What does control A.1.2.7 require?

The organisation shall have a written contract with any PII processor that it uses, and shall ensure that their contracts with PII processors address the implementation of the appropriate controls in Annex A (see Table A.2).

This control sits within the Conditions for collection and processing objective (A.1.2). It recognises that many organisations do not process PII entirely in-house — they engage cloud providers, payroll bureaux, marketing platforms and other third parties to process PII on their behalf. A.1.2.7 ensures that these arrangements are governed by formal contracts that extend privacy and security obligations to the processor.

The reference to Table A.2 is significant: it means the contract must address the PII processor controls defined in the standard, not just general data protection clauses.

What does the implementation guidance say?

Annex B (section B.1.2.7) provides the following guidance on what processor contracts should specify:

  • Nature and purpose of processing — What the processor will do with the PII and why
  • Types of PII processed — The categories of personal data the processor will handle (e.g. contact details, financial data, health records)
  • Duration of processing — How long the processor will process PII and what happens to the data at the end of the contract
  • Obligations of the processor — Specific duties the processor must fulfil, including implementing the Table A.2 controls appropriate to the processing
  • Rights and obligations of the controller — The organisation’s right to audit, give instructions, and approve or reject sub-processors
  • Requirements to implement Table A.2 controls — The contract must reference or incorporate the specific processor controls from Annex A that are relevant to the processing activities

The guidance also notes that organisations should consider sub-processing provisions — whether the processor is permitted to engage further processors, and if so, under what conditions and with what notification requirements.

How does this map to GDPR?

Control A.1.2.7 maps to the following GDPR provisions:

  • Article 5(2) — The accountability principle, which requires controllers to be able to demonstrate compliance. Written processor contracts are a key accountability mechanism
  • Article 28(3)(e) — Processor contracts must require the processor to assist the controller in ensuring compliance with obligations under Articles 32–36 (security, breach notification, DPIAs and prior consultation)
  • Article 28(9) — The contract shall be in writing, including in electronic form

GDPR Article 28 contains additional mandatory contract clauses beyond what ISO 27701 explicitly requires — including requirements for the processor to act only on documented instructions, ensure confidentiality of processing personnel, delete or return data after the contract ends, and make available all information necessary to demonstrate compliance. Organisations aiming for full GDPR alignment should ensure their contracts cover all Article 28(3) requirements.

How does this relate to ISO 29100 privacy principles?

This control supports two ISO 29100 privacy principles:

  • Accountability — Contracts extend accountability for PII protection beyond the controller’s own operations to its processors, ensuring the entire processing chain is governed
  • Information security — Contracts requiring implementation of Table A.2 controls ensure that processors apply appropriate security measures to the PII they handle



ISMS.online supports over 100 standards and regulations, giving you a single platform for all your compliance needs.


What evidence do auditors expect?

When assessing compliance with A.1.2.7, auditors will typically look for:

  • Processor register — A complete list of all PII processors engaged by the organisation, with the processing activities they perform
  • Signed contracts or DPAs — Written agreements with each processor, either as standalone data processing agreements (DPAs) or as clauses within broader service agreements
  • Table A.2 coverage analysis — Evidence that the contract addresses the relevant processor controls from Table A.2, either by explicit reference or by incorporating equivalent requirements
  • Sub-processor provisions — Clauses addressing whether and how the processor may engage further processors, including notification and approval mechanisms
  • Contract review records — Evidence that processor contracts are periodically reviewed and updated, particularly when processing activities change or the standard is updated
  • Due diligence records — Evidence that the organisation assessed the processor’s ability to implement the required controls before entering the contract

What are the related controls?

Control and its relationship to A.1.2.7:

  • Table A.2 (PII processor controls) — The controls that must be addressed in processor contracts
  • A.1.2.6 Privacy impact assessment — PIAs should consider risks arising from processor arrangements
  • A.1.5.2 Basis for PII transfer between jurisdictions — Sharing PII with processors is a form of disclosure that must be governed
  • A.1.2.8 Joint PII controller — Where a relationship is joint controllership rather than controller-processor, different contractual requirements apply
  • A.1.2.9 Records of processing PII — Processing records should identify which activities involve processors
  • ISO 27001 A.5.19–A.5.22 — Supplier relationship security controls in the underlying ISMS

What changed from ISO 27701:2019?

In the 2019 edition, this requirement appeared as Clause 7.2.6 (contracts with PII processors). The core requirement — written contracts addressing appropriate controls — is unchanged. The 2025 edition strengthens the requirement by explicitly referencing Table A.2, which provides a clearer and more structured set of processor controls than the 2019 edition’s Annex A. This makes it easier for organisations to identify exactly which controls their contracts need to address. See the Annex F correspondence table for the full mapping.





Why choose ISMS.online for managing PII processor contracts?

ISMS.online simplifies the entire processor contract lifecycle from due diligence to ongoing compliance monitoring:

  • Processor register — Maintain a centralised register of all PII processors with their processing activities, contract status and review dates in one place
  • DPA clause library — Pre-built contract clause templates aligned to ISO 27701 Table A.2 requirements and GDPR Article 28, ready to incorporate into your agreements
  • Table A.2 mapping — Automatically identify which processor controls apply to each processing arrangement, ensuring no required clauses are missed
  • Sub-processor tracking — Record approved sub-processors for each processor, with alerts when new sub-processors are notified
  • Contract review reminders — Automated notifications when contracts are due for review, when processing activities change, or when the standard is updated
  • Supplier due diligence — Integrated questionnaires to assess processor capabilities before contract signing, with scored assessments and documented outcomes

FAQs

Does every supplier need a data processing agreement?

Only suppliers that process PII on your behalf (i.e. act as PII processors) require a contract under A.1.2.7. Suppliers who provide services that do not involve access to PII — such as office supply vendors — do not need a DPA. The key question is whether the supplier will process, access or store PII as part of the service. If in doubt, classify the supplier as a processor and put a contract in place — it is better to have an unnecessary DPA than to miss a required one.


What should we do about sub-processors?

Your contract with each processor should address sub-processing. Common approaches include: requiring prior written approval for all sub-processors, requiring notification with a right to object, or pre-approving a named list of sub-processors. Under GDPR Article 28, the processor must not engage another processor without prior specific or general written authorisation from the controller. Whichever approach you choose, ensure the contract requires the processor to impose equivalent contractual obligations on its sub-processors.


How do we handle processors that refuse to sign our DPA?

Large processors (especially SaaS providers) often offer their own standard DPA rather than signing yours. This is generally acceptable provided their DPA covers the required elements — nature and purpose of processing, types of PII, duration, obligations and the relevant Table A.2 controls. Review their DPA against a checklist of required clauses. If gaps exist, negotiate addendums or supplementary terms. If a processor refuses any written agreement covering PII processing, you should not use that processor — the control explicitly requires a written contract.



Max Edwards

Max works as part of the ISMS.online marketing team and ensures that our website is updated with useful content and information about all things ISO 27001, 27002 and compliance.
