What does control A.1.2.2 require?
The organisation shall identify and document the specific purposes for which the PII will be processed.
This control sits within the Conditions for collection and processing objective (A.1.2), which aims to demonstrate that processing is lawful, with a legal basis per applicable jurisdictions, and with clearly defined and legitimate purposes.
What does the implementation guidance say?
Annex B (section B.1.2.2) provides the following guidance:
- The organisation should ensure that PII principals understand the purpose for which their PII is processed
- It is the organisation’s responsibility to clearly document and communicate this to PII principals
- Without a clear statement of purpose, consent and choice cannot be adequately given
- Documentation of purposes should be sufficiently clear and detailed to support the information provided to PII principals (see A.1.3.3 Information for PII Principals)
- Purpose documentation should include information necessary to obtain consent (see A.1.2.4 Determine Consent) and documented information of policies and procedures (see A.1.2.9 Records of Processing PII)
- See also A.1.2.5: Obtain and Record Consent for related requirements
- See also A.1.3.5: Modify or Withdraw Consent for related requirements
The guidance also notes that the taxonomy and definitions in ISO/IEC 19944-1 can be helpful for describing processing purposes in cloud computing contexts.
How does this map to GDPR?
Control A.1.2.2 maps to GDPR Article 5(1)(b) (the purpose limitation principle) and Article 32(4) (ensuring that any person acting under the authority of the controller or processor processes personal data only on the controller's instructions). The GDPR requires that personal data be collected for specified, explicit and legitimate purposes, and not further processed in a manner incompatible with those purposes.
How does this relate to ISO 29100 privacy principles?
This control supports two ISO 29100 privacy principles:
- Consent and choice — Clear purpose documentation enables meaningful consent
- Purpose legitimacy and specification — Directly addresses the requirement for specified, legitimate purposes
What evidence do auditors expect?
When assessing compliance with A.1.2.2, auditors will typically look for:
- Processing purpose register — A documented list of all PII processing activities with their stated purposes
- Privacy notices — Evidence that purposes are communicated to PII principals in clear, accessible language
- Records of processing activities — Documented records showing purposes for each category of PII processed
- Change management — Evidence that new processing purposes are assessed and documented before processing begins
- Alignment with consent records — That purposes documented in consent forms match the actual processing being performed
What are the related controls?
| Control | Relationship |
|---|---|
| A.1.2.3 Identify lawful basis | Once purposes are defined, the lawful basis for each must be identified |
| A.1.2.4 Determine consent | Consent processes depend on clearly documented purposes |
| A.1.2.9 Records of Processing PII | Purpose documentation feeds into the processing records |
| A.1.3.3 Information for PII principals | Purposes must be communicated to PII principals |
| A.1.3.4 Providing information | Clear, accessible purpose descriptions in privacy notices |
| A.1.4.3 Limit processing | Processing must be limited to what is necessary for the documented purposes |
What changed from ISO 27701:2019?
For a step-by-step approach, see the Transition from 2019 to 2025.
In the 2019 edition, this requirement was part of Clause 7.2.1 (identify and document purpose). The control content is substantively the same in 2025, but it now sits in Table A.1 with a clearer separation between the control statement (A.1.2.2) and implementation guidance (B.1.2.2). See the Annex F correspondence table for the full mapping.
Why choose ISMS.online for managing processing purposes?
ISMS.online provides practical tools for documenting and managing processing purposes:
- Processing activity register — Document each processing activity with its stated purpose, categories of PII and legal basis
- Privacy notice management — Maintain version-controlled privacy notices linked to processing purposes
- Change tracking — Log when purposes are added, changed or retired with full audit trail
- Cross-referencing — Link purposes to consent records, privacy impact assessments and data subject requests
- Audit evidence — Export purpose documentation as part of your compliance evidence pack
FAQs
How detailed should purpose documentation be?
Sufficiently clear and detailed so that it can be used as part of the information provided to PII principals and as the basis for obtaining consent. Vague purposes like “business operations” or “improving services” are unlikely to meet the standard. Each purpose should describe the specific outcome of the processing.
What happens if purposes change after collection?
Any new purpose must be documented and assessed for compatibility with the original purpose. If the new purpose is not compatible, additional consent or a separate lawful basis is typically required. The change should be reflected in updated privacy notices and processing records.
Does this apply to PII processors as well?
A.1.2.2 is a PII controller control. PII processors have a related but different obligation under A.2.2.3 Organization's purposes, which requires them to process PII only for the purposes documented in the customer's instructions.