throughout the implementation process and preparation for that certification audit; the certificate is issued by the accredited body — we take you all the way to being ready with no surprises on audit day. You can find the details of our ISO 27701 implementation service.

Key new features of ISO 27701:2025

1. Independent standard: goodbye to the ISO 27001 dependency

The 2019 edition was technically an extension of ISO 27001 and ISO 27002: its operational clauses (formerly 6, 7, and 8) required constant cross-references to ISO 27001. That meant you could not get certified in privacy without first having — or simultaneously implementing — your Information Security Management System certified or in the process of certification.

The 2025 edition changes this fundamentally. Clauses 4 to 10 now follow the harmonised ISO structure (also called HLS, High Level Structure) and are completely autonomous. They do not require reference to ISO 27001. The former clauses 6, 7, and 8 have been transformed into Annexes A and B, reorganised as controls native to the PIMS. Annex F includes a complete correspondence table for those migrating from the 2019 version.

2. Reinforced distinction between controllers and processors

The 2025 standard more precisely aligns the GDPR distinction between controller and processor. Annex A includes specific controls for processors that manage personally identifiable information (PII) on behalf of external controllers. This is key for cloud providers, SaaS platforms, payroll outsourcing companies, or any organisation that processes data belonging to their clients' clients.

3. Increased documentation and evidence requirements

Clause 9 introduces a structured, independent approach to evaluating the effectiveness of the PIMS: it is not enough to have procedures — you must demonstrate with evidence that they work. The revised Clause 10 requires that continual improvement be based on performance data, not just non-conformities. In practical terms: privacy indicators, incident records, rights-exercise metrics, and international transfer monitoring must be systematically documented and analysed.

4. Specific controls for international transfers

The 2025 edition formalises eight controls dedicated to international data transfers: legal basis of the transfer, documentation of the destination country, disclosure records, notification of disclosure requests, procedures for legally binding disclosures, subcontractor management, and notification of changes in the subcontracting chain. This is especially relevant for corporate groups with subsidiaries outside the European Economic Area or for SMEs using cloud services hosted in the United States.

5. Easier integration with ISO 27001 for those who have it

For organisations that already hold ISO 27001, or that wish to implement both standards, the 2025 edition facilitates integration through Annex F. Joint systems are more efficient: policies, internal audit procedures, management review, and improvement cycles are shared. It is not mandatory, but it is advisable if the business also handles significant cybersecurity risks.

Comparison: ISO 27701:2019 versus ISO 27701:2025

Feature ISO 27701:2019 ISO 27701:2025
Nature Extension of ISO 27001/27002 Independent standard (standalone PIMS)
Prerequisite ISO 27001 mandatory No prerequisite
Structure Clauses 6-7-8 + ISO 27001 cross-references Clauses 4-10 HLS + own Annexes A and B
Controls Adapted from ISO 27002:2013 Own PIMS controls (Annexes A and B), independent
International transfers Limited coverage 8 dedicated specific controls
Evidence and metrics Basic evaluation Independent Clause 9 + data-driven improvement
GDPR alignment General Reinforced: controller/processor, transfers, PII lifecycle
Transition deadline (existing certifications) Until October 2028 (3 years from publication)

Who benefits most from the new ISO 27701:2025?

Sectors with high personal data intensity but no need for ISO 27001

The most important development in the 2025 edition is that you no longer need to implement a full ISMS under ISO 27001 to obtain an internationally recognised privacy certification. This opens the standard to profiles that were previously excluded or found it too costly:

Organisations already certified in ISO 27001

For those who already hold ISO 27001, ISO 27701:2025 complements the ISMS with a specific privacy layer. Integration is straightforward: the existing policy, internal audit, management review, and improvement cycle are leveraged. The incremental cost is moderate and the differential value for clients and regulatory bodies is high.

Probative value before the GDPR and supervisory authorities

Article 42 of the GDPR provides for certification mechanisms formally approved by supervisory authorities; ISO 27701 has not, to date, been approved as a specific certification mechanism under that article. Nevertheless, ISO 27701:2025, once certified by an accredited body, constitutes robust evidence that the organisation has adopted appropriate technical and organisational measures (Article 24 GDPR) and can be invoked before an inspection by the Spanish Data Protection Agency (AEPD) or supervisory authorities in other Member States.

It is not an exemption from sanctions, but it is a significant mitigating factor. Supervisory authority practice recognises that adherence to acknowledged standards can be weighed positively when determining the level of any sanction under Article 83.2 GDPR. In the context of fines that can reach 4% of total annual worldwide turnover (Article 83.5 GDPR), having a certified and audited management system is a legal and reputational argument of the first order.

Furthermore, the certificate facilitates the Data Protection Impact Assessment (DPIA) process, required by Article 35 GDPR when processing is likely to result in high risk: having an operational and audited PIMS provides the methodological foundation that the DPIA requires.

What does the implementation process look like?

The ISO 27701 implementation project generally follows these phases:

  1. Baseline diagnosis: analysis of the current state of personal data management, PII flows, controller/processor roles, international transfers, and gaps against the standard's requirements.
  2. PIMS design: high-level privacy policy, Record of Processing Activities (RoPA), PII inventory, role and responsibility assignment, privacy risk assessment criteria.
  3. Control implementation: development or adaptation of operational procedures (rights exercise, breach management, impact assessments, third-party and sub-processor management, international transfers).
  4. Internal audit and management review: verification that the system operates as designed, identification of non-conformities and improvement opportunities.
  5. Certification audit: Stage 1 document review and Stage 2 on-site audit by the certification body. Summum Calidad supports you in preparation and in resolving findings.

Typical timelines for a medium-sized organisation (20-150 people) range from four to eight months, depending on the prior maturity level in data protection management and the complexity of the processing activities carried out.

Transitioning from the 2019 version: deadlines you need to know

If your organisation currently holds an ISO 27701:2019 certification, the international accreditation body (IAF) has established a three-year transition period from the publication of the new edition. This means the deadline to complete the transition audit is October 2028. After that date, certificates issued under the 2019 edition will no longer be valid.

However, waiting until the last moment is not advisable. The transition audit requires updating PIMS documentation, adapting controls to the new Annexes A and B, and demonstrating that the system has been operating in accordance with the new requirements. Planning the transition with two years to spare is the prudent approach.

Frequently asked questions

Can I get certified in ISO 27701:2025 without having or planning ISO 27001?

Yes. The 2025 edition removes this dependency. You can implement and certify the PIMS completely independently. If you later decide to implement ISO 27001, integration between the two standards is very efficient thanks to the harmonised structure they share.

Does ISO 27701 exempt me from GDPR compliance?

No. The standard does not replace the GDPR or exempt you from its obligations. What it does is provide a structured management system that helps you comply in a demonstrable and systematic way. In the event of an inspection or sanction, the certificate constitutes evidence that the organisation has adopted appropriate technical and organisational measures (Article 24 GDPR), which can be a mitigating factor.

What is the difference between ISO 27701 and implementing the GDPR with a data protection consultancy?

A standard GDPR consultancy prepares the mandatory documentation: records of processing activities, privacy notices, data processing agreements, and a privacy policy. ISO 27701 goes further: it implements a management system with a continual improvement cycle, internal audit, effectiveness evaluation, and above all an externally verifiable certification by third parties. It is the difference between having the paperwork in order and being able to objectively demonstrate that privacy is being managed.

How long is an ISO 27701 certificate valid?

The standard certification cycle is three years, with annual (or semi-annual, depending on the body) surveillance audits and a renewal audit in the third year. Maintaining the certificate requires the PIMS to remain operational and improving: it is not a one-off procedure, but a living system.