
What does control A.1.4.4 require?

The organisation shall ensure and document that PII is as accurate, complete and up to date as necessary for the purposes for which it is processed, throughout the life cycle of the PII.

This control sits within the PII minimization objective (A.1.4) and addresses a dimension of data quality that goes beyond volume. Even if you collect only the minimum PII needed (A.1.4.2), that data must remain fit for purpose throughout its lifecycle. Inaccurate PII can lead to wrong decisions, denied services, or harm to the individual, particularly where automated decision making (A.1.3.11) is involved.

What does the implementation guidance say?

Annex B (section B.1.4.4) provides the following guidance:

  • Verify accuracy at collection — Implement procedures to check that PII is accurate at the point of collection, such as validation rules, verification checks and confirmation steps
  • Maintain accuracy during storage — Put processes in place to keep PII up to date while it is stored, including regular data quality checks and update prompts
  • Enable PII principals to update their data — Provide accessible mechanisms for individuals to review and correct their own PII, supporting the rectification rights under A.1.3.7 Access, Correction or Erasure
  • Define “accurate enough” — Determine what level of accuracy is appropriate for each processing purpose, recognising that different purposes may require different levels of precision
  • See also A.1.4.3: Limit Processing for related requirements
  • See also A.1.4.5: PII Minimization Objectives for related requirements

The key insight is that accuracy is purpose-dependent. A marketing mailing list may tolerate a small percentage of outdated addresses, but a medical records system requires near-perfect accuracy. The organisation must define and document the accuracy threshold for each processing purpose.

How does this map to GDPR?

Control A.1.4.4 maps to GDPR Article 5(1)(d), the accuracy principle: personal data shall be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.

This GDPR principle is directly operationalised by the A.1.4.4 requirements for verification, maintenance and correction mechanisms.

How does this relate to ISO 29100 privacy principles?

This control directly supports the ISO 29100 principle of Accuracy and quality, which requires that PII processed should be accurate, complete, up to date, adequate and relevant for the purpose of use. The principle also requires that the reliability of PII should be ensured throughout the lifecycle.








What evidence do auditors expect?

When assessing compliance with A.1.4.4, auditors will typically look for:

  • Data quality policy — A documented policy defining accuracy requirements for each category of PII, including acceptable accuracy thresholds per purpose
  • Validation controls — Technical controls at collection points (format validation, verification steps, confirmation emails) that help ensure accuracy from the start
  • Data quality review records — Evidence of periodic data quality audits, including the metrics used, results found and corrective actions taken
  • Self-service mechanisms — Evidence that PII principals can access and correct their own data, such as account profile pages, update request forms or customer portals
  • Rectification logs — Records of accuracy corrections made, whether initiated by the organisation or by PII principals

What are the related controls?

| Control | Relationship |
|---|---|
| A.1.3.7 Access, correction or erasure | Enables individuals to verify and correct their own PII |
| A.1.3.11 Automated decision making | Input data accuracy is critical for fair automated decisions |
| A.1.4.2 Limit collection | Less data to manage means easier accuracy maintenance |
| A.1.4.8 Retention | Shorter retention reduces the window for data to become inaccurate |
| A.1.4.10 PII transmission controls | Data integrity during transmission protects accuracy |
| A.1.2.9 Records of processing | Processing records should reflect accuracy requirements for each activity |

What changed from ISO 27701:2019?

For a step-by-step approach, see the Transition from 2019 to 2025.

In the 2019 edition, accuracy and quality was addressed under Clause 7.4.3 (PII accuracy and quality). The 2025 control retains the same core requirement but adds explicit emphasis on documenting accuracy throughout the “life cycle” of the PII. The implementation guidance in B.1.4.4 is also more structured, with clearer separation between collection-time and storage-time accuracy measures. See the Annex F correspondence table for the full mapping.




ISMS.online supports over 100 standards and regulations, giving you a single platform for all your compliance needs.





Why choose ISMS.online for managing PII accuracy and quality?

ISMS.online supports your data quality obligations with practical tools built into your privacy management system:

  • