ISO/IEC 27701:2025 Transition – What It Means for Certification and Your Choice of Certification Body

The publication of ISO/IEC 27701:2025 represents a fundamental shift not only for organisations implementing Privacy Information Management Systems (PIMS), but also for how certification itself is delivered, governed, and assessed. For those responsible for certification decisions, this is a structural change that will directly affect audit expectations, certification body competence, and ultimately the credibility of your certification.

The most important point to understand is that ISO/IEC 27701 is no longer simply an extension to ISO/IEC 27001; it is now positioned as a standalone management system standard. That change alone elevates expectations around governance, leadership, risk management, and performance evaluation. However, the real transformation from a certification perspective sits alongside it: the introduction of ISO/IEC 27706:2025.

As confirmed in the transition guidance, both ISO/IEC 27701:2025 and ISO/IEC 27706:2025 were published on 14 October 2025, and must now be adopted in parallel.

The Transition Timeline: What Certification Buyers Need to Know

The transition is being tightly controlled through the accreditation framework. Key milestones are already defined and non-negotiable.

Accreditation bodies such as the United Kingdom Accreditation Service (UKAS) became ready to assess certification bodies against the new requirements by 31st April 2026, with assessments beginning from May 2026. Certification bodies themselves must complete their transition by 31 October 2027, and all certified organisations must be transitioned by 31 October 2028.

On paper, there may appear to be plenty of time, but in reality the staged timeline could introduce a bottleneck risk. Certification bodies must first demonstrate competence under ISO/IEC 27706 before they are even permitted to audit clients. That means capacity constraints are inevitable as the deadline approaches.

  • 14th October 2025: ISO/IEC 27701:2025 and ISO/IEC 27706 published
  • 31st April 2026: UKAS ready to assess certification bodies
  • 1st May 2026: UKAS begins assessing certification bodies
  • 31st October 2027: All certification bodies must have transitioned
  • 31st October 2028: All certified clients must have transitioned

ISO/IEC 27706:2025 – The Standard That Changes Certification

While certified organisations should focus on ISO/IEC 27701, it is useful to understand that ISO/IEC 27706:2025 defines how certification bodies must operate when auditing and certifying PIMS. In effect, it rewrites the rules of the certification process.

This standard introduces significantly tighter requirements in three key areas.

First, auditor competence. Certification bodies must now demonstrate that their auditors have specific, evidenced competence in privacy, not just information security. This goes beyond generic ISO 27001 knowledge and requires a deeper understanding of data protection principles, controller and processor roles, and privacy risk methodologies.

Second, audit rigour and consistency. ISO/IEC 27706 establishes clearer expectations for audit scope, duration, and methodology. Organisations should expect more detailed scrutiny of how privacy risks are identified, assessed, and managed. Superficial or template-driven implementations will be exposed far more quickly.

Third, impartiality and governance. Certification bodies must strengthen their internal controls to ensure independence and consistency in certification decisions. This reduces variability between certification bodies but also raises the bar for those that previously operated with less maturity.

In practical terms, this means the quality of your certification body matters more than ever. Two certification bodies offering “ISO 27701 certification” may deliver very different experiences depending on how well they have transitioned to ISO/IEC 27706.

Will Transition Be a Simple Upgrade?

There is a persistent assumption that organisations can transition during a routine surveillance audit. That assumption is risky.

The level of effort required will depend on how well your organisation has addressed the structural changes in ISO/IEC 27701:2025. A robust gap analysis, clear implementation, and strong internal audit programme may allow for a smoother transition. Poor preparation will almost certainly result in increased audit time, nonconformities, and delays.

More importantly, certification bodies themselves may not yet be approved to deliver ISO/IEC 27701:2025 audits. This creates a strategic question: should you wait for your existing certification body to transition, or consider moving to one that is already approved?

Choosing the Right Certification Body During Transition

This is where the transition becomes a commercial and strategic decision, not just a compliance exercise.

Organisations should be actively asking:

  • Has our certification body been assessed against ISO/IEC 27706?
  • Do their auditors have demonstrable privacy competence?
  • What is their transition timeline, and can they support us before 2028?
  • Will they require additional audit time or a re-certification approach?

If clear answers are not forthcoming, it may be time to consider alternative certification bodies. Contact us for help and support!

How Our Certification Management Team Can Support You

At certbodies.co.uk, we take a certification-first view of ISO transitions. That means we do not just look at compliance; we look at how certification will actually be achieved in practice.

Our certification management team supports organisations in two key ways.

We can help you navigate the transition with your existing certification body by reviewing their readiness, challenging their approach where necessary, and ensuring you are not exposed to unnecessary audit risk or cost.

Where appropriate, we can help you identify and engage a new certification body that is better positioned for ISO/IEC 27701:2025 under ISO/IEC 27706. This includes matching you with certification bodies that have the right accreditation status, sector experience, and auditor competence.

This is particularly valuable in a constrained market, where early engagement with the right certification body can avoid delays and give you greater control over your transition timeline.

Contact us to start your ISO 27701 Transition!

A More Demanding Certification Landscape

The reality is straightforward. ISO/IEC 27701:2025 raises the bar for organisations, and ISO/IEC 27706 raises the bar for certification bodies. The combination of the two means the certification landscape will become more demanding, more consistent, and less tolerant of weak implementations.

Organisations that plan early, choose the right certification partner, and approach the transition strategically will benefit. Those that delay or assume business-as-usual will face increased cost, pressure, and risk as the 2028 deadline approaches.

If you are currently certified to ISO/IEC 27701:2019, or considering certification, now is the time to act.