ISO 27701:2025 transition
ISO 27701:2025 is the revised international standard for privacy information management systems (PIMS). Organisations currently certified against ISO/IEC 27701:2019 must transition to the new edition by 1 October 2028.
The official designation of the standard is ISO/IEC 27701:2025. The new edition contains several substantive changes and has been restructured as a standalone management system standard. This means that ISO/IEC 27701 can now be implemented and certified independently of ISO/IEC 27001.
This page explains what the ISO 27701:2025 update means for your certification, when you must complete the transition and what Brand Compliance will assess during the transition audit.
What has changed in ISO 27701:2025? #
The previous edition, ISO/IEC 27701:2019, was structured as an extension to ISO/IEC 27001 and ISO/IEC 27002. ISO/IEC 27701:2025 has been rewritten as a standalone management system standard for privacy information management.
The revised standard contains its own management system requirements and follows the harmonised structure used by other ISO management system standards. Organizations must therefore assess the differences between the 2019 and 2025 editions and determine which changes are required within their PIMS.
#
ISO 27701:2025 transition deadline #
A transition period of three years applies from the publication of ISO/IEC 27701:2025. The transition period ends on 1 October 2028.
Until this date, existing certificates based on ISO/IEC 27701:2019 remain valid, provided that the regular certification requirements continue to be met.
After 1 October 2028, certificates based on ISO/IEC 27701:2019 will no longer be valid. Organisations must therefore successfully complete the transition audit before the end of the transition period.
What does the ISO 27701 update mean for your organization? #
A transition audit is required to transfer your existing certification to ISO/IEC 27701:2025.
Brand Compliance will contact its certificate holder to schedule the transition audit. Where possible, the transition audit will be combined with a regular surveillance or recertification audit within the current certification cycle.
We recommend starting your preparations in good time. Your organization should analyse the changes to the standard, assess their impact on the PIMS and implement any necessary adjustments before the transition audit.
How can you prepare for the transition? #
Before the transition audit, your organization should be able to demonstrate that it has:
• Analysed the differences between ISO/IEC 27701:2019 and ISO/IEC 27701:2025
• Assessed whether changes to the PIMS are necessary
• Updated the Statement of Applicability
• Updated the risk treatment plan
• Implemented new or modified PIMS processes where required
• Conducted an internal audit against the new requirements
• Evaluated the transition and the effectiveness of the PIMS during the management review
These activities provide the evidence required to demonstrate that your organization has addressed the ISO 27701:2025 requirements.
What does the transition audit cover? #
During the transition audit, Brand Compliance assesses the application of ISO/IEC 27701:2025 in accordance with ISO/IEC 27706:2025.
The audit includes an assessment of:
- Your organization’s approach to the transition
- The analysis of the changes between the two editions
- The gap analysis used to determine whether changes to the PIMS are required
- The updated Statement of Applicability
- The updated risk treatment plan
- The implementation and effectiveness of new or modified PIMS processes
- The internal audit and management review relating to the new requirements
How long does the transition audit take? #
The ISO 27701:2025 transition audit takes six hours. An additional two hours are allocated for reporting and administrative processing.
Where possible, Brand Compliance will schedule these activities in conjunction with a regular audit.
Nonconformities during the transition audit #
Nonconformities may be identified during the transition audit. They are handled as follows:
- Minor nonconformities: your organization must submit an action plan for approval by Brand Compliance
- Major nonconformities: the corrective actions must be fully verified before the new certificate can be issued
Completion of the ISO 27701:2025 transition #
Once the transition audit has been successfully completed and any nonconformities have been adequately addressed, your organization will receive a new certificate based on ISO/IEC 27701:2025.
The expiry date of your current certification cycle remains unchanged. Completing the transition does not start a new certification cycle.
Frequently asked questions about ISO 27701:2025 #
When is the ISO 27701:2025 transition deadline?
The transition period ends on 1 October 2028. After this date, certificates based on ISO/IEC 27701:2019 will no longer be valid.
Does my ISO 27701:2019 certificate remain valid?
Yes. Your existing certificate remains valid during the transition period, provided that the regular certification requirements continue to be met. You must complete the transition before 1 October 2028.
Is a transition audit mandatory?
Yes. Organizations currently certified against ISO/IEC 27701:2019 must complete a transition audit to receive a certificate based on ISO/IEC 27701:2025.
Can the transition audit be combined with a regular audit?
Where possible, Brand Compliance will combine the transition audit with a regular surveillance or recertification audit.
Will the transition start a new certification cycle?
No. After successful completion of the transition, the expiry date of your current certification cycle remains unchanged.
What happens if nonconformities are identified?
For minor nonconformities, your organization must submit an action plan for approval. Major nonconformities must be fully verified before Brand Compliance can issue the new certificate.
Questions about ISO 27701:2025?
Do you have questions about ISO/IEC 27701:2025, the transition deadline or the required transition audit? Please contact Brand Compliance.

