ISO 27701: International Privacy Certification

Reports | 13 November 2025
On 14 October 2025, the second edition of ISO/IEC 27701, the international standard that sets out the requirements for implementing, maintaining and improving an Information Privacy Management System (IPMS), was published.

Privacy with an international seal of approval

On 14 October 2025, the second edition of ISO/IEC 27701, an international standard that sets out the requirements for implementing, maintaining and improving an Information Privacy Management System (IPMS), was published. This standard, designed for controllers and processors of personal data, is applicable to organisations of any size or sector. Its objective remains the same: to provide a robust framework for ensuring the protection of personal information, but the new version introduces substantial changes.


Until now, many companies have focused their efforts on complying with the General Data Protection Regulation (GDPR) and other local or sectoral regulations. However, certification to ISO/IEC 27701 brings added value beyond mere legal compliance. It is not only about ensuring regulatory compliance, but also about demonstrating, with an internationally recognised seal, that the organisation manages privacy in a systematic, measurable and auditable way. This approach strengthens the trust of customers, partners and authorities, and translates into tangible competitive advantages.


Beyond compliance: the strategic value of ISO/IEC 27701

Compliance with the GDPR is mandatory, but not always sufficient to build trust in a globalised and highly digitised market. ISO/IEC 27701 certification enables organisations to demonstrate proactive accountability through verifiable evidence: policies, records, risk analysis, metrics and continuous improvement plans. This reduces exposure to sanctions and makes it easier to defend against inspections or complaints by having a robust system in place that demonstrates due diligence.


In addition, certification acts as a competitive differentiator. More and more customers and partners are demanding additional assurances in procurement processes, tenders or supplier audits. Having a certified IPMS in place streamlines these processes, shortens business cycles and improves negotiating position, especially in sectors where privacy is critical, such as finance, healthcare or technology.


A key aspect of the standard is the comprehensive management of privacy in complex environments, such as global supply chains and cloud services. ISO/IEC 27701:2025 establishes specific controls for the relationship with processors and sub-processors, requiring clear contracts, oversight mechanisms and transparency throughout the chain. It also requires an up-to-date register of sub-processors and prior authorisations, which is particularly relevant in SaaS or multi-tenant environments, where data segregation is critical.


It also strengthens the management of international transfers, imposing the documentation of locations, the application of legal safeguards and the performance of risk assessments. This is coupled with controls for the secure return or deletion of data at the end of the service, with verifiable evidence.


This approach reduces contractual frictions and provides consistency in requirements, which is essential in interconnected digital ecosystems. In practice, it demonstrates that the organisation not only manages its own privacy, but also oversees that of its suppliers, minimising regulatory and reputational risks.


Finally, the structure of the standard, based on the High Level Structure (HLS) common to all ISO management system standards, embeds privacy in the continuous improvement cycle and facilitates its integration with the organisation's other management systems. In this way, privacy ceases to be a one-off project and becomes a living process, aligned with corporate strategy.


Key new features and differences of the 2025 edition

The second edition of ISO/IEC 27701 is not a simple update, but a profound transformation. The 2019 version was intended as an extension of ISO/IEC 27001 and relied on the requirements defined in ISO/IEC 27001, which meant incorporating security controls that were not always directly related to privacy. In contrast, the 2025 edition makes ISO/IEC 27701 a stand-alone standard, removing the obligation to have a certified ISMS in order to certify the IPMS. This opens the door to certification for organisations without a pre-existing security management system.


The new structure, aligned with the HLS, introduces its own clauses (4 to 10) that strengthen governance, leadership and performance measurement. This change places privacy on the same level as other management systems, such as quality or information security, and facilitates integration with them.


The standard eliminates the need to implement the full set of ISMS security controls that appeared in the previous edition; the current version requires only a limited subset of those controls, with requirements aligned with privacy protection. The current Annex A is composed of:

  • 31 specific controls for controllers,
  • 18 specific controls for processors, and
  • 29 security controls.

This reorganisation simplifies implementation, reduces complexity and concentrates efforts on ensuring privacy and the proper management of personal information.


The guidance for controllers and processors is expanded and clarified, with special attention to critical aspects such as the management of sub-processors, cooperation in the exercise of rights, the return and deletion of data, and contractual traceability. In addition, the standard incorporates specific recommendations to address new risks and technological environments, including cloud services, SaaS models, international transfers and scenarios involving artificial intelligence. All of this responds to the need to manage privacy in increasingly complex and dynamic contexts.


Finally, the 2025 edition aligns with the most recent versions of ISO/IEC 27001 and 27002 (2022), eliminating redundancies and adapting the IPMS guidance to the new structure of security controls. This allows for more efficient integration with information security management systems, where they exist, and ensures consistency with global regulatory frameworks such as the GDPR, CCPA or LGPD.


Transition timelines

Organisations certified to ISO/IEC 27701:2019 will have up to three years to adapt to the 2025 version. The official rules, to be defined by ISO (International Organization for Standardization) and IAF (International Accreditation Forum), have not yet been published, although the timeframe is expected to be similar to other recent ISO standards.


Initiating a gap analysis between the requirements of the 2019 version and those of the new version as soon as possible, as well as drawing up a transition plan, are key aspects to avoid concentrating efforts at the end of the period and to ensure an orderly migration.


Conclusion

ISO/IEC 27701:2025 represents a decisive step in the maturity of privacy management. For companies already compliant with the GDPR, this certification not only enhances trust and reputation, but also provides a structured framework for continuous improvement, reduces risks and facilitates integration with other management systems. In an environment where privacy has become a strategic factor and a differentiating element, having a certified IPMS is an investment in legal certainty and a competitive advantage in contracting and tendering processes.


Information note prepared by the Data Protection Area of ECIJA Madrid.
