## What does control A.1.2.9 require?

The organisation shall determine and securely maintain the necessary records in support of its obligations for the processing of PII.

This control sits within the Conditions for collection and processing objective (A.1.2), which aims to demonstrate that processing is lawful, with a legal basis per applicable jurisdictions, and with clearly defined and legitimate purposes. Record keeping is how you prove everything else is working.
## What does the implementation guidance say?

Annex B (section B.1.2.9) provides detailed guidance on the categories of information that processing records should contain:

- Categories of processing — The types of processing operations carried out on PII (collection, storage, transfer, erasure, etc.)
- Purposes of processing — A clear statement of why each category of PII is processed, linked to the purpose documentation required by A.1.2.2 Identify and Document Purpose
- Categories of PII and PII principals — What types of personal data are held and about whom (employees, customers, website visitors, etc.)
- Recipients — Any third parties or processors who receive the PII
- International transfers — Details of any transfers to other jurisdictions, including safeguards in place
- Retention periods — How long each category of PII is held before deletion or anonymisation
- Security measures — A general description of the technical and organisational measures protecting the PII

See also A.1.2.4 Determine When and How Consent Is to Be Obtained and A.1.2.5 Obtain and Record Consent for related requirements.

The guidance also emphasises that records should be kept up to date as processing activities change, and made available to supervisory authorities on request. This is not a one-off documentation exercise but an ongoing operational requirement.
## How does this map to GDPR?

Control A.1.2.9 maps to several GDPR provisions:

- Article 5(2) — The accountability principle, requiring controllers to demonstrate compliance
- Article 24(1) — Obligation to implement appropriate measures and be able to demonstrate compliance
- Article 30(1)(a-g) — The detailed requirements for records of processing activities maintained by controllers
- Article 30(3-5) — Requirements that records be in writing (including electronic form), made available to the supervisory authority on request, and exemptions for organisations with fewer than 250 employees (with exceptions)

Article 30 is widely regarded as one of the most operationally significant GDPR requirements. A well-maintained Record of Processing Activities (ROPA) is often the first document a supervisory authority will request during an investigation.
## How does this relate to ISO 29100 privacy principles?

This control supports the Accountability principle from ISO 29100. Accountability requires that the organisation document and communicate its privacy-related policies and procedures, assign responsibility for implementing them, and maintain evidence of compliance. Processing records are the primary vehicle for demonstrating that accountability in practice.
## What evidence do auditors expect?

When assessing compliance with A.1.2.9, auditors will typically look for:

- Record of Processing Activities (ROPA) — A comprehensive register covering all seven categories listed in the guidance, with evidence of regular review
- Version control — Evidence that records are updated when processing activities change, with a clear audit trail of modifications
- Ownership and responsibility — A named individual or role responsible for maintaining processing records
- Accessibility — Evidence that records can be promptly produced for supervisory authorities or audit purposes
- Completeness checks — Procedures to ensure new processing activities are captured in the register before processing begins
- Security of records — The records themselves contain sensitive information and should be appropriately protected
## What are the related controls?

| Control | Relationship |
|---|---|
| A.1.2.2 Identify and document purpose | Purpose documentation feeds directly into processing records |
| A.1.2.3 Identify lawful basis | The lawful basis for each processing activity should be recorded |
| A.1.4.2 Limit collection | Records should reflect what PII is actually collected, supporting minimisation |
| A.1.4.6 PII De-identification and Deletion | Retention periods in records drive deletion schedules |
| A.1.5.2 Basis for PII Transfer | International transfer details recorded here are expanded in transfer-specific controls |
| A.1.3.3 Determining information for PII principals | Information provided to PII principals should align with processing records |
## What changed from ISO 27701:2019?

For a step-by-step approach, see the Transition from 2019 to 2025.

In the 2019 edition, this requirement was part of Clause 7.2.8 (Records related to processing PII). The substantive requirements are the same in 2025, but the restructured format now separates the control statement (A.1.2.9) from the implementation guidance (B.1.2.9) more clearly. The 2025 edition also strengthens the emphasis on keeping records up to date as a continuous obligation rather than a point-in-time exercise. See the Annex F correspondence table for the full mapping.
## Why choose ISMS.online for PII processing records?

ISMS.online provides purpose-built tools for maintaining comprehensive, auditable processing records:

- Pre-built ROPA templates — Start with a structured register covering all seven categories required by B.1.2.9, so you do not miss any required fields
- Automated version control — Every change to a processing record is tracked with timestamps, user details and change descriptions, creating the audit trail auditors expect
- Linked evidence — Connect processing records to related policies, consent records, DPIAs and transfer mechanisms in a single integrated system
- Supervisory authority export — Generate a complete ROPA export in formats suitable for regulator requests, ready at the click of a button
- Review reminders — Set review cycles for each processing activity so records stay current as your operations evolve
- Role-based access — Ensure processing records are accessible to authorised personnel while remaining protected from unauthorised changes
## FAQs

### Do small organisations need to maintain processing records?

Yes. While GDPR Article 30(5) provides a limited exemption for organisations with fewer than 250 employees, this exemption does not apply if the processing is likely to result in a risk to the rights of individuals, is not occasional, or includes special categories of data. In practice, most organisations processing PII systematically will need to maintain records regardless of size. ISO 27701 itself does not include a size-based exemption.

### How often should processing records be reviewed?

Records should be reviewed whenever processing activities change and at a minimum as part of your regular management review cycle. Many organisations set quarterly or six-monthly review dates for the full register, with ad hoc updates triggered by new processing activities, changes to existing processes, or organisational changes such as new systems or third-party relationships.

### Can a spreadsheet satisfy this requirement?

Technically yes, but spreadsheets lack version control, access restrictions and automated review reminders. As processing activities grow, spreadsheets become difficult to maintain accurately and are prone to errors. A dedicated compliance platform provides the structure, auditability and cross-referencing needed to meet the standard consistently over time.