
What does control A.1.2.5 require?

The organisation shall obtain and record consent from PII principals according to the documented processes.

This control sits within the Conditions for collection and processing objective (A.1.2) and represents the operational step that follows A.1.2.4 Determine Consent (designing the consent process). Where A.1.2.4 Determine Consent defines how consent will be collected, A.1.2.5 ensures that the organisation actually follows through — obtaining consent in practice and maintaining records that prove it.

What does the implementation guidance say?

Annex B (section B.1.2.5) provides the following guidance:

  • The organisation should be able to demonstrate that consent was freely given — PII principals must not be coerced, penalised for refusing, or presented with pre-ticked boxes
  • Consent must be specific — tied to a particular, clearly articulated processing purpose rather than a blanket approval
  • Consent must be unambiguous and explicit — expressed through a clear affirmative action (e.g. ticking a box, clicking a button, signing a form) rather than inferred from silence or inactivity
  • Records of consent should capture: identification of the PII principal, the time consent was provided, and the consent statement to which the principal agreed

These three elements — freely given, specific, and unambiguous and explicit — align with the GDPR's definition of valid consent and have become the de facto international standard for consent quality.

How does this map to GDPR?

Control A.1.2.5 maps to the following GDPR provisions:

  • Article 7(1) — Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented. This is the direct accountability requirement — you must keep records
  • Article 7(2) — If consent is given in a written declaration that also concerns other matters, the request for consent must be clearly distinguishable, in intelligible and easily accessible form, and in clear and plain language
  • Article 9(2)(a) — For special categories of data, explicit consent is required. This raises the bar from standard consent — the PII principal must expressly confirm their agreement, typically through an additional affirmative step

How does this relate to ISO 29100 privacy principles?

This control supports the Consent and choice principle in ISO 29100. While A.1.2.4 Determine Consent addresses the design of the consent mechanism, A.1.2.5 addresses its execution — ensuring that the PII principal’s choice is actually captured and preserved as evidence. Together, these controls provide the complete implementation of the consent and choice principle.




ISMS.online supports over 100 standards and regulations, giving you a single platform for all your compliance needs.


What evidence do auditors expect?

When assessing compliance with A.1.2.5, auditors will typically look for:

  • Consent records database — A centralised store of consent records with the three required elements: identification of PII principal, time consent was provided, and the consent statement
  • Sample consent records — Auditors will typically pull a sample to verify completeness, checking that all fields are populated and timestamps are plausible
  • Consent mechanism screenshots — Evidence of the actual interface or form presented to PII principals, showing no pre-ticked boxes and clear affirmative action requirements
  • Version history — Records of what consent wording was in use at the time each consent was obtained, not just the current version
  • Explicit consent for special categories — Enhanced records for sensitive data processing, showing the additional affirmative step taken
  • Withdrawal records — Evidence that consent withdrawal requests were actioned and that processing ceased (links to A.1.3.5 Modify or Withdraw Consent)
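The consent record described in the list above, written out as an added example (not ISMS.online code and not taken from the standard): a minimal append-only consent register that stores the three required elements (PII principal, time, consent statement version), refuses anything that is not a clear affirmative action, records withdrawals as new events rather than deletions, and chains records with SHA-256 so that an edited record is detectable when an auditor samples it. The field names and the mechanism vocabulary are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
import hashlib, json

# Mechanisms the page's FAQ accepts as a clear affirmative action; anything else
# (pre-ticked box, silence, continued browsing) is refused at record time.
AFFIRMATIVE = {"checkbox_ticked", "button_clicked", "form_signed", "verbal_recorded"}

@dataclass
class ConsentEvent:
    principal_id: str       # identification of the PII principal
    recorded_at: str        # time consent was provided (system clock, UTC)
    purpose: str            # the specific documented purpose (A.1.2.2)
    statement_version: str  # which consent wording was shown (version history)
    mechanism: str          # how the affirmative action was expressed
    event: str              # "granted" or "withdrawn"
    prev_hash: str          # hash of the previous event: tamper-evident chain
    record_hash: str = ""

def _digest(ev):
    body = {k: v for k, v in vars(ev).items() if k != "record_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class ConsentRegister:
    def __init__(self, statements):
        self.statements = statements  # version -> exact wording in force at the time
        self.events = []              # append-only; records are never edited in place
    def _append(self, pid, purpose, version, mechanism, event):
        prev = self.events[-1].record_hash if self.events else "0" * 64
        ev = ConsentEvent(pid, datetime.now(timezone.utc).isoformat(), purpose,
                          version, mechanism, event, prev)
        ev.record_hash = _digest(ev)
        self.events.append(ev)
        return ev
    def latest(self, pid, purpose):  # most recent event for this principal/purpose
        hits = [e for e in self.events if (e.principal_id, e.purpose) == (pid, purpose)]
        return hits[-1] if hits else None
    def grant(self, pid, purpose, version, mechanism):
        if mechanism not in AFFIRMATIVE or version not in self.statements:
            raise ValueError("need a clear affirmative action and a published wording version")
        return self._append(pid, purpose, version, mechanism, "granted")
    def withdraw(self, pid, purpose):  # A.1.3.5: withdrawal is appended, never deleted
        last = self.latest(pid, purpose)
        if last is None or last.event != "granted":
            raise ValueError("no active consent on record to withdraw")
        return self._append(pid, purpose, last.statement_version, "withdrawal", "withdrawn")
    def verify_chain(self):  # detects edited or reordered records (not tail truncation)
        expected = ["0" * 64] + [e.record_hash for e in self.events[:-1]]
        return all(e.prev_hash == p and _digest(e) == e.record_hash
                   for e, p in zip(self.events, expected))
```

Because every withdrawal is a new event, the register can show an auditor both the original consent and the moment processing should have stopped, without losing the wording version that was in force at the time.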

What are the related controls?

Each related control and its relationship to A.1.2.5:

  • A.1.2.4 Determine consent — Defines the consent process that A.1.2.5 implements
  • A.1.2.3 Identify lawful basis — Consent recording is only required where consent is the chosen lawful basis
  • A.1.3.5 Modify or Withdraw Consent — Ongoing management of consent, including refresh and withdrawal mechanisms
  • A.1.3.3 Information for PII principals — Information provision is a prerequisite for valid informed consent
  • A.1.2.2 Identify and document purpose — Consent must reference the specific documented purpose
  • A.1.2.9 Records of Processing PII — Consent records form part of the broader processing records

What changed from ISO 27701:2019?

For a step-by-step approach, see the Transition from 2019 to 2025.

In the 2019 edition, this requirement appeared as Clause 7.2.4 (obtain and record consent). The substance of the control is unchanged in the 2025 edition — the three qualities of valid consent (freely given, specific, and unambiguous and explicit) and the three elements of a consent record (identification, time, and consent statement) remain the same. The restructuring into Table A.1 provides a cleaner reference structure with the control statement in A.1.2.5 and implementation guidance in B.1.2.5. See the Annex F correspondence table for the full mapping.


Why choose ISMS.online for consent record management?

ISMS.online makes it straightforward to obtain, store and demonstrate valid consent:

  • Centralised consent register — Store all consent records in one searchable location with the four required fields (identity, date/time, purpose, information provided) captured by default
  • Timestamped audit trail — Every consent event is automatically timestamped and immutable, giving auditors the evidence they need without manual record-keeping
  • Version-controlled consent wording — Retain a history of every consent form version so you can prove what wording was in use when each consent was collected
  • Withdrawal tracking — Record consent withdrawals alongside the original consent, with automatic task creation to ensure processing ceases promptly
  • Bulk export for audits — Export consent records by date range, purpose or processing activity to build evidence packs quickly when audit time arrives
  • Special category flagging — Automatically identify where explicit consent is required and prompt for the enhanced affirmative action step

FAQs

How long should consent records be retained?

Consent records should be retained for at least as long as the processing they authorise continues, plus any period required by applicable law for demonstrating compliance. Under GDPR, the accountability principle means you must be able to prove valid consent existed for the entire duration of processing. Many organisations retain consent records for the statutory limitation period (typically 6 years in the UK) after processing ends, in case of regulatory challenge.


What counts as a clear affirmative action?

An affirmative action requires a deliberate, positive step by the PII principal. Examples include: ticking an unticked checkbox, clicking a clearly labelled “I agree” button, signing a form, or providing a verbal statement that is recorded. Silence, pre-ticked boxes, continued browsing, and failure to opt out are not affirmative actions and do not constitute valid consent under this control or under GDPR.


Is electronic consent as valid as written consent?

Yes. ISO 27701:2025 does not prescribe the format of consent — electronic and written consent are equally valid provided they meet the three quality criteria (freely given, specific, and unambiguous and explicit). Electronic consent can actually be easier to evidence because digital systems can automatically capture timestamps, IP addresses and the exact version of information presented. The key is that your recording mechanism captures all three required elements reliably.



Max Edwards

Max works as part of the ISMS.online marketing team and ensures that our website is updated with useful content and information about all things ISO 27001, 27002 and compliance.
