
What does control A.1.4.10 require?

The organisation shall subject PII transmitted (e.g. sent to another organisation) over a data-transmission network to appropriate controls designed to ensure that the data reaches its intended destination.

This control sits within the PII minimization objective (A.1.4) and addresses the security of PII when it leaves the organisation’s direct control during transmission. Whether PII is being sent to a PII processor, shared with a partner, transferred to a cloud service or transmitted between internal systems, the organisation must ensure it arrives where intended and is protected in transit.

What does the implementation guidance say?

Annex B (section B.1.4.10) provides the following guidance:

  • Implement encryption for PII in transit — Use encryption to protect PII during transmission so that anyone who intercepts the traffic cannot read or silently alter it. This applies to external transmissions (to third parties) and to internal transmissions (between systems), since internal networks and shared infrastructure can also be observed
  • Verify recipient identity and authorisation — Before transmitting PII, confirm that the recipient is who they claim to be and that they are authorised to receive the data
  • Log transmissions — Maintain records of PII transmissions, including what was sent, to whom, when and through which channel
  • Consider transmission channel security — Assess the security of the transmission channel itself, including the network, protocols and intermediaries involved
  • Use secure protocols — Employ industry-standard secure protocols such as TLS (for web, API and email traffic), SFTP (for file transfer) and VPN tunnels (for site-to-site or remote network connections), and do not expose PII over their plaintext counterparts (HTTP, FTP, unencrypted SMTP)
  • See also A.1.4.2: Limit Collection for related requirements
  • See also A.1.4.5: PII Minimization Objectives for related requirements

The control is technology-agnostic but expects organisations to select transmission methods proportionate to the sensitivity of the PII and the risk. Transmitting health records requires stronger controls than transmitting a business contact’s email address.
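The guidance above (verify the recipient, use an approved channel, log the transmission) can be enforced in code rather than left to procedure. The following is an added example written for this page, not text or code from ISO 27701 or ISMS.online. The recipient register, the sensitivity tiers and the function names are assumptions; the transport is injected so the policy can be tested without a network. One point it shows that the guidance does not spell out: the transmission log should record a digest of what was sent, never the PII itself, otherwise the log becomes a second copy of the data you are trying to protect.

```python
"""Policy-as-code sketch for A.1.4.10: verify the recipient, require an
approved channel, and log the transmission without logging the PII.
Added example; the register format and tiers are assumptions, not ISO text."""
import hashlib
import json
import ssl
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional

# Constructed recipient register (assumption: one entry per authorised recipient,
# populated from the data-sharing agreement and the verification procedure).
RECIPIENT_REGISTER: Dict[str, dict] = {
    "payroll-provider": {
        "verified": True,                      # identity confirmed, DPA signed
        "endpoint": "sftp.payroll.example",
        "channel": "sftp",                     # approved transport
        "max_sensitivity": "special_category",
    },
    "marketing-agency": {
        "verified": True,
        "endpoint": "api.agency.example",
        "channel": "https",
        "max_sensitivity": "contact",          # business contact data only
    },
    "new-vendor": {
        "verified": False,                     # verification not yet completed
        "endpoint": "files.vendor.example",
        "channel": "sftp",
        "max_sensitivity": "contact",
    },
}

SENSITIVITY_RANK = {"contact": 0, "personal": 1, "special_category": 2}
APPROVED_CHANNELS = {"https", "sftp"}          # ftp, http, plain smtp are not


def secure_client_context() -> ssl.SSLContext:
    """Client TLS context meeting the 'TLS 1.2 or higher' baseline, with
    certificate and hostname verification left on."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


class TransmissionRefused(Exception):
    """Raised when the policy check fails; nothing is sent and nothing logged."""


@dataclass
class TransmissionLog:
    entries: List[dict] = field(default_factory=list)


def transmit_pii(recipient_id: str, payload: bytes, sensitivity: str,
                 categories: List[str], send: Callable[[str, str, bytes], None],
                 log: TransmissionLog, now: Optional[datetime] = None) -> dict:
    """Check the register, send via the injected transport, then log.
    `send(endpoint, channel, payload)` is the real transport in production
    (assumed to use secure_client_context() for https)."""
    entry = RECIPIENT_REGISTER.get(recipient_id)
    if entry is None:
        raise TransmissionRefused(f"{recipient_id}: not in recipient register")
    if not entry["verified"]:
        raise TransmissionRefused(f"{recipient_id}: identity/authorisation not verified")
    if entry["channel"] not in APPROVED_CHANNELS:
        raise TransmissionRefused(f"{recipient_id}: channel {entry['channel']} not approved")
    if SENSITIVITY_RANK[sensitivity] > SENSITIVITY_RANK[entry["max_sensitivity"]]:
        raise TransmissionRefused(f"{recipient_id}: not authorised for {sensitivity} PII")

    send(entry["endpoint"], entry["channel"], payload)

    # What was sent, to whom, when and how; a SHA-256 digest lets an auditor
    # match the record to the file without the log holding the PII.
    record = {
        "timestamp": (now or datetime.now(timezone.utc)).isoformat(),
        "recipient": recipient_id,
        "endpoint": entry["endpoint"],
        "channel": entry["channel"],
        "sensitivity": sensitivity,
        "categories": sorted(categories),
        "payload_sha256": hashlib.sha256(payload).hexdigest(),
        "payload_bytes": len(payload),
    }
    log.entries.append(record)
    return record


def log_as_jsonl(log: TransmissionLog) -> str:
    """One JSON object per line, suitable for shipping to a SIEM."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in log.entries)


if __name__ == "__main__":
    log = TransmissionLog()
    fake_send = lambda endpoint, channel, data: None   # stand-in transport
    transmit_pii("payroll-provider", b"name=Ada,ni=QQ123456C", "personal",
                 ["name", "national_insurance_number"], fake_send, log)
    print(log_as_jsonl(log))
```

In a real deployment the register would be backed by the recipient register and data-sharing agreements rather than a dict, and `send` would be an SFTP or HTTPS client; the point is that the checks run before any bytes leave and that a refused transmission leaves no partial record.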

How does this map to GDPR?

Control A.1.4.10 maps to GDPR Article 5(1)(f), the integrity and confidentiality principle, which requires that personal data is processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. Transmission is a processing activity, and the security of data in transit is a core element of the GDPR's security requirements under Article 32.

How does this relate to ISO 29100 privacy principles?

This control supports the ISO 29100 principle of Information security, which requires that PII be protected with appropriate controls against risks such as unauthorised access, destruction, use, modification, disclosure or loss. Transmission represents one of the highest-risk moments in the data lifecycle because PII is exposed to network-level threats.


ISMS.online supports over 100 standards and regulations, giving you a single platform for all your compliance needs.

What evidence do auditors expect?

When assessing compliance with A.1.4.10, auditors will typically look for:

  • Transmission security policy — A documented policy specifying the minimum security controls required for PII in transit, including approved protocols, encryption standards and recipient verification procedures
  • Encryption configurations — Evidence of TLS configurations for web services and APIs (minimum protocol version, cipher suites, certificate management), SFTP configurations for file transfers and VPN settings for network connections
  • Recipient verification procedures — Documented procedures for verifying the identity and authorisation of PII recipients before transmission, particularly for new recipients or one-off transfers
  • Transmission logs — Records of PII transmissions, showing what was sent, to whom and through which channel
  • Third-party agreements — Data processing agreements or data sharing agreements with recipients that specify transmission security requirements
  • Vulnerability assessments — Results of network and protocol assessments confirming that transmission channels meet security requirements

What are the related controls?

  • A.1.4.4 Accuracy and quality: data integrity during transmission protects PII accuracy
  • A.1.4.9 Disposal: PII transmitted to third parties may also require disposal at the recipient end
  • A.1.4.7 Temporary files: transmission processes often create temporary staging files that contain PII
  • A.1.4.3 Limit processing: transmission should only occur for data that is necessary for the stated purpose
  • A.1.2.2 Identify and document purpose: transmission should only occur to support a documented processing purpose
  • A.1.2.9 Records of processing: transmission activities should be reflected in processing records, including categories of recipients

What changed from ISO 27701:2019?

For a step-by-step approach, see the Transition from 2019 to 2025.

In the 2019 edition, PII transmission controls were addressed under Clause 7.4.9 (PII transmission controls). The 2025 control retains the same core requirement. The implementation guidance now more explicitly references modern secure protocols and places greater emphasis on recipient verification and transmission logging. The restructured format also makes the relationship between transmission security and the broader ISO 27001 information security controls clearer. See the Annex F correspondence table for the full mapping.

Why choose ISMS.online for managing PII transmission controls?

ISMS.online bridges your privacy management and information security controls in a single platform:

  • Data flow mapping — Visualise and document every PII transmission, including the source, destination, channel, protocol and encryption standard used
  • Recipient register — Maintain a register of authorised PII recipients with their verification status, data processing agreements and approved transmission methods
  • Security control documentation — Document encryption configurations, protocol standards and network security measures with version-controlled records
  • ISO 27001 integration — Link PII transmission controls to your broader information security management system, ensuring privacy and security controls are aligned
  • Third-party compliance tracking — Monitor the compliance status of data recipients, including contract reviews, security assessments and incident notifications
  • Audit-ready evidence — Export transmission policies, configuration records and data flow maps as part of your certification evidence pack

FAQs

Does this control apply to internal data transfers as well as external ones?

Yes. The control applies to PII transmitted over any data transmission network, which includes internal networks as well as external transfers. While the risk profile may differ (external transfers generally face higher interception risk), internal transfers should also be protected with appropriate encryption and access controls, particularly where PII crosses network segments or passes through shared infrastructure.


What is the minimum acceptable encryption standard for PII in transit?

The standard does not prescribe a specific protocol version or cipher suite, but current industry best practice is TLS 1.2 or higher for web and API traffic, with TLS 1.3 preferred where both parties support it. Older protocols (SSL, TLS 1.0, TLS 1.1) are deprecated and should be disabled on both clients and servers, not merely left unused. For file transfers, SFTP (file transfer over SSH) is standard; the legacy scp protocol has been deprecated by OpenSSH, which now performs scp copies over SFTP. For email, TLS encryption between mail servers should be enforced where possible. The choice should be documented and aligned with your information security policy.


How should organisations handle PII sent by email?

Email presents specific challenges because standard email protocols do not guarantee end-to-end encryption: opportunistic TLS between mail servers protects a hop only when both servers happen to support it, and silently falls back to plaintext otherwise. Appropriate measures include: enforcing TLS between your mail server and the recipient's server (via enforced TLS policies, MTA-STS or DANE rather than opportunistic TLS alone); using S/MIME or PGP encryption for highly sensitive PII; using secure file-sharing links instead of direct attachments; password-protecting attachments only as a last resort, with the password sent over a separate channel and a format whose encryption is actually strong (legacy ZIP password protection is not); and implementing DLP (data loss prevention) rules to detect and prevent accidental PII exposure via email. The approach should be proportionate to the sensitivity of the PII.
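The DLP rule mentioned above is usually the control that catches the accidental case. The following is an added example, not code from ISMS.online or the standard, showing the detection logic for an outbound message: it looks for payment card numbers (validated with the Luhn checksum so random digit runs are not flagged), a simplified UK National Insurance number shape, and email addresses, then maps what it finds to an action. The patterns, the three action tiers and the function names are this example's assumptions to be adapted to local policy.

```python
"""Outbound-email DLP check for PII (illustrating the email guidance above).
Added example: patterns, tiers and decisions are assumptions, not ISO rules."""
import re
from dataclasses import dataclass
from typing import List

CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, spaces/dashes allowed
# Simplified UK National Insurance number shape; does not check issued prefixes.
NINO_RE = re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; used so that arbitrary digit runs do not trip the card rule."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    kind: str
    redacted: str        # what may go in the DLP log: never the full value


def scan(text: str) -> List[Finding]:
    """Return PII findings in the message body, each with a redacted form."""
    findings: List[Finding] = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(Finding("card_number", "*" * (len(digits) - 4) + digits[-4:]))
    for m in NINO_RE.finditer(text):
        v = m.group()
        findings.append(Finding("ni_number", v[:2] + "******" + v[-1]))
    for m in EMAIL_RE.finditer(text):
        local, _, domain = m.group().partition("@")
        findings.append(Finding("email_address", local[0] + "***@" + domain))
    return findings


def decide(findings: List[Finding]) -> str:
    """Map findings to an action; the tiers are this example's assumptions."""
    kinds = {f.kind for f in findings}
    if "card_number" in kinds:
        return "block"                 # card data must not go by email at all
    if "ni_number" in kinds:
        return "require_encryption"    # S/MIME, PGP or a secure-share link
    if kinds:
        return "allow_with_tls"        # low-sensitivity contact data
    return "allow"


if __name__ == "__main__":
    # Constructed sample message, not real data.
    body = ("Hi Sam, please onboard Ada Lovelace (NI QQ123456C), ada@example.org. "
            "Card 4111 1111 1111 1111 exp 12/27.")
    found = scan(body)
    for f in found:
        print(f.kind, f.redacted)
    print("action:", decide(found))
```

The redacted forms are what the DLP system should log and show the sender; writing the matched value into an alert would move the PII into yet another system. A production rule set would also cover attachments and use a keyword or classifier layer for categories that have no fixed shape, such as health data.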



Max Edwards

Max works as part of the ISMS.online marketing team and ensures that our website is updated with useful content and information about all things ISO 27001, 27002 and compliance.
