ISO/IEC 27701
ISO/IEC 27701:2025 sets requirements and provides guidance for organizations to establish, implement, maintain, and continually improve a Privacy Information Management System (PIMS), helping them manage personally identifiable information (PII) in a structured and accountable way.
The standard is now in its second edition and replaces ISO/IEC 27701:2019. While the first edition extended ISO/IEC 27001 and ISO/IEC 27002, this version is a standalone management system standard. It can be used independently or alongside ISO/IEC 27001, allowing organizations to align privacy with existing information security systems.
ISO/IEC 27701 is intended for organizations acting as PII controllers or processors, meaning those responsible for deciding how personal data is used, or for processing it on behalf of others. It applies to organizations of all types and sizes that collect, store, or use personal data, and it takes a management system approach with defined processes, responsibilities, and ongoing improvement.
The standard sets out how privacy should be managed in practice:
- Set up processes for collecting, using, and protecting personal data
- Identify and manage risks related to PII
- Assign roles and responsibilities for data protection
- Maintain records to demonstrate accountability
- Monitor performance and continually improve privacy practices
ISO/IEC 27701 helps organizations demonstrate accountability by showing not only that privacy policies exist, but that they are applied, measured, and improved over time. It supports compliance with privacy laws such as GDPR, strengthens data protection practices, and builds trust with customers, partners, and regulators.
The move to a standalone standard reflects growing expectations for organizations to take clear responsibility for personal data and to demonstrate this through consistent, measurable practices. Further information about ISO/IEC 27701:2025 is available on the official page on the ISO website.