ISO 27701 Update: What’s Changing for Privacy Management?

Since Risk Evolves became one of the first UK companies to certify to ISO 27701:2019, much has changed in the world of data privacy. This article explores the upcoming ISO 27701 update and what it means for privacy management systems.

What’s Changing in the ISO 27701 Update?

Like all ISO standards, ISO 27701 is subject to periodic review. Later this year, a new version will be published, making the standard more relevant to a broader group of organisations. Currently, ISO 27701 certification requires a certified information management system (ISO 27001). However, from this autumn, this prerequisite will be removed, allowing organisations to achieve ISO 27701 as a standalone management system.

To facilitate this, the ‘tight’ connection to the statement of applicability managed by ISO 27001 is also removed. Furthermore, 52 non-privacy-related controls are removed, leaving the remaining controls—and an additional 10 controls—to focus solely on privacy.

New Focus in the Update: AI, Cloud, and Cross-Border Data

Beyond removing the 52 non-privacy-related controls, the revised standard introduces new controls that will require organisations to manage the risks associated with AI and its use of personal information. This includes considering the impact of AI on individuals, groups, and society—aligning with guidance from the ICO.

Similarly, the updated standard will require data controllers to address privacy risks posed by cloud services and demonstrate threat intelligence. Organisations must also look beyond internal threats to consider risks from third-party actors, especially in the context of cross-border data transfers and SaaS providers.

Data requires no passport to travel the globe, and therefore the new standard will place greater emphasis on cross-border transfers and the role that third-party providers—especially SaaS providers—play in the flow of data.

Leadership and Governance in the ISO 27701 Update

While ISO 27701:2019 was aligned with Annex SL, the revised standard places greater emphasis on leadership, planning, support, and continual improvement. As a result, privacy management is now embedded at all levels of the organisation.

Transition and Opportunities with the ISO 27701 Update

ISO 27701 Annex D provides a mapping to GDPR, helping organisations demonstrate regulatory compliance. For those already certified, a three-year transition period is expected. For others, the new standard—alongside revised guidance—represents an exciting opportunity to demonstrate commitment to privacy.

Final thoughts

The ISO 27701 update brings significant changes to privacy management, with a stronger focus on AI, cloud services, and cross-border data. These updates make the standard more relevant and accessible for a wider range of organisations. Whether you are already certified or considering ISO 27701 for the first time, now is the time to review your privacy management system and prepare for the future.

Ready to prepare for the ISO 27701 update?

Don’t wait for the changes to take effect.

Reach out now for tailored support on the ISO 27701 update and secure your privacy management system’s future.


Helen Barge

MD for Risk Evolves, Helen has worked in the IT industry since 1986. Helen is a leader in the areas of risk management and operational improvement, and works with companies in senior governance, risk and compliance roles. She is a member of the British Standards Institute and is a member of the BSI Committee creating a new guidance standard to assist organisations on how to become cyber resilient. Helen and the team at Risk Evolves work with organisations to improve their resilience through stronger process implementation and better communication and education of staff.
