ISO 27701 & ISO 27706 Published
After an extended review and update process, ISO 27701 and ISO 27706 have been published together. This sets up a three-year transition period for those organizations that currently hold an ISO 27701 certificate. ISO 27706 significantly revises the audit and certification of a Privacy Information Management System, including the qualifications for certification auditors. Here are some of the major highlights:
It also brings the standard into alignment with the Annex A security controls in ISO 27001:2022, along with a collection of privacy controls for PII controllers and processors.
In October of 2025 ISO officially published the update to ISO/IEC 27701 Privacy Information Management Systems (PIMS) - Requirements and Guidance. ISO 27701:2025 has been renamed Information Security, Cybersecurity and Privacy Protection - Privacy Information Management Systems - Requirements and Guidance. The new edition of the PIMS establishes ISO 27701 as a stand-alone management system and no longer requires organizations to first hold an ISO 27001 ISMS certificate. Accordingly, the privacy function of an organization does not have to align the scope of the PIMS with the ISMS, and therefore different systems can fall within the scope of the two management systems. There are updates to the privacy controls for both PII controllers and PII processors. The new ISO 27706 PIMS also incorporates recent changes to ISO 29100:2024 Privacy Framework.
While the International Accreditation Forum (iaf.nu) has not yet provided specific guidance, all organizations that currently hold an ISO 27701 certificate will be required to transition no later than October 2028. Organizations should coordinate their transition with their respective certification bodies (CBs), which first need to complete internal training for their auditors and gain approval from the accreditation body (AB) that oversees the CB.
ISO 27706:2025 replaces the prior ISO 27006-2 and is newly re-titled Information Security, Cybersecurity and Privacy Protection - Requirements for Bodies Providing Audit and Certification of Privacy Information Management Systems. Some of the more notable changes are found in the Annexes:
Annex A - Audit Time
Annex B - Methods for Audit Time Calculations
Annex C - Required Knowledge and Skills
NOTE: The new required knowledge and skills in Annex C may disqualify current certification auditors who do not meet the requirements for competence identified in the new ISO 27706.