
What does control A.3.4 require?

Information security roles and responsibilities related to PII processing shall be defined and allocated according to the organisational needs.

This control sits within the shared security controls (Table A.3), applying to both PII controllers and PII processors. It builds on A.3.3 Information Security Policies by ensuring that the policies defined there have clear ownership and accountability.

What does the implementation guidance say?

Annex B (section B.3.4) provides detailed guidance on the roles that should be established:

  • Customer contact point — Designate a point of contact for customers regarding PII processing matters
  • PII principal contact point — Designate a contact point for PII principals (data subjects) to exercise their rights and raise concerns
  • Privacy programme owner — Appoint one or more persons responsible for the privacy programme, such as a Data Protection Officer (DPO)

For the privacy programme owner, the guidance adds three expectations:

  • Independence — the responsible person should have the authority to carry out their role without conflict of interest
  • Expertise — the responsible person should have expert knowledge of data protection law and practice
  • Regulator liaison — the responsible person should act as the contact for supervisory authorities

See also A.3.13 Legal and Regulatory Requirements and A.3.15 Independent Review of Information Security for related requirements.

The guidance aligns closely with GDPR DPO requirements but is written in jurisdiction-neutral terms, making it applicable regardless of which privacy laws the organisation operates under.

How does this map to GDPR?

Control A.3.4 corresponds (via Clause 5.3 of ISO 27701) to GDPR Articles 37–39. These are related provisions rather than a formal Annex D mapping:

  • Article 37 — Designation of the Data Protection Officer, including the circumstances in which a DPO must be appointed
  • Article 38 — Position of the DPO, including independence, resources and reporting line
  • Article 39 — Tasks of the DPO, including informing, advising, monitoring compliance and acting as contact for the supervisory authority

Organisations subject to GDPR that are required to appoint a DPO will find that satisfying A.3.4 largely addresses their DPO obligations, provided the appointed person meets the specific GDPR requirements for expertise and independence.

How does this relate to ISO 29100 privacy principles?

As a shared security control, A.3.4 supports the broader ISO 29100 framework. Clear allocation of roles and responsibilities is a fundamental governance mechanism that underpins the accountability principle and ensures that someone is answerable for every aspect of PII protection.




ISMS.online supports over 100 standards and regulations, giving you a single platform for all your compliance needs.
What evidence do auditors expect?

When assessing compliance with A.3.4, auditors will typically look for:

  • Role definitions — Documented descriptions of all privacy-related roles, including scope, authority and reporting lines
  • Appointment records — Evidence that roles have been formally allocated to named individuals (DPO appointment letter, board resolution, etc.)
  • Independence evidence — Demonstration that the privacy programme owner does not have a conflict of interest (e.g. they do not also determine the purposes of PII processing)
  • Competence records — Evidence of the appointed person’s expertise in data protection (qualifications, training records, experience)
  • Contact point documentation — Published contact details for PII principals and customers, accessible through privacy notices or the organisation’s website

What are the related controls?

  • A.3.3 Policies for information security — Policies define what must be done; roles define who is accountable for doing it
  • A.3.8 Identity management — Role-based access is grounded in clearly defined roles and responsibilities
  • A.1.3.3 Determining information for PII principals — Contact points for PII principals must be communicated as part of the information provided to them
  • A.1.2.9 Records of processing PII — Processing records should identify the responsible persons for each processing activity
  • A.3.5 Classification of information — Information owners (a defined role) are responsible for classification decisions

What changed from ISO 27701:2019?

For a step-by-step approach, see the Transition from 2019 to 2025 guide.

In the 2019 edition, this requirement was covered under Clause 6.3.1.1. The 2025 version consolidates the guidance into a cleaner structure under A.3.4/B.3.4 and places stronger emphasis on the DPO-equivalent role. The requirements for independence, expertise and supervisory authority contact are now more prominently positioned. See the Annex F correspondence table for the full mapping.

Why choose ISMS.online for defining privacy roles and responsibilities?

ISMS.online provides the structure to define, assign and track accountability across your privacy programme:

  • Organisational structure mapping — Define privacy roles with clear descriptions, scope and authority, and assign them to named individuals within the platform
  • RACI matrices — Map who is Responsible, Accountable, Consulted and Informed for each privacy control and processing activity
  • Task assignment and tracking — Allocate specific privacy tasks to role holders and track completion against deadlines
  • Competence records — Maintain training and qualification records for privacy role holders alongside their role assignments
  • Audit-ready reporting — Generate reports showing all privacy roles, their holders, and the evidence of their competence and independence
  • Segregation of duties — Configure access controls within the platform to reflect the independence requirements for the DPO/privacy programme owner

FAQs

Is a Data Protection Officer mandatory under ISO 27701?

ISO 27701 requires “one or more persons responsible for the privacy programme” but does not mandate the specific title of DPO. However, if GDPR applies to your organisation and you meet the criteria in Article 37 (you are a public authority or body, or your core activities consist of regular and systematic large-scale monitoring of data subjects, or of large-scale processing of special category or criminal conviction data), a DPO is mandatory. The ISO 27701 control is designed to satisfy DPO requirements where they exist, while being flexible enough for jurisdictions without a formal DPO requirement.


What does independence mean in practice?

The person responsible for the privacy programme should not be in a position where their other responsibilities create a conflict of interest with their privacy role. For example, a Chief Technology Officer who determines the purposes and means of processing would not be considered independent. The privacy role holder should report directly to the highest level of management, have access to the resources needed for the role, and not receive instructions regarding the exercise of their privacy tasks.


Can one person hold multiple privacy roles?

Yes, provided there is no conflict of interest and the person has the capacity and competence to fulfil all assigned roles. In smaller organisations, it is common for one individual to serve as both the customer contact point and the PII principal contact point. However, the privacy programme owner role should not be combined with roles that determine the purposes and means of processing, as this would compromise independence.



Max Edwards

Max works as part of the ISMS.online marketing team and ensures that our website is updated with useful content and information about all things ISO 27001, 27002 and compliance.
