What does control A.1.2.4 require?
The organisation shall determine and document a process by which it can demonstrate if, when and how consent for the processing of PII was obtained from PII principals.
This control sits within the Conditions for collection and processing objective (A.1.2). It bridges the gap between identifying your lawful basis (A.1.2.3 Identify Lawful Basis) and actually obtaining consent (A.1.2.5 Obtain and Record Consent). Where consent is the chosen lawful basis, A.1.2.4 requires you to design and document the mechanism before you begin collecting consent.
What does the implementation guidance say?
Annex B (section B.1.2.4) provides the following guidance on what consent documentation should cover:
- Whether consent was needed — Not all processing requires consent. The organisation should document its assessment of whether consent is the appropriate lawful basis for each processing activity
- How consent was obtained — The specific mechanism used (e.g. opt-in checkbox, signed form, verbal agreement with recording) should be described in sufficient detail to demonstrate validity
- When consent was obtained — The process should capture the timing of consent relative to the start of processing, demonstrating that consent was given before PII was collected
- Whether the PII principal was appropriately informed — Before giving consent, individuals must receive adequate information about the processing. The documented process should describe what information is provided and how
The guidance also highlights that some jurisdictions have specific requirements for children’s consent. Organisations processing children’s PII should document how they verify the age of the PII principal and, where required, how they obtain parental or guardian consent.
How does this map to GDPR?
Control A.1.2.4 maps to GDPR Articles 8(1) and 8(2), which deal specifically with conditions for children’s consent in relation to information society services:
- Article 8(1) — Where consent is the lawful basis and the data subject is a child, processing is lawful only if consent is given or authorised by the holder of parental responsibility. Member states may set the age threshold between 13 and 16
- Article 8(2) — The controller shall make reasonable efforts to verify that consent was given or authorised by the holder of parental responsibility, taking into account available technology
Although the GDPR mapping focuses on children’s consent, the broader consent requirements in Articles 6 and 7 are equally relevant. A.1.2.4 provides the process framework that ensures consent (for any age group) is systematically designed, documented and demonstrable.
How does this relate to ISO 29100 privacy principles?
This control supports the Consent and choice principle in ISO 29100. This principle requires that PII principals are presented with the choice whether to allow the processing of their PII, and that consent is obtained where applicable before processing. A.1.2.4 operationalises this principle by requiring the consent process itself to be pre-defined and documented, rather than handled ad hoc.
What evidence do auditors expect?
When assessing compliance with A.1.2.4, auditors will typically look for:
- Consent process documentation — A written procedure describing how, when and where consent is collected for each processing activity that relies on it
- Consent form templates — Standardised forms, scripts or UI mockups showing the exact wording, checkboxes and information presented to PII principals
- Age verification procedures — Where children’s PII is processed, documented steps for verifying age and obtaining parental consent
- Information provision evidence — Proof that PII principals receive adequate information before giving consent, such as links to privacy notices, layered notices or just-in-time disclosures
- Decision records — Documentation showing which processing activities require consent and which rely on alternative lawful bases, with the rationale for each decision
- Review schedule — Evidence that consent processes are periodically reviewed and updated when legislation or processing activities change
What are the related controls?
| Control | Relationship |
|---|---|
| A.1.2.3 Identify lawful basis | Determines whether consent is the appropriate basis and so triggers this control |
| A.1.2.5 Obtain and record consent | The operational execution of the process designed under A.1.2.4 |
| A.1.3.3 Information for PII principals | Defines what information must be provided before consent can be validly given |
| A.1.3.5 Modify or withdraw consent | Ongoing management of consent, including withdrawal mechanisms |
| A.1.2.2 Identify and document purpose | Consent must be specific to documented purposes |
| A.1.2.9 Records of processing PII | Processing records should reference the consent process used |
What changed from ISO 27701:2019?
For a step-by-step approach, see the Transition from 2019 to 2025.
In the 2019 edition, this requirement appeared as part of Clause 7.2.3 (determine when and how consent is to be obtained). The core intent is unchanged in the 2025 edition: organisations must pre-define and document their consent mechanisms before collecting consent. The restructuring into Table A.1 separates the control statement (A.1.2.4) from its implementation guidance (B.1.2.4), so the requirement and the advice on meeting it are now read in different places. The emphasis on children's consent has been retained, reflecting the continued importance of age-appropriate design across global privacy frameworks. See the Annex F correspondence table for the full mapping.
Why choose ISMS.online for designing consent processes?
ISMS.online helps you build, document and maintain consent processes that satisfy auditors and protect PII principals:
- Consent workflow builder — Define consent collection processes with step-by-step procedures, assigned owners and approval gates
- Template library — Start with pre-built consent form templates that cover common scenarios including online forms, verbal consent and parental authorisation
- Purpose-linked consent design — Connect each consent mechanism directly to the processing purpose it supports, ensuring specificity and granularity
- Children’s consent procedures — Dedicated workflow templates for age verification and parental consent that address GDPR Article 8 and equivalent requirements
- Review reminders — Automated prompts to review consent processes when regulations change, processing activities are updated, or review dates are reached
FAQs
Do we need a consent process for every processing activity?
No. A.1.2.4 requires you to document a process that can demonstrate if consent was needed — not just how it was obtained. If a processing activity relies on a different lawful basis (such as legitimate interests or contractual necessity), you should document the decision not to use consent. The key is that every processing activity has a documented rationale, whether consent is used or not.
How granular should consent be?
Consent should be specific to each distinct processing purpose. Bundled consent, where a single tick box covers multiple unrelated purposes, is unlikely to satisfy the GDPR definition of consent as "specific" (Article 4(11)), and it also makes it harder to demonstrate under A.1.2.4 exactly what each PII principal agreed to. Best practice is to offer separate consent options for each purpose, allowing PII principals to agree to some purposes while declining others. This also simplifies consent withdrawal and record-keeping, since a withdrawal can be tied to one purpose without affecting the rest.
What constitutes adequate information before consent?
Before giving consent, PII principals should understand: the identity of the organisation, the specific purpose(s) of processing, the types of PII being collected, any third parties who will receive the data, and their right to withdraw consent. The information should be presented in clear, plain language — not buried in lengthy terms and conditions. Layered notices and just-in-time disclosures are effective approaches.