The publication of ISO/IEC 27701:2025 marks a significant shift in how organisations approach privacy information management, and the transition process is now firmly defined through guidance from both UKAS and the International Accreditation Forum (IAF). For organisations already certified to ISO/IEC 27701:2019, this is not a routine update but a structural evolution that requires careful planning, evidenced implementation, and timely execution.
At its core, ISO/IEC 27701:2025 transforms what was previously an extension to ISO 27001 into a standalone management system standard. This change alone has practical implications: organisations must now treat their Privacy Information Management System (PIMS) with the same level of governance, leadership oversight, and performance evaluation expected of other ISO management systems. The revised standard also embeds privacy risk management more formally, strengthens accountability, and aligns with the harmonised structure used across modern ISO standards.
ISO 27701:2025 Transition Deadlines
The transition process itself follows a clearly defined timeline. The new standards, ISO/IEC 27701:2025 and ISO/IEC 27706:2025 (which governs certification against ISO 27701), were published on 14 October 2025.
Accreditation bodies, such as UKAS, became ready to assess against the new requirements by April 2026, with certification body assessments commencing from May 2026.
All accredited certification bodies must complete their transition by 31 October 2027.
More importantly for certified organisations, all clients must be fully transitioned by 31 October 2028.
| Date | Milestone |
|---|---|
| 14th October 2025 | ISO/IEC 27701:2025 and ISO/IEC 27706:2025 published |
| 31st April 2026 | UKAS ready to assess certification bodies |
| 1st May 2026 | UKAS begins assessing certification bodies |
| 31st October 2027 | All certification bodies must have transitioned |
| 31st October 2028 | All certified clients must have transitioned |
ISO 27701:2025 Transition Process
A common misconception is that organisations can simply “upgrade” during their next audit. The transition requires a structured approach beginning with a formal gap analysis. Certification bodies themselves are required to document gaps, implement changes, and demonstrate competence and training before they can even assess clients under the new standard. This cascades down to organisations, which must also evidence how they have addressed new and revised requirements, particularly around governance, risk, and the distinction between controller and processor roles.
One of the most important, yet often overlooked, aspects of this transition is the role of ISO/IEC 27706:2025. While ISO/IEC 27701 defines the requirements for organisations, ISO/IEC 27706 sets the rules for the certification bodies auditing them. It introduces stricter competence requirements for auditors, more robust impartiality expectations, and clearer criteria for audit scope and duration. In practical terms, this means organisations should expect more rigorous and consistent audits, with greater scrutiny on how privacy risk management is implemented and evidenced.
Will transition require a full re-certification audit?
Organisations often ask whether the transition will require a full re-certification audit. The answer is: not necessarily, but do not assume it will be light-touch. UKAS guidance indicates that the level of effort depends heavily on the quality of the gap analysis and the clarity of implementation evidence. Poor preparation will result in increased audit time, findings, and potentially delays in certification. Another frequent question is when to start. The honest answer is now. Leaving transition activity until the final year introduces unnecessary risk, particularly given certification body capacity constraints as the 2028 deadline approaches.
There is also a strategic consideration that can benefit organisations. Because ISO/IEC 27701:2025 is now aligned with the harmonised structure, it integrates more effectively with standards such as ISO/IEC 27001:2022. This creates an opportunity to streamline governance, unify risk management, and improve overall management system maturity.
From a practical standpoint, a successful transition typically involves three stages:
- a detailed gap analysis against ISO/IEC 27701:2025,
- implementation of required changes (including updates to policies, risk methodologies, and governance structures), and
- an internal audit to validate readiness before engaging with a certification body.

Skipping or compressing any of these steps is where most transitions fail.
This is where experienced support becomes valuable. At Assent Risk Management, we are already supporting clients through ISO transitions across multiple standards, and ISO/IEC 27701:2025 is no exception. Our approach is deliberately structured: we begin with a targeted gap analysis that identifies not just compliance gaps but practical risks, follow this with hands-on implementation support tailored to your organisation, and then deliver internal audits that mirror certification expectations under ISO/IEC 27706.
If you are currently certified to ISO/IEC 27701:2019 or considering certification, the transition is not something to defer. The deadlines are fixed, the expectations are higher, and the audit landscape is becoming more rigorous. Engaging early allows you to control the process, manage risk, and extract real value from the updated standard rather than simply reacting to it.
Contact us to get started on your ISO 27701:2025 Transition!