ISO/IEC 27701:2025
Privacy Information Management System (PIMS) standard. The 2025 revision (published 14 October 2025) is a fully standalone management system standard and no longer an extension to ISO/IEC 27001; it adopts the ISO harmonised structure (clauses 4-10) aligned with ISO/IEC 27001:2022, so an organisation can certify a PIMS without first holding an ISMS certificate.

Annex A is consolidated into three normative control tables: A.1 PII Controller controls (~34), A.2 PII Processor controls (~21), and A.3 Shared Security controls (~29, the information-security controls retained from the 2019 edition's Clause 6, now carrying PII-specific implementation guidance and aligned to ISO/IEC 27002:2022). Annex B provides normative implementation guidance per control. Annex F maps the 2025 controls to their 2019 counterparts, which is the working document for organisations carrying an existing certification across.

The expanded scope explicitly covers biometric, health, IoT, and AI-related privacy risks. The standard is written to align with GDPR, India's DPDPA and the DPDP Rules 2025, LGPD, CCPA, ISO/IEC 29100, ISO/IEC 27018, and ISO/IEC 29151. A three-year transition period applies: legacy ISO/IEC 27701:2019 certifications must transition by October 2028. The companion standard ISO/IEC 27706:2025 sets the requirements for bodies auditing and certifying a PIMS.
Composition
55 controls currently indexed; participates in 28 cross-framework synthesis clusters.
Participates in synthesis
Each cluster listed below combines this framework's controls with operationally equivalent controls from other frameworks, resolving the overlap into a single audit-defensible specification.
- AI data governance — provenance, preparation, external reporting
- Board-approved policy framework anchoring derived operational controls (legacy "supplier-policy" cluster name)
- Board-approved security policy framework — IS policy, cyber security policy, and derived operational policies
- Cloud data privacy lifecycle — CSA CCM v4 DSP control family
- Comprehensive asset inventory with classification and ownership
- Consent management — capture, modify, withdraw across jurisdictions
- Cross-jurisdiction consumer / Data Principal rights — operational fabric
- Cyber risk assessment — technology, process, people, third-party, supply chain, post-quantum
- Cyber security roles, responsibilities, and authority — Board through operational team
- Data classification with protection controls — DLP, masking, retention, secure disposal
- Data subject / Data Principal rights — operational rights mechanism
- Data-in-transit protection and physical media handling
- GDPR Articles 44-49 international transfers
- GDPR accountability principle — Art 5(2) demonstrate compliance
- GDPR data subject rights — Articles 12-22 operational implementation
- Incident response execution — detection through eradication, recovery, and lessons learned
- Mandatory assurance regime — periodic audit, VAPT, third-party assessment, risk review
- Multi-regulator incident notification with coordinated submission timelines
- PII principal rights — comprehensive ISO 27701-anchored programme
- PIMS context — Clauses 4-5 management system context and leadership
- PIMS cross-border PII transfers
- Personal data erasure — trigger-driven with propagation
- Privacy governance — legal, regulatory, contractual, and algorithmic obligations
- Processor (PII Processor) obligations — ISO 27701 controller relationship
- Processor / service provider contract requirements across jurisdictions
- Security reporting governance — CISO, DPO, incident reporting, compliance reporting
- Sensitive personal information — heightened protection across jurisdictions
- Workforce security awareness, role-based training, and human-factor controls