
What does control A.3.10 require?

Relevant information security requirements related to PII processing shall be established and agreed with each supplier based on the type of supplier relationship.

This control sits within the Shared security controls annex (A.3), which contains obligations for both PII controllers and PII processors. It recognises that PII rarely stays within a single organisation — suppliers, sub-processors and partners all introduce risk that must be contractually managed.

What does the Annex B implementation guidance say?

Annex B (section B.3.10) provides the following guidance:

  • Specify PII processing — Agreements should specify whether PII is to be processed and, if so, the minimum technical and organisational measures that the supplier must implement
  • Clearly allocate responsibilities — The division of responsibilities between the organisation, its partners and its suppliers should be explicit and unambiguous
  • Compliance mechanisms — Provide a mechanism for ensuring compliance with applicable legal requirements, such as contractual clauses covering data protection obligations
  • Independent audit evidence — Consider requiring independently audited compliance (for example, ISO 27001 certification) as a way to demonstrate that suppliers meet information security requirements
  • Processor-specific guidance — Where the organisation acts as a processor, contracts with its own suppliers (sub-processors) should specify that PII is only processed according to the controller’s instructions

The guidance stresses that supplier agreements are not just a legal formality — they are the primary mechanism through which organisations extend their privacy controls into the supply chain.

How does this map to GDPR?

Control A.3.10 maps to several GDPR articles:

  • Article 5(1)(f) — Integrity and confidentiality, including when PII is handled by third parties
  • Article 28(1) — Controllers must use only processors providing sufficient guarantees
  • Article 28(3)(a-h) — Mandatory contract terms for processor agreements, including subject matter, duration, nature of processing, and obligations on both parties
  • Article 30(2)(d) — Processors must record categories of processing carried out on behalf of each controller
  • Article 32(1)(b) — Ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems

What changed from ISO 27701:2019?

For a step-by-step approach, see the Transition from 2019 to 2025.

In the 2019 edition, this requirement was covered by Clauses 6.12.1.1 and 6.12.1.2, which corresponded to the controls "information security policy for supplier relationships" and "addressing security within supplier agreements". The 2025 edition consolidates these into a single control (A.3.10) with a unified implementation guidance section in B.3.10. See the Annex F correspondence table for the full mapping.

What evidence do auditors expect?

When assessing compliance with A.3.10, auditors will typically look for:

  • Supplier register — A list of all suppliers that process PII, with details of what data they access and the nature of the processing
  • Data processing agreements — Signed contracts or clauses specifying information security requirements, responsibilities and compliance obligations
  • Due diligence records — Evidence that suppliers were assessed before engagement, including security questionnaires or certification checks
  • Ongoing monitoring — Records of periodic supplier reviews, audits or re-certification checks to confirm continued compliance
  • Sub-processor management — Where the organisation is a processor, documentation showing that sub-processors are contractually bound to the controller’s instructions

What are the related controls?

The table below lists each related control and its relationship to A.3.10:

  • A.3.9 Access rights: Supplier access to PII must be governed by the organisation’s access control policy
  • A.3.13 Legal and contractual requirements: Supplier agreements must reflect applicable legal and regulatory obligations
  • A.3.18 Confidentiality agreements: Supplier personnel with PII access should sign confidentiality agreements
  • A.3.15 Independent review: Independent audits can demonstrate supplier compliance in lieu of individual customer audits
  • A.3.12 Incident response: Supplier agreements should include breach notification obligations and response timelines

Who does this control apply to?

A.3.10 is a shared control that applies to both PII controllers and PII processors. Controllers must ensure their processors and suppliers have adequate contractual safeguards. Processors must flow down equivalent requirements to their own sub-processors, ensuring PII is only processed in accordance with the controller’s documented instructions.

Why choose ISMS.online for managing supplier privacy agreements?

ISMS.online provides practical tools for managing supplier relationships and privacy obligations:

  • Supplier management module — Maintain a central register of all suppliers that process PII, with risk ratings, contract dates and review schedules
  • Contract tracking — Store and version-control data processing agreements with automated renewal reminders
  • Due diligence workflows — Assess new suppliers against your security requirements before onboarding, with configurable questionnaire templates
  • Ongoing monitoring — Schedule periodic supplier reviews with task assignments and evidence collection
  • Audit-ready reporting — Generate supplier compliance reports showing agreement status, review history and outstanding actions
  • Sub-processor tracking — Map the full processing chain so you know exactly where PII flows through your supply network

FAQs

What should a supplier agreement include for PII processing?

At minimum, the agreement should specify whether PII is processed, the categories and volume of data involved, the minimum technical and organisational measures the supplier must implement, the allocation of responsibilities between both parties, breach notification requirements, and a mechanism for verifying compliance. Under GDPR, Article 28(3) lists mandatory contract terms that must be addressed.


Can ISO 27001 certification replace a supplier audit?

The implementation guidance specifically mentions independently audited compliance such as ISO 27001 as a mechanism for demonstrating that security requirements are met. While certification is strong evidence, organisations should still ensure the scope of the supplier’s certification covers the relevant PII processing activities. Certification alone may not address all privacy-specific requirements.


How does this differ for processors managing sub-processors?

When your organisation acts as a processor, your contracts with sub-processors must include a clause ensuring PII is processed only according to the controller’s instructions. You remain accountable to the controller for your sub-processors’ actions, so the same level of contractual rigour and due diligence should apply throughout the chain.



Max Edwards

Max works as part of the ISMS.online marketing team and ensures that our website is updated with useful content and information about all things ISO 27001, 27002 and compliance.
