What are the PII controller controls in ISO 27701:2025?
Table A.1 of ISO 27701:2025 Annex A defines 31 controls that apply to any organisation acting as a PII controller. A PII controller is an organisation that determines the purposes and means of processing personally identifiable information.
These controls are grouped into four objectives:
- Conditions for collection and processing (A.1.2) — 8 controls covering lawful basis, consent, privacy impact assessment, contracts and records
- Obligations to PII principals (A.1.3) — 10 controls covering transparency, data subject rights, automated decisions and request handling
- Privacy by design and privacy by default (A.1.4) — 9 controls covering data minimisation, retention, disposal and transmission
- PII sharing, transfer and disclosure (A.1.5) — 4 controls covering cross-border transfers and disclosure records
Each control has corresponding implementation guidance in Annex B (section B.1). For example, guidance for control A.1.2.2 Identify and Document Purpose is found at B.1.2.2.
Conditions for collection and processing (A.1.2)
Objective: To demonstrate that processing is lawful, with a legal basis per applicable jurisdictions, and with clearly defined and legitimate purposes.
| Control | Title | Summary |
|---|---|---|
| A.1.2.2 Identify and Document Purpose | Identify and document purpose | Identify and document the specific purposes for which PII will be processed |
| A.1.2.3 Identify Lawful Basis | Identify lawful basis | Determine, document and demonstrate compliance with the relevant lawful basis |
| A.1.2.4 Determine Consent | Determine when and how consent is to be obtained | Document a process to demonstrate if, when and how consent was obtained |
| A.1.2.5 Obtain and Record Consent | Obtain and record consent | Obtain and record consent from PII principals according to documented processes |
| A.1.2.6 Privacy Impact Assessment | Privacy impact assessment | Assess the need for and implement privacy impact assessments for new or changed processing |
| A.1.2.7 Contracts with PII Processors | Contracts with PII processors | Ensure written contracts with PII processors address appropriate Annex A controls |
| A.1.2.8 Joint PII Controller | Joint PII controller | Determine roles and responsibilities with any joint PII controller |
| A.1.2.9 Records of Processing PII | Records related to processing PII | Determine and securely maintain records in support of PII processing obligations |
Start your free trial
Want to explore?
Sign up for your free trial today and get hands on with all the compliance features that ISMS.online has to offer
Obligations to PII principals (A.1.3)
Objective: To ensure PII principals are provided with appropriate information about the processing of their PII and to meet any other applicable obligations.
| Control | Title | Summary |
|---|---|---|
| A.1.3.2 Obligations to PII Principals | Determining and fulfilling obligations to PII principals | Determine and document legal, regulatory and business obligations to PII principals |
| A.1.3.3 Information for PII Principals | Determining information for PII principals | Determine and document what information to provide to PII principals and when |
| A.1.3.4 Providing Information | Providing information to PII principals | Provide clear, accessible information identifying the controller and describing processing |
| A.1.3.5 Modify or Withdraw Consent | Providing mechanism to modify or withdraw consent | Provide a mechanism for PII principals to modify or withdraw consent |
| A.1.3.6 Object to PII Processing | Providing mechanism to object to PII processing | Provide a mechanism for PII principals to object to processing |
| A.1.3.7 Access, Correction or Erasure | Access, correction or erasure | Implement policies and mechanisms to meet access, correction or erasure obligations |
| A.1.3.8 Inform Third Parties | PII controllers’ obligations to inform third parties | Inform third parties of modifications, withdrawals or objections to shared PII |
| A.1.3.9 Providing Copy of PII | Providing copy of PII processed | Provide a copy of PII processed when requested by the PII principal |
| A.1.3.10 Handling Requests | Handling requests | Define and document policies for handling legitimate requests from PII principals |
| A.1.3.11 Automated Decision Making | Automated decision making | Identify obligations from decisions based solely on automated processing of PII |
Privacy by design and privacy by default (A.1.4)
Objective: To ensure processes and systems are designed such that collection and processing of PII are limited to what is necessary for the identified purpose.
