ISO updates global privacy standard ISO 27701: Stronger guidance, more flexibility

The International Organization for Standardization (ISO) has released a major update to its global privacy compliance standard, ISO 27701, for the first time since 2019. The revision makes the privacy framework a standalone certification system, providing organisations with clearer guidance on managing personal data, while expanding options for integration with other ISO standards.

For the first time in six years, the International Organization for Standardization (ISO) has updated ISO 27701 – the international benchmark for privacy information management. The revised standard, titled Information security, cybersecurity and privacy protection – Privacy information management systems (PIMS) – Requirements and guidance, establishes new requirements and guidance for organisations to develop, maintain, and continually improve their privacy compliance systems.

ISO 27701 helps organisations demonstrate accountability in handling personally identifiable information (PII) by building structured privacy management processes. It aligns closely with data protection laws such as the EU General Data Protection Regulation (GDPR) and the UK GDPR.

A standalone privacy management framework
One of the most notable changes is that ISO 27701 is now a standalone management system. Previously, organisations needed an ISO 27001-certified Information Security Management System (ISMS) before pursuing ISO 27701 certification. Under the new version, companies can now implement ISO 27701 independently, while still retaining the option to integrate it with ISO 27001 or other standards such as ISO 42001 (for AI management).

This change opens certification to smaller or newer organisations that may not have a full ISMS in place but still want to demonstrate strong privacy practices.

Structure and key clauses
The updated standard sets out ten core clauses that guide the design of a Privacy Information Management System:

  • Clause 4: Context of the organisation – requires organisations to define their operational context, roles, and responsibilities regarding PII, whether as data controllers or processors.
  • Clause 5: Leadership – calls for a clear privacy policy and governance structure, ensuring top management commitment.
  • Clause 6: Planning – outlines risk identification, assessment, and mitigation processes, and introduces the requirement for a documented statement of applicability listing the controls used.
  • Clause 7: Support – covers staffing, training, awareness, and documentation.
  • Clauses 8–10 – deal with operations, performance evaluation (including internal audits), and continual improvement, ensuring that organisations monitor their privacy practices and correct any weaknesses.

Annexe A: Privacy controls
Annexe A remains one of ISO 27701’s most practical sections. It lists control objectives for both PII controllers (the entities that determine the purposes and means of processing) and PII processors (the entities that process PII on a controller’s behalf). These controls address:

  • Lawful data collection and consent management.
  • Privacy rights such as access, correction, and erasure.
  • Privacy by design and by default.
  • Secure data sharing, transfer, and disclosure.

For both controllers and processors, Annexe A also integrates adapted security controls from ISO 27001 to ensure the protection of PII.

Why this matters
The update provides a harmonised, jurisdiction-neutral framework suitable for multinational organisations operating across varying privacy regimes. Many of the controls mirror GDPR principles, including lawfulness, fairness, transparency, and data minimisation, but the standard avoids prescribing specific legal obligations, making it adaptable to local contexts.

For civil society and privacy advocates, the revision matters because ISO 27701 sets the benchmark that corporations and public institutions may use to demonstrate responsible data practices. This influences how privacy compliance is interpreted globally.

Certification and integration
ISO 27701 remains a Type A management system standard, meaning organisations can seek external certification through accredited bodies. However, ISO emphasises that certification should not be mistaken for full legal compliance. National laws still apply independently.

For organisations, the new ISO 27701 update offers a flexible way to show accountability and align technical privacy management with evolving regulations. But experts caution that while the standard strengthens consistency and structure, it cannot replace robust privacy-by-design practices or ethical oversight.
