
ISO/IEC 27701:2025 - What’s Changing and How to Prepare

Written by Shannon DeLange
Updated this week

ISO 27701, the standard for a Privacy Information Management System (PIMS), has officially been updated for 2025.

The new version:

  • Can now be used as a standalone certification

  • Adds more structure, accountability, and privacy-specific expectations

  • Will not be required immediately — certification bodies are waiting for formal guidance from the IAF

  • Your existing 2019 certification remains valid

  • Vanta will launch full support in February 2026, and all your current privacy evidence will carry over automatically

What’s Changing?

The 2025 edition of ISO 27701 is now a standalone standard, meaning you can certify without ISO 27001. However, most companies will still integrate it for a unified security and privacy program.

Key updates:

  • A new Annex structure with clearer delineation between controller, processor, and shared controls

  • Stronger emphasis on leadership, accountability, and measurable performance

  • New guidance on AI, vendor oversight, and data protection impact assessments (DPIAs)

  • Continued reliance on 29 core information security controls for integrated ISMS alignment

Formal IAF transition timelines aren’t published yet, but past ISO changes have typically allowed three years to transition.

What’s Not Currently Changing

A few things aren’t changing yet:

  • No new audit yet: Auditors can’t certify against ISO 27701:2025 until the IAF releases formal transition guidance.

  • Your certification stays valid: 2019 certificates remain active during the transition window.

  • You don’t need to rebuild your ISMS: 29 information security controls still map directly to privacy, keeping your existing control evidence useful.

  • No rework in Vanta: When Vanta launches the new framework, all your related evidence will carry forward automatically.

With that in mind, here’s what actually changes in the new 2025 version.

What’s New in Privacy Expectations

ISO 27701:2025 introduces a sharper focus on governance, measurable privacy performance, and processor accountability. Expect updates in these areas:

  • Risk and Accountability: You’ll now track privacy harms and risk treatments alongside security risks.

  • Privacy and AI: DPIAs must consider AI models and algorithmic decision-making that use PII.

  • Vendor Oversight: You’ll need evidence of DPAs, vendor reviews, and transfer assessments.

  • Measurement and Improvement: KPIs like DSR turnaround time, retention coverage, and training completion are now expected artifacts.

  • Leadership Accountability: The framework calls for designated privacy roles and performance reporting to management.

Choosing your Path: Integrated or Standalone PIMS

Most Vanta customers will choose the integrated path to streamline audits, reuse existing evidence, and manage privacy and security risks within a single management system.

Integrated ISMS + PIMS

  • What it means: This path combines privacy and security under one governance model, and reuses ISO 27001 evidence, risk registers, and incident workflows.

  • Best for: Established or growing organizations that already have (or are pursuing) ISO 27001 certification. Ideal for teams that manage privacy and security under one compliance program and want unified reporting, fewer duplicated controls, and a single audit cycle.

  • In Vanta you’ll: View and manage both frameworks together, leverage cross-mapped evidence across both sets of controls, and report on combined risks.

Standalone PIMS

  • What it means: Operates independently from ISO 27001. Focuses on privacy-only governance, risk, and data processing controls.

  • Best for: Privacy-first organizations, such as SaaS, healthcare, or marketing-tech companies, that handle large volumes of personal data and want to prove strong privacy compliance without taking on the full ISO 27001 program.

  • In Vanta you’ll: Enable only the ISO 27701:2025 framework, assign privacy-specific tasks, and track metrics independently.

What you can do to Prepare

As Vanta builds out the new ISO 27701:2025 framework, here are five steps you can start today. Everything you do now will automatically map to your updated framework once it’s live.

Set privacy governance

  • Designate someone to lead your Privacy Information Management System (PIMS).

  • Create a simple RACI that defines who owns DPIAs, DSR handling, vendor reviews, and incident coordination.

  • Store it using Custom Documents in Vanta.

Refresh your scope and data inventory

  • Define what’s in scope: products, regions, and types of PII you process.

  • Update your records of processing and identify relevant data flows and vendors.

  • Use the Assets page in Vanta to tag systems handling PII and link your data inventory.

Extend your Risk Register

  • Begin thinking about privacy-related risk scenarios around areas like cross-border transfers, retention issues, or AI processing.

  • Add these risk scenarios to your Vanta Risk Register so you can start tracking early.

Check your vendor privacy coverage

  • Use your Vendors page in Vanta to list all your third-party processors and confirm you have DPAs and TIAs in place.

Start measuring performance

  • Pick a few KPIs you can maintain quarterly:

    • DSR volume and closure times

    • DPIAs completed versus triggered

    • % of processors with valid DPAs/TIAs

    • % of systems with active retention schedules

    • % of staff with recent privacy training

Upload your metrics in Vanta as Evidence for internal review.

What’s Coming in Vanta

Vanta’s full ISO 27701:2025 framework will launch in February 2026. Here’s what you can expect:

  • Complete framework support: A full ISO 27701:2025 framework mapped to Clauses 4-10 and the new Annex structure.

  • Integrated or standalone setup: Choose between an integrated 27k suite (27001 + 27701) or a standalone PIMS when setting up frameworks.

  • Controller/processor filtering: Filter controls, evidence requirements, and policies by role type: controller, processor, or shared.

  • Pre-built Tests and Documents: Templates for DSRs, DPIAs, DPAs/TIAs, deletion checks, and related security requirements.

  • Automatic evidence mapping: Your existing ISO 27001 evidence will automatically align to shared controls.

  • Migration helper: A guided transition tool to move your evidence from ISO 27701:2019 to 2025.

  • Updated templates: Refreshed policy and role definition templates aligned with the new standard.

There’s no rush to re-certify. You’ll have time to prepare, and Vanta will support you through a smooth transition to ISO 27701:2025. By setting governance early, refreshing your inventory, and starting privacy KPIs now, you’ll hit the ground running when Vanta’s 27701:2025 framework launches.