| Control | Title | Summary |
|---|---|---|
| A.1.4.2 Limit Collection | Limit collection | Limit PII collection to the minimum that is relevant, proportional and necessary |
| A.1.4.3 Limit Processing | Limit processing | Limit processing to what is adequate, relevant and necessary for identified purposes |
| A.1.4.4 Accuracy and Quality | Accuracy and quality | Ensure PII is accurate, complete and up to date throughout its life cycle |
| A.1.4.5 PII Minimisation | PII minimization objectives | Define and document data minimisation objectives and mechanisms |
| A.1.4.6 De-identification and Deletion | PII de-identification and deletion | Delete PII or render it non-identifiable when no longer necessary |
| A.1.4.7 Temporary Files | Temporary files | Dispose of temporary files from PII processing within a documented period |
| A.1.4.8 Retention | Retention | Do not retain PII longer than necessary for the processing purposes |
| A.1.4.9 Disposal | Disposal | Have documented policies, procedures and mechanisms for PII disposal |
| A.1.4.10 PII Transmission Controls | PII transmission controls | Subject PII transmitted over networks to appropriate controls |
Manage all your compliance, all in one place
ISMS.online supports over 100 standards and regulations, giving you a single platform for all your compliance needs.
PII sharing, transfer and disclosure (A.1.5)
Objective: To determine whether, and document when, PII is shared, transferred or disclosed in accordance with applicable obligations.
| Control | Title | Summary |
|---|---|---|
| A.1.5.2 Basis for PII Transfer | Identify basis for PII transfer between jurisdictions | Identify and document the basis for international PII transfers |
| A.1.5.3 Countries for PII Transfer | Countries and international organizations for PII transfer | Specify and document the countries and organisations PII can be transferred to |
| A.1.5.4 Records of PII Transfer | Records of transfer of PII | Record PII transfers to or from third parties and ensure cooperation |
| A.1.5.5 Records of PII Disclosures | Records of PII disclosures to third parties | Record disclosures including what was disclosed, to whom and when |
How do these controls relate to GDPR?
The PII controller controls map extensively to GDPR requirements. Key connections include:
- A.1.2 (Collection and processing) maps to GDPR Articles 5–6 (principles and lawful basis), Article 7 (consent), Articles 8–9 (children and special categories)
- A.1.3 (Obligations to PII principals) maps to GDPR Articles 12–22 (data subject rights, including access, rectification, erasure, portability and automated decisions)
- A.1.4 (Privacy by design) maps to GDPR Article 25 (data protection by design and by default) and Article 5(1)(c–e) (minimisation, accuracy, storage limitation)
- A.1.5 (Transfers) maps to GDPR Articles 44–49 (international transfers, adequacy, safeguards, BCRs)
Why choose ISMS.online for PII controller compliance?
ISMS.online helps you implement and evidence every Table A.1 control:
- Pre-built control framework — All 31 controller controls mapped and ready for your statement of applicability
- Consent management — Document consent processes, records and withdrawal mechanisms
- PIA workflow — Conduct and track privacy impact assessments with templated forms
- Data subject request tracking — Log and manage access, correction and erasure requests with SLA tracking
- Transfer records — Maintain a register of international transfers with legal basis documentation
- Processor contract management — Track contracts, due diligence and compliance obligations for each processor
FAQs
Do all 31 controls apply to every PII controller?
Not necessarily. You must include all applicable controls in your statement of applicability, but controls can be excluded where your risk assessment determines they are not necessary or where they are not required by applicable law. Any exclusion must be justified.
What is the difference between Table A.1 and Table A.3?
Table A.1 contains controls specific to PII controllers (e.g. consent, data subject rights, privacy impact assessments). Table A.3 contains information security controls that apply to both controllers and processors (e.g. access control, logging, cryptography). As a PII controller, both tables apply to you.
Where do I find the implementation guidance for these controls?
Annex B section B.1 provides implementation guidance for every Table A.1 control. The numbering matches directly: guidance for A.1.2.2 Identify and Document Purpose is at B.1.2.2, guidance for A.1.3.7 Access, Correction or Erasure is at B.1.3.7, and so on.
