
What does control A.1.3.5 require?

The organisation shall provide a mechanism for PII principals to modify or withdraw their consent.

This control sits within the Obligations to PII principals objective (A.1.3). It complements the consent collection controls in A.1.2 by ensuring that consent is not a one-way street. If your organisation relies on consent as a lawful basis for processing (see A.1.2.4 Determine Consent and A.1.2.5 Obtain and Record Consent), you must also make it easy for individuals to change their mind.

What does the implementation guidance say?

Annex B (section B.1.3.5) provides guidance on what an effective consent withdrawal mechanism should look like:

  • Equal ease — Withdrawal of consent should be as easy as giving consent. If consent was given with a single click, withdrawal should not require a phone call or written letter
  • Clear communication — The mechanism for withdrawal should be clearly communicated to PII principals at the time consent is obtained and at any time thereafter
  • No retrospective effect — Withdrawal does not affect the lawfulness of processing carried out before the withdrawal. This should be communicated to PII principals
  • Consequences — Before withdrawal, PII principals should be informed of any consequences (for example, loss of access to a service). The consequences should not be punitive
  • Modification — In addition to full withdrawal, consider allowing PII principals to modify the scope of their consent (for example, opting out of marketing while retaining consent for service delivery)
  • See also A.1.2.2: Identify and Document Purpose for related requirements

How does this map to GDPR?

Control A.1.3.5 maps to several GDPR provisions:

  • Article 7(3) — The data subject shall have the right to withdraw consent at any time. It shall be as easy to withdraw as to give consent. The data subject shall be informed of this right before giving consent
  • Article 13(2)(c) — The right to withdraw consent must be included in the information provided at collection
  • Article 14(2)(d) — The right to withdraw consent must be included in the information provided for indirect collection
  • Article 18(1)(a-d) — Right to restriction of processing, which may apply when consent is withdrawn but other grounds may exist

The GDPR’s “as easy to withdraw as to give” principle has been interpreted strictly by supervisory authorities. Organisations using online consent mechanisms should provide equally simple online withdrawal options.

How does this relate to ISO 29100 privacy principles?

This control supports the Consent and choice principle from ISO 29100. Meaningful consent requires that individuals retain control over their choices after the initial decision. The ability to modify or withdraw consent at any time is fundamental to this principle, ensuring that consent remains a genuine expression of the individual’s wishes.

What evidence do auditors expect?

When assessing compliance with A.1.3.5, auditors will typically look for:

  • Withdrawal mechanisms — Documented and accessible mechanisms (online preference centres, unsubscribe links, forms) that PII principals can use to withdraw consent
  • Equal ease assessment — Evidence that the withdrawal process is comparable in effort to the consent-giving process
  • Communication records — Evidence that PII principals are informed about the withdrawal mechanism at the time of consent and in ongoing communications
  • Consequence documentation — Clear documentation of what happens when consent is withdrawn, and evidence this is communicated to PII principals
  • Processing cessation — Evidence that processing actually stops (or is modified) when consent is withdrawn, within documented timeframes
  • Consent records — Updated records showing the withdrawal, linked to the original consent record (see A.1.2.5 Obtain and Record Consent)

What are the related controls?

Control                                             Relationship
A.1.2.4 Determine consent                           Defines how consent is obtained; A.1.3.5 ensures it can be undone
A.1.2.5 Obtain and record consent                   Consent records must be updated to reflect withdrawals
A.1.3.3 Determining information for PII principals  The right to withdraw consent must be included in the information provided
A.1.3.4 Providing information to PII principals     Withdrawal mechanism details should be communicated clearly
A.1.3.6 Object to PII processing                    Related but distinct: objection applies regardless of lawful basis, withdrawal applies only to consent
A.1.4.6 PII De-identification and Deletion          Consent withdrawal may trigger deletion obligations

What changed from ISO 27701:2019?

For a step-by-step approach, see the Transition from 2019 to 2025.

In the 2019 edition, this requirement was part of Clause 7.3.4 (Providing mechanism to modify or withdraw consent). The 2025 edition retains the same core requirement under A.1.3.5, with the guidance in B.1.3.5. The emphasis on “equal ease” and the requirement to communicate consequences before withdrawal remain the key principles. See the Annex F correspondence table for the full mapping.




ISMS.online supports over 100 standards and regulations, giving you a single platform for all your compliance needs.

Why choose ISMS.online for consent withdrawal management?

ISMS.online provides the infrastructure to manage the full consent lifecycle, including modification and withdrawal:

  • Consent preference centre — Give PII principals a self-service portal to view, modify or withdraw their consent at any time, meeting the “equal ease” requirement
  • Automated processing updates — When consent is withdrawn, trigger workflows to cease the affected processing and notify relevant teams
  • Linked consent records — Withdrawal events are automatically linked to the original consent record, creating a complete audit trail from collection through to withdrawal
  • Consequence communication templates — Pre-built templates for informing PII principals of the consequences of withdrawal, ensuring consistent messaging
  • Compliance dashboard — Monitor consent health across your organisation, with visibility into withdrawal rates, processing cessation timelines and outstanding actions

FAQs

What does “as easy to withdraw as to give” mean in practice?

If consent was collected via a checkbox on a web form, withdrawal should be available through a similarly simple online mechanism, such as a preference centre or unsubscribe link. Requiring a phone call, written letter or visit to a physical location when consent was given online would not meet the standard. The withdrawal path should require the same or fewer steps than the consent path.


Does consent withdrawal mean all PII must be deleted?

Not necessarily. Consent withdrawal means you must stop the processing that was based on consent. However, you may have other lawful bases for retaining the data (such as legal obligations or legitimate interests for other purposes). You should assess whether any other lawful basis applies before deleting the data. Where no other basis exists, deletion or anonymisation should follow per your retention policies.


How quickly must processing stop after consent withdrawal?

The standard does not specify a precise timeframe, but the expectation is that processing ceases without undue delay. In practice, organisations should document their target response time and ensure it is reasonable. For automated processing (such as marketing emails), cessation should be near-immediate. For more complex processing involving multiple systems, a short documented timeframe (such as 48 hours) is typically acceptable, provided the delay is justified.
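The record-keeping points above (B.1.3.5's "no retrospective effect" and "equal ease", the auditor's "consent records linked to the original consent record" and "processing cessation within documented timeframes", and the 48-hour cessation target discussed in this FAQ) can all be served by one append-only consent ledger. The following is an added example written for this page, not code from ISMS.online or from ISO 27701; the ConsentLedger class, the purpose names, the use of a "steps" count as the measure of ease, and the sample timeline are all assumptions constructed for illustration.

```python
"""Append-only consent ledger: grant, narrow (modify), withdraw, point-in-time
lawfulness checks and cessation-deadline tracking.
Added illustration for A.1.3.5 / B.1.3.5; not ISMS.online's or ISO 27701's code."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

UTC = timezone.utc


@dataclass(frozen=True)
class ConsentEvent:
    event_id: str
    principal_id: str
    kind: str                     # "grant", "modify" or "withdraw"
    purposes: frozenset           # purposes still consented to after this event
    at: datetime                  # when the PII principal's action was received
    steps: int                    # user actions the channel required (equal-ease evidence; assumed measure)
    linked_to: Optional[str] = None   # grant event this modify/withdraw refers to


class ConsentLedger:
    """Events are only appended, never rewritten, so the lawfulness of processing
    carried out before a withdrawal remains provable afterwards."""

    def __init__(self, cessation_sla: timedelta = timedelta(hours=48)):
        self.events: list[ConsentEvent] = []
        self.cessation_sla = cessation_sla          # the organisation's documented target timeframe
        self.ceased_at: dict[str, datetime] = {}    # event_id -> when the affected processing stopped

    def _append(self, principal, kind, purposes, at, steps, linked_to=None):
        ev = ConsentEvent(f"evt-{len(self.events) + 1:04d}", principal, kind,
                          frozenset(purposes), at, steps, linked_to)
        self.events.append(ev)
        return ev

    def _latest_grant(self, principal):
        for ev in reversed(self.events):
            if ev.principal_id == principal and ev.kind == "grant":
                return ev
        raise LookupError(f"no consent on record for {principal}")

    def grant(self, principal, purposes, at, steps):
        return self._append(principal, "grant", purposes, at, steps)

    def modify(self, principal, purposes, at, steps):
        """Narrow the scope of consent currently in force. Widening it is a new grant."""
        if not set(purposes) <= self.active_purposes(principal, at):
            raise ValueError("modification may only narrow the purposes currently consented to")
        return self._append(principal, "modify", purposes, at, steps, self._latest_grant(principal).event_id)

    def withdraw(self, principal, at, steps):
        return self._append(principal, "withdraw", (), at, steps, self._latest_grant(principal).event_id)

    def active_purposes(self, principal, at):
        """Replay the ledger up to `at`: the consent state as it stood at that moment."""
        purposes = frozenset()
        for ev in self.events:
            if ev.principal_id == principal and ev.at <= at:
                purposes = ev.purposes
        return purposes

    def is_lawful(self, principal, purpose, at):
        """Consent-based processing for `purpose` at time `at`: withdrawal has no
        retrospective effect, so processing before the withdrawal stays lawful."""
        return purpose in self.active_purposes(principal, at)

    def equal_ease(self, event_id):
        """The withdrawal/modification path must take no more steps than the grant path."""
        ev = next(e for e in self.events if e.event_id == event_id)
        grant = next(e for e in self.events if e.event_id == ev.linked_to)
        return ev.steps <= grant.steps

    def record_cessation(self, event_id, at):
        self.ceased_at[event_id] = at

    def overdue_cessations(self, now):
        """Modifications/withdrawals whose processing was not confirmed stopped within
        the SLA, or was stopped late: the 'processing cessation' evidence an auditor asks for."""
        overdue = []
        for ev in self.events:
            if ev.kind not in ("modify", "withdraw"):
                continue
            deadline = ev.at + self.cessation_sla
            stopped = self.ceased_at.get(ev.event_id)
            if (stopped is None and now > deadline) or (stopped is not None and stopped > deadline):
                overdue.append(ev.event_id)
        return overdue


def demo():
    """Constructed sample timeline (not real data) exercising the ledger."""
    ledger = ConsentLedger()
    day = timedelta(days=1)
    t0 = datetime(2025, 3, 1, 9, 0, tzinfo=UTC)
    ledger.grant("p-001", {"service", "marketing", "analytics"}, t0, steps=1)   # one web checkbox
    m = ledger.modify("p-001", {"service"}, t0 + 10 * day, steps=1)             # preference centre
    w = ledger.withdraw("p-001", t0 + 20 * day, steps=1)                        # unsubscribe link
    ledger.record_cessation(m.event_id, m.at + timedelta(hours=2))              # inside the 48h SLA
    # No cessation has been recorded for the withdrawal yet.
    return {
        "ledger": ledger,
        "marketing_lawful_day5": ledger.is_lawful("p-001", "marketing", t0 + 5 * day),
        "marketing_lawful_day15": ledger.is_lawful("p-001", "marketing", t0 + 15 * day),
        "service_lawful_day15": ledger.is_lawful("p-001", "service", t0 + 15 * day),
        "service_lawful_day25": ledger.is_lawful("p-001", "service", t0 + 25 * day),
        "withdrawal_equal_ease": ledger.equal_ease(w.event_id),
        "withdrawal_linked_to": w.linked_to,
        "overdue_day21": ledger.overdue_cessations(t0 + 21 * day),
        "overdue_day23": ledger.overdue_cessations(t0 + 23 * day),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        if key != "ledger":
            print(f"{key}: {value}")
```

Two design choices matter for the evidence an auditor will want. Lawfulness is answered by replaying the ledger to a point in time rather than by looking at the current flag, which is what makes "withdrawal has no retrospective effect" demonstrable from the records. And a withdrawal is not "done" when it is recorded: it stays on the overdue list until the processing is confirmed stopped inside the documented timeframe, which is the gap between a consent record and actual cessation that audits most often find.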



Max Edwards

Max works as part of the ISMS.online marketing team and ensures that our website is updated with useful content and information about all things ISO 27001, 27002 and compliance.
