Brian Sims
Editor

BSI brings forward updated Privacy Information Management Systems guidance

UPDATED GUIDANCE for Privacy Information Management Systems (PIMS) – published as BS EN ISO/IEC 27701:2025, Information security, cybersecurity and privacy protection – Privacy information management systems – Requirements and guidance – has been released by the British Standards Institution (BSI).

The newly revised international standard marks a major milestone in the evolution of privacy standards. Crucially, it is no longer an extension of the Information Security Management Systems standard (ISO/IEC 27001) and its controls (ISO/IEC 27002), but a standalone requirements standard in its own right, which in turn broadens its relevance.

Certification to the standard will no longer require ISO/IEC 27001, making it relevant beyond traditional IT and security teams to include legal, compliance and privacy professionals, and potentially reducing the costs of compliance.

The updated approach aims to address today’s complex privacy challenges and increasingly diverse regulatory requirements, and to respond to growing public demand for stronger data protection, by giving organisations in industries including technology, healthcare, finance, retail and the public sector a dedicated and certifiable privacy standard. Mappings to the European Union’s General Data Protection Regulation are maintained in the revised edition.

Building on its standalone status, the revision focuses on usability: a cleaner control structure, clearer responsibilities and easier conformity assessment. As privacy concerns grow alongside digital transformation, cloud adoption and Artificial Intelligence (AI) integration, BS EN ISO/IEC 27701:2025 is designed to provide practical and globally aligned guidance for managing Personally Identifiable Information across complex cross-border environments.

The standard offers a simplified route to privacy certification that supports legal compliance, enhances governance and strengthens trust with customers, partners and regulators.

Digital transformation

David Cuckow, director of digital at BSI, said: “Every day, concerns around privacy and protecting data grow against a backdrop of rapid digital transformation, cloud adoption and AI integration. This updated standard offers organisations a streamlined and effective approach to privacy management, simplifying compliance with key regulations. The standalone certification option also has the potential to reduce both the cost and complexity traditionally associated with privacy certification.”

Cuckow continued: “This updated standard aims to strengthen governance and accountability by clarifying roles and responsibilities, helping organisations not only to meet legal requirements, but also build a competitive advantage and enhance their reputation in today’s privacy-conscious marketplace.”

Annex B has been expanded to provide more detailed and actionable implementation guidance for each control. Additionally, the standard features improved global alignment through mappings to the General Data Protection Regulation and related standards including ISO/IEC 29100, 27018 and 29151.

It also supports ISO/IEC 27706, enabling certification bodies to offer direct Privacy Information Management System certification.

*For further information on BS EN ISO/IEC 27701:2025 visit https://knowledge.bsigroup.com/products/information-security-cybersecurity-and-privacy-protection-privacy-information-management-systems-requirements-and-guidance-1
