ISO/IEC 27701:2025 Is Here: Privacy Stands Alone
Summary
- ISO/IEC 27701:2025 published 14 October 2025 as a standalone Privacy Information Management System standard
- No longer requires ISO/IEC 27001 certification first, which changes your certification strategy and budget
- New path available: pair SOC 2 with ISO/IEC 27701:2025 for privacy certification without duplicating security audit work
Privacy compliance just became simpler and faster for North American software companies. ISO/IEC 27701:2025 is now a standalone standard, which means you can certify privacy without first certifying ISO/IEC 27001. For teams already pursuing or holding SOC 2, this opens a cleaner path: use SOC 2 to prove security, add ISO/IEC 27701:2025 to prove privacy, and skip the ISO 27001 requirement entirely.
On 14 October 2025, ISO published the 2025 edition as an independent, certifiable Privacy Information Management System (PIMS). The 2019 version required ISO/IEC 27001 as a foundation. The 2025 edition does not. That structural change matters if you need to prove privacy practices to global buyers without adding a third security framework to your compliance stack.
Most software buyers in North America already recognize SOC 2. Adding ISO/IEC 27001 on top can feel like audit duplication, especially when your team is already maintaining SOC 2 controls year-round. Now you can meet privacy requirements with ISO/IEC 27701:2025 while keeping SOC 2 as your security baseline. The two frameworks complement each other with little overlap in audit scope: SOC 2's optional privacy criteria are narrower than a full PIMS, so the privacy work is not repeated.
What Changed and Why It Matters
ISO/IEC 27701:2025 is now a full management system standard, not an extension. The 2025 edition follows the ISO high-level structure from Context through Improvement, which lets certification bodies audit privacy independently.
The impact shows up in three areas:
Strategy - You can certify ISO/IEC 27701:2025 on its own, or stack it with SOC 2. Privacy no longer requires a prerequisite information security management system (ISMS) certificate.
Scope - You define PIMS scope aligned to how you process personally identifiable information (PII) as controller, processor, or both. The standard includes requirements tailored to each role.
Cost - Audit time and evidence collection focus on PIMS scope, not a prerequisite ISMS certificate. For teams without ISO/IEC 27001, this reduces total certification effort and timeline.
How the 2025 Edition Is Structured
The standard uses Clauses 4 through 10, which mirror other ISO management system standards: Context of the organization, Leadership, Planning, Support, Operation, Performance evaluation, and Improvement.
Annexes include control objectives and controls for PII controllers and processors, implementation guidance, and mappings to key privacy frameworks. ISO included correspondence with the 2019 edition to support transition planning.
This structure aligns with how certification bodies conduct stage 1 and stage 2 audits. Auditors sample evidence across all seven clauses, not just the control annexes.
Risk Management Updates You Should Plan For
The 2025 edition sharpens expectations around risk management. Plan for explicit treatment of:
- AI and automated decision-making in processing activities
- Third-party and supply chain risk for processors and sub-processors
- Cross-border data transfers and data residency requirements
- Records of processing, data protection impact assessments (DPIAs), and lawful basis alignment under data protection law
This aligns with what regulators already check and what auditors will sample. Map these topics into your risk assessment, risk treatment plan, and vendor due diligence now. The standard ISO approach to risk management applies: identify, analyze, evaluate, treat, monitor.
Why Pair SOC 2 with ISO 27701 Instead of ISO 27001
SOC 2 already covers the security controls most North American buyers require. Trust Services Criteria address security, availability, processing integrity, confidentiality, and privacy. If your team maintains SOC 2, you have documented controls, annual audits, and a framework buyers trust.
Adding ISO/IEC 27001 on top means maintaining a second security management system with overlapping requirements but different documentation, risk treatment plans, and audit cycles. For many teams, that duplication drains time without adding commercial value.
ISO/IEC 27701:2025 solves a different problem. It addresses privacy practices, data subject rights, processing agreements, cross-border transfers, and lawful basis for PII processing. These requirements sit adjacent to security, not inside it. Pairing SOC 2 for security with ISO/IEC 27701:2025 for privacy keeps your compliance stack focused and avoids redundant audit work.
If you already maintain ISO/IEC 27001, adding ISO/IEC 27701 makes sense because of shared clauses and combined audit cycles. If you do not, SOC 2 plus ISO/IEC 27701 provides a simpler path to both security and privacy certification.
A Word from Our COO
"Privacy is no longer subordinate to information security. It is now an equal governance discipline."
Brian Kline posted his full analysis of the 2025 edition on LinkedIn the day it published. The takeaway: privacy has earned its seat at the governance table, and the new structure reflects that shift.
Transition Guidance for ISO/IEC 27701:2019 Certificate Holders
Most certification bodies expect a 2 to 3 year transition window. Your 2019 certificate remains valid during this period. Start planning now to avoid deadline pressure at the end.
Transition checklist:
- Ask your certification body for their published transition plan and audit approach
- Run a readiness gap assessment against the 2025 edition
- Update scope statements for your PIMS (controller, processor, or both)
- Refresh risk assessment to address AI, automated processing, and cross-border data flows
- Update vendor management and data processing agreements for new controls
- Schedule internal audits and management review against 2025 clauses
- Confirm your records of processing and DPIA inventory are current
Certification bodies will issue guidance on how they handle surveillance audits during the transition period. Ask early.
Need a fast path to ISO/IEC 27701:2025 readiness?
Book a 30-minute consult to map your timeline, scope, and certification options.
A Practical Implementation Roadmap
What auditors expect to see and what we help you deliver:
- Scope your PIMS - Legal entities, sites, products, and processing roles (controller, processor, or both)
- Define roles and governance - Privacy officer, ownership for controllers and processors, escalation paths
- Inventory PII and data flows - Include cross-border routes, processors, and sub-processors
- Establish lawful bases, consent patterns, and retention rules - Align with data protection law in each jurisdiction
- Run DPIAs on high-risk processing - Include AI uses, profiling, and automated decision-making
- Formalize third-party risk management - Due diligence, contracts, monitoring, and breach notification clauses
- Operationalize data subject request handling and breach response - Documented procedures, timelines, and testing
- Implement controls for controllers and processors - Per ISO/IEC 27701:2025 implementation guidance
- Collect evidence year-round - Records of processing, risk treatment, training completion, and control tests
- Perform internal audits and management review - Fix gaps before the certification audit
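The roadmap items above are easier to keep current year-round if the records-of-processing inventory is machine-checkable rather than a spreadsheet that is reviewed once before the audit. The following is an added illustration, not code from the page's author or from ISO; it encodes several of the roadmap items (scope role, lawful basis and retention, cross-border routes, DPIA coverage for AI and automated decision-making, and processor contract clauses) as gap checks over a constructed sample inventory. The field names, gap codes, and the three sample activities are assumptions made for the example and are not terms defined by ISO/IEC 27701:2025.

```python
"""Readiness gap check over a records-of-processing inventory.

Added illustration, not code from the standard or from the page's author.
The checks encode the roadmap items above as one reading of them; field
names, the sample inventory and the gap codes are constructed for the
example and are not terms defined by ISO/IEC 27701:2025.
"""
from __future__ import annotations

# Constructed sample: three processing activities, in the shape a privacy
# office might keep in a YAML file. All field names are assumed.
INVENTORY = [
    {
        "id": "PA-001",
        "name": "Customer account management",
        "role": "controller",
        "lawful_basis": "contract",
        "retention": "account lifetime + 2 years",
        "cross_border": ["US->DE"],
        "transfer_mechanism": "SCC",
        "high_risk": [],
        "dpia": None,
        "processors": [{"name": "cloud-host", "dpa": True, "breach_clause": True}],
    },
    {
        "id": "PA-002",
        "name": "Fraud scoring",
        "role": "controller",
        "lawful_basis": "legitimate_interest",
        "retention": "90 days",
        "cross_border": [],
        "transfer_mechanism": None,
        "high_risk": ["automated_decision", "profiling"],
        "dpia": None,                  # high-risk processing with no DPIA on file
        "processors": [],
    },
    {
        "id": "PA-003",
        "name": "Support ticket hosting for client tenants",
        "role": "processor",
        "lawful_basis": None,          # processor acts on the controller's instructions
        "retention": None,             # missing retention rule
        "cross_border": ["CA->IN"],
        "transfer_mechanism": None,    # transfer route with no mechanism recorded
        "high_risk": [],
        "dpia": None,
        "processors": [{"name": "offshore-helpdesk", "dpa": True, "breach_clause": False}],
    },
]


def gaps_for(activity: dict) -> list[str]:
    """Return gap codes for one processing activity; an empty list means no findings."""
    gaps: list[str] = []
    role = activity.get("role")
    if role not in ("controller", "processor", "both"):
        gaps.append("ROLE_UNDEFINED")
    # Lawful basis is a controller obligation; a pure processor follows instructions.
    if role in ("controller", "both") and not activity.get("lawful_basis"):
        gaps.append("LAWFUL_BASIS_MISSING")
    if not activity.get("retention"):
        gaps.append("RETENTION_MISSING")
    # Every cross-border route needs a recorded transfer mechanism (assumed field).
    if activity.get("cross_border") and not activity.get("transfer_mechanism"):
        gaps.append("TRANSFER_MECHANISM_MISSING")
    # AI, profiling or automated decision-making flags require a DPIA on file.
    if activity.get("high_risk") and not activity.get("dpia"):
        gaps.append("DPIA_MISSING")
    # Each processor or sub-processor needs a DPA with a breach notification clause.
    for sub in activity.get("processors", []):
        if not sub.get("dpa"):
            gaps.append(f"DPA_MISSING:{sub['name']}")
        elif not sub.get("breach_clause"):
            gaps.append(f"BREACH_CLAUSE_MISSING:{sub['name']}")
    return gaps


def readiness_report(inventory: list[dict]) -> dict[str, list[str]]:
    """Map activity id -> gap codes, keeping only activities with findings."""
    report: dict[str, list[str]] = {}
    for activity in inventory:
        found = gaps_for(activity)
        if found:
            report[activity["id"]] = found
    return report


if __name__ == "__main__":
    for activity_id, codes in readiness_report(INVENTORY).items():
        print(activity_id, ", ".join(codes))
```

Run it on the sample and PA-001 produces no findings, PA-002 is flagged for a missing DPIA, and PA-003 is flagged for a missing retention rule, an undocumented transfer mechanism, and a processor contract without a breach notification clause. Wiring a check like this into the same pipeline that stores the inventory turns "collect evidence year-round" into a test that fails the moment a new activity is added without its supporting records.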
Typical Timing and Effort
Most teams complete readiness in 8 to 16 weeks depending on organization size, data complexity, and whether an information security management system already exists. Certification timelines vary by certification body and scope.
Stage 1 audits typically occur 2 to 4 weeks after readiness. Stage 2 follows 4 to 8 weeks later. Plan for a 3 to 6 month total timeline from kickoff to certificate issuance.
We structure evidence the way auditors expect, which cuts back-and-forth. Since 2017, we have maintained a 100% audit pass rate across more than 700 successful audits.
How SOC 2, ISO 27001, and ISO 27701 Fit Together
| Framework | What It Proves | Best For | Can Stand Alone? |
|---|---|---|---|
| SOC 2 | Security (the required common criteria) plus any of availability, processing integrity, confidentiality, and privacy from the Trust Services Criteria | North American software buyers; required by most enterprise procurement teams | Yes |
| ISO/IEC 27001:2022 | Information security management system (ISMS) with global recognition | Global buyers, regulated industries, European procurement requirements | Yes |
| ISO/IEC 27701:2025 | Privacy Information Management System (PIMS) for PII processing as controller or processor | Global privacy compliance, GDPR/CCPA alignment, enterprise buyers with strict data protection requirements | Yes (new in 2025) |
Common pairing strategies:
- SOC 2 + ISO/IEC 27701:2025: Covers security and privacy without duplication. Strong path for North American software companies expanding globally.
- ISO/IEC 27001:2022 + ISO/IEC 27701:2025: Shared clauses reduce audit effort. Ideal if buyers already require ISO 27001 or you operate in heavily regulated industries.
- SOC 2 + ISO/IEC 27001:2022 + ISO/IEC 27701:2025: Full coverage for buyers with diverse compliance requirements. Higher audit burden but maximum market reach.
Frequently Asked Questions
Is ISO/IEC 27701:2025 an international standard?
Yes. ISO and IEC published it as the global standard for privacy information management systems. It applies worldwide and maps to major data protection law frameworks including GDPR, CCPA, and LGPD.
Does it still reference ISO/IEC 27001 and 27002?
Yes. It aligns with ISO/IEC 27001:2022 for security controls and remains compatible with the ISO family. The 2019 edition was published as an extension to ISO/IEC 27001 and ISO/IEC 27002. The 2025 edition stands alone while maintaining alignment.
Will it help with GDPR, CCPA, and LGPD compliance?
Yes. The standard maps to major data protection law requirements and includes implementation guidance for controllers and processors. It does not replace legal compliance, but it provides a structured framework auditors and regulators recognize.
Can processors certify, or only controllers?
Both can certify. The standard includes specific control objectives and guidance for PII controllers and processors. You define your role in scope.
How does this affect my existing ISO/IEC 27001:2022 certification?
It does not. Your ISMS certificate remains valid. If you add ISO/IEC 27701:2025, you maintain two certificates with overlapping but distinct scopes. Many certification bodies offer integrated audit cycles to reduce total effort.
Can I certify ISO/IEC 27701:2025 if I only have SOC 2?
Yes. That is the new path the 2025 edition enables. Certification bodies are preparing programs that allow ISO/IEC 27701:2025 certification without ISO/IEC 27001. You use SOC 2 to demonstrate security practices and ISO/IEC 27701:2025 to demonstrate privacy practices.
Conclusion and Next Steps
Privacy now stands alongside security as an equal governance discipline. With ISO/IEC 27701:2025, you can certify a PIMS that matches how your business processes personal data, whether you operate as a controller, processor, or both.
If you hold ISO/IEC 27701:2019, start your transition plan now. If you are new to privacy certification, decide whether to pair ISO/IEC 27701 with SOC 2 or ISO/IEC 27001. Both paths work. The right choice depends on your buyer requirements, existing certifications, and internal governance maturity.
For teams already maintaining SOC 2, adding ISO/IEC 27701:2025 provides global privacy coverage without duplicating security audit work. You keep the framework North American buyers trust and add the privacy standard global buyers require.
We test your controls, structure the evidence, and guide you through the audit with fewer surprises. Since 2017, we have maintained a 100% audit pass rate.
Next step: Schedule a consultation and get your readiness on the calendar.