ISO 27701 · ISO 27701:2025 Transition Services

For organizations migrating from the 2019 extension to the 2025 standalone standard before the October 2028 deadline

ISO 27701:2019 is withdrawn. Organizations holding certification to the 2019 edition must transition to ISO 27701:2025 by October 2028. This isn't a simple recertification: the 2025 edition introduces 29 new information security controls, restructures the standard from extension format (Clauses 5-8) to standalone management system format (Clauses 4-10), and changes the relationship between PIMS and existing ISMS infrastructure. Organizations that treat transition as routine recertification will discover gaps during their transition audit. We provide structured transition services that identify exactly what changes for your organization, remediate gaps before they become audit findings, and prepare you for successful transition certification.

  • 2025 Transition Analysis: Before planning transition activities, you need clarity on what actually changes for your organization. Our transition assessment provides detailed gap analysis between your current 2019-certified PIMS and 2025 requirements. We evaluate each of the 29 new information security controls against your existing implementation, map your current clause structure to the 2025 standalone format, and assess whether your PIMS architecture requires changes to accommodate standalone status. Assessment deliverables include prioritized gap inventory, transition effort estimate, and recommended timeline to achieve 2025 certification before the deadline.
  • Transition Implementation: With gaps identified, transition implementation addresses remediation systematically. We help you implement new controls required by the 2025 edition: enhanced performance evaluation metrics, revised operational planning requirements, and updated improvement processes. We restructure documentation from extension format to standalone management system format with proper clause numbering and cross-references. We prepare your Statement of Applicability for the 2025 control structure and validate that evidence generation aligns with updated requirements. Implementation concludes with transition audit preparation: internal assessment, evidence gathering, and team preparation for auditor interactions.
  • Standalone PIMS Conversion: Organizations currently operating PIMS as an ISO 27001 extension may choose to convert to truly standalone operation under the 2025 edition. This is particularly relevant for organizations without ISO 27001 certification that inherited an extension-based PIMS, or for those choosing to separate privacy management from information security management for organizational reasons. Our conversion service extracts PIMS components from an integrated ISMS+PIMS architecture, establishes independent management system infrastructure following Annex SL structure, and validates that the standalone PIMS meets all 2025 requirements without dependency on external ISMS certification.

October 2028 seems distant until you account for transition assessment, remediation, implementation, and certification scheduling. Organizations starting transition planning in 2026 have a comfortable runway. Those waiting until 2027 face compressed timelines and auditor availability constraints. We recommend beginning transition assessment now regardless of your target certification date.

Includes:

  • 2019-to-2025 gap analysis report
  • New control implementation roadmap
  • Clause structure migration documentation
  • Statement of Applicability update
  • Evidence generation alignment validation
  • Documentation restructuring support
  • Transition audit preparation
  • Internal assessment before transition certification
  • Auditor liaison for transition audit
  • Post-transition surveillance planning