The ISO 27701 standard – used globally to manage privacy information – is undergoing significant updates, with a draft version of ISO/IEC 27701:2024 introducing new guidelines and major shifts in how organizations approach and manage privacy, specifically looking at artificial intelligence (AI) as well as data protection.
Key Updates & Changes of ISO 27701
- A Focus on Privacy & AI
  - The updated ISO standard presents specific controls to address privacy risks related to AI systems. This change reflects the increasing need to manage how AI affects personal data and individuals' privacy rights.
- A Stronger Emphasis on Risk Management
  - Organizations will be expected to conduct AI impact assessments, evaluating the effects of AI systems on individuals and society, aligning closely with the guidelines provided in ISO 42001.
- Removing Non-Privacy Controls
  - The ISO update removes 52 non-privacy-related controls, allowing the standard to focus solely on privacy-related requirements. This simplifies the certification process and broadens its relevance to a wide range of organizations, especially ones that focus purely on data privacy.
- Emphasis on Cross-Border Data Transfers
  - The new version adds more guidance around managing privacy risks from cross-border data transfers and third-party providers, particularly in cloud services and environments.
- Timeline for Publication
  - The final voting process for ISO/IEC 27701:2025 is currently ongoing, with publication expected in the second half of 2025, pending approval by ISO member countries.
What This Means for Organizations
Organizations currently certified to ISO/IEC 27701:2019 should actively monitor the revision process and begin planning for a smooth transition to the new standard. The forthcoming changes are designed to improve guidance for managing personal information in today’s digital environment and to support continued compliance with evolving data protection laws.
While the proposed changes to ISO/IEC 27701:2019 will enable organizations to focus solely on privacy concerns as they relate to this standard, it is important to remember that privacy cannot exist without security. Therefore, regular cybersecurity assessments (e.g., assessments based on ISO 27001) or even certifications are recommended to help ensure the confidentiality of personal information.
Organizations are encouraged to remain connected with relevant certification bodies and industry resources to stay informed and to best prepare for the upcoming updates.
Implications for the Privacy Office:
- Privacy Program Strategy: A data-privacy-first approach focusing on data privacy risks and program maturity can be pursued with the PIMS independence.
- Increased Accountability: With the PIMS independence comes greater responsibility for the CPO to ensure the PIMS integrates with other management systems.
- Compliance: The PIMS can support the CPO in demonstrating certifiable proof of a robust privacy program, increasing trust with consumers and third parties, creating a competitive advantage.
- Evolving Risks: With rapidly developing technologies that affect personal data (AI, digital ecosystems), the CPO’s role is expanding, and they will need to actively manage how they handle privacy risks associated with these technologies.
- Resourcing: The CPO may be able to secure additional funding and resources for the PIMS, justified as a core, certifiable management system for the privacy program.
- Advocacy: The CPO will need to champion the transition and reinforce the need for privacy by design and by default (PbDD) to be built into the organization and the SDLC.
Next Steps for the CPO:
- Obtain and Review a Copy of the New Standard – Once published, obtain a copy and perform a gap analysis between PIMS and your current framework.
- Determine PIMS Strategy – Decide if you will pursue PIMS certification.
- Update Policies and Procedures – Revise documentation to align to the new standard and modify controls (specifically AI, cloud and cross border data transfers).
- Engage Leadership – Communicate and secure senior leadership buy-in for supporting the transition.
- Plan the Transition – Develop a transition plan and allocate resources to complete required updates within the given timeframe.
NEED MORE GUIDANCE? Our Myna privacy experts can help you understand the upcoming ISO/IEC 27701:2025 changes and what they mean for your organization. Contact us today to begin aligning your privacy program with the new standard!