What does control A.3.3 require?

Information security policies related to PII processing shall be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur.

This is the first control in the shared security controls (Table A.3), which apply to organisations acting as PII controllers, PII processors, or both. It extends the ISO 27001 requirement for information security policies to explicitly cover privacy and PII protection.

What does the implementation guidance say?

Annex B (section B.3.3) provides the following guidance:

  • Develop separate privacy policies or augment existing information security policies to address PII processing requirements
  • Include a commitment to compliance with applicable PII protection legislation and contractual terms
  • Consider legal requirements during policy development, approval and ongoing maintenance
  • Policies should be appropriate to the nature, scale and context of PII processing activities
  • Review policies at planned intervals and when significant changes occur, such as new legislation, new processing activities or organisational restructuring
  • See also A.3.13: Legal and Regulatory Requirements for related requirements
  • See also A.3.15: Independent Review of Information Security for related requirements

The guidance gives organisations flexibility in how they structure their policies. A single integrated policy covering both information security and privacy is acceptable, as is a suite of separate but linked documents. What matters is that PII processing is explicitly addressed and that the policies are demonstrably communicated and acknowledged.

How does this map to GDPR?

Control A.3.3 maps to GDPR Article 5(1)(f) (integrity and confidentiality principle) and Article 32(2) (requirement to implement appropriate technical and organisational measures). The GDPR does not prescribe the exact form of security policies, but expects organisations to have documented measures in place that are proportionate to the risk.

These GDPR articles are mapped across the broader B.3.5–B.3.16 group of shared controls, reflecting that policy is the foundation from which all other security measures flow.

How does this relate to ISO 29100 privacy principles?

As a shared security control, A.3.3 supports the broader framework of ISO 29100 principles. Well-defined information security policies that address PII processing provide the governance foundation for implementing principles such as information security, accountability and compliance.

What evidence do auditors expect?

When assessing compliance with A.3.3, auditors will typically look for:

  • Approved policy documents — Information security policies that explicitly address PII processing, with evidence of management approval (signatures, board minutes, approval records)
  • Communication records — Evidence that policies have been published and communicated to all relevant personnel and interested parties
  • Acknowledgement records — Signed or electronic acknowledgements from personnel confirming they have read and understood the policies
  • Review records — Evidence of planned reviews with dates, reviewers and any changes made
  • Legal compliance commitment — An explicit statement in the policy committing to compliance with applicable PII protection law and contractual terms

What are the related controls?

| Control | Relationship |
| --- | --- |
| A.3.4 Information security roles and responsibilities | Policies define expectations; roles and responsibilities ensure someone is accountable for implementing them |
| A.3.5 Classification of information | Classification policies should explicitly address PII as required by A.3.3 |
| A.3.6 Labelling of information | Labelling procedures implement the policy requirements for identifying PII |
| A.3.7 Information transfer | Transfer rules should be grounded in the overarching security policy |
| A.1.2.9 Records of processing PII | Policies set the governance framework within which processing records are maintained |

What changed from ISO 27701:2019?

For a step-by-step approach, see the Transition from 2019 to 2025.

In the 2019 edition, this requirement was split across Clauses 6.2.1.1 and 6.2.1.2. Clause 6.2.1.1 covered the general requirement for information security policies to consider PII processing, while 6.2.1.2 addressed the management commitment aspect. The 2025 edition consolidates these into a single control (A.3.3) with unified implementation guidance in B.3.3. The substance is the same, but the structure is cleaner. See the Annex F correspondence table for the full mapping.

Why choose ISMS.online for managing information security policies?

ISMS.online gives you everything you need to create, communicate and maintain compliant policies:

  • Pre-built policy templates — Start with templates aligned to ISO 27001 and ISO 27701, then customise them for your organisation’s PII processing activities
  • Version control — Track every change to every policy with full version history, so you always know what was in force and when
  • Acknowledgement tracking — Assign policies to personnel and track who has read and acknowledged them, with automated reminders for outstanding acknowledgements
  • Scheduled reviews — Set review dates for each policy and receive alerts when reviews are due, ensuring policies are never left to go stale
  • Linked evidence — Connect policies to the controls they support, creating a clear audit trail from policy to implementation

FAQs

Should we create a separate privacy policy or update existing security policies?

The standard allows either approach. A separate privacy policy works well for organisations with complex PII processing, as it can address privacy-specific topics in detail. Augmenting existing policies is more practical for smaller organisations or those with simpler processing activities. The key requirement is that PII processing is explicitly and adequately addressed, whichever approach you choose.


Who needs to acknowledge the policies?

All relevant personnel and relevant interested parties. “Relevant personnel” includes anyone who processes PII or has access to systems that process PII. “Relevant interested parties” may include contractors, temporary staff, third-party processors, or even customers where contractual obligations require awareness of the organisation’s security policies. The scope should be defined based on the organisation’s context.


How often should policies be reviewed?

At planned intervals (typically annually) and when significant changes occur. Significant changes include new PII processing activities, changes to applicable legislation, organisational restructuring, security incidents that reveal policy gaps, or changes to the technology environment. A fixed annual review combined with a trigger-based review process is the most common approach.



Max Edwards

Max works as part of the ISMS.online marketing team and ensures that our website is updated with useful content and information about all things ISO 27001, 27002 and compliance.
