Transition Arrangements for Privacy Information Management Systems (PIMS)

This Technical Bulletin provides information on the transition arrangements for ISO/IEC 27701:2025 Information security, cybersecurity and privacy protection – Privacy information management systems – Requirements and guidance and ISO/IEC 27706:2025 Information security, cybersecurity and privacy protection – Requirements for bodies providing audit and certification of privacy information management systems.

Introduction

This Technical Bulletin is applicable to all Privacy Information Management Systems (PIMS) Certification Bodies.

Following the publication of ISO/IEC 27701:2025 & ISO/IEC 27706:2025, this bulletin has been produced to update Certification Bodies and other relevant stakeholders on the UKAS assessment process and overall timelines for assessment, transition and migration to these new standards.

ISO/IEC 27701:2025

Compared with the previous ISO/IEC 27701:2019 standard, which was an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management, the new ISO/IEC 27701:2025 standard has mainly:

  • Converted PIMS into a standalone management system standard
  • Incorporated the latest harmonized structure for management system standards
  • Strengthened leadership, governance, and performance evaluation requirements
  • Introduced climate change considerations
  • Formally embedded privacy risk management within the management system
  • Restructured and clarified controller and processor controls

ISO/IEC 27706:2025

Additionally, compared with the previous ISO/IEC TS 27006-2:2021 requirements for bodies providing audit and certification of privacy information management systems, the new ISO/IEC 27706:2025 standard has mainly:

  • Established a dedicated, certifiable framework specifically for bodies auditing and certifying PIMS against ISO/IEC 27701:2025
  • Introduced defined competence requirements for PIMS auditors, technical experts, and certification decision-makers
  • Strengthened impartiality, independence, and governance expectations for certification bodies conducting PIMS audits
  • Required structured evaluation of privacy risk management, leadership, and performance monitoring during PIMS assessments
  • Provided specific audit duration and scope determination criteria tailored to controller and processor roles

Transition Plan

UKAS has developed a transition plan in line with the consensus reached by the IAF ICT and Data Security (ICTDS) working group and is now ready to assess against the requirements of the new standards. This will be classed as a transition to ISO/IEC 27701:2025 and a migration to ISO/IEC 27706:2025.

To enable the transition to progress in a timely manner, UKAS accredited Certification Bodies are requested to complete a documented gap analysis (F659 Transition Requirements and Gap Analysis – ISO/IEC 27701:2025 and F660 Transition Requirements and Gap Analysis – ISO/IEC 27706:2025), with supporting evidence confirming that they have implemented the changes introduced by ISO/IEC 27701:2025 and ISO/IEC 27706:2025, and to submit it to UKAS no later than December 2026 so that the transition timescales can be achieved. The submitted information shall include:

  • the gap analysis of the changes in ISO/IEC 27701:2025 & ISO/IEC 27706:2025
  • the transition arrangements and evidence of implementation within the CAB’s management system
  • evidence of the training and authorisation of relevant personnel (as applicable)

Given the limited number and nature of changes introduced by ISO/IEC 27701:2025 and ISO/IEC 27706:2025, it is not envisaged that significant additional assessment effort will be required by UKAS to review the changes made by the Certification Body; however, this is dependent on the clarity of the information submitted by the CB. It is estimated that an initial 1.75 days of effort (minimum) will be required to assess the changes, complete the report and finalise the associated back-office administration.

UKAS Assessment Approach

  1. UKAS will complete a desktop assessment of the CAB’s submission of a detailed gap analysis and evidence of full implementation of the revised requirements of ISO/IEC 27701:2025 and ISO/IEC 27706:2025 (including completion of training for all applicable certification personnel). The CAB’s transition / migration arrangements and timeframes (for their own customers) will also be assessed to confirm alignment with the UKAS transition and migration plan.
  2. UKAS will raise mandatory and recommended improvement actions in the normal way (via the UKAS assessment portal and documented in the assessment report). The normal 30-day improvement action deadline will apply.
  3. A CAB head office assessment will only be required if there are significant concerns or gaps in conformity that cannot be addressed via the normal corrective/improvement action process. This may be conducted as an extra assessment or as part of routine surveillance or reassessment, provided they fall within the timelines specified in this plan.

Timeline:

Date                 Milestone / Activity
14 October 2025      Publication of ISO/IEC 27701:2025 & ISO/IEC 27706:2025
31 April 2026        UKAS ready to assess
01 May 2026          Assessment of CABs to commence
31 October 2027      UKAS to have transitioned all accredited CABs
31 October 2028      CABs to have transitioned all certified clients
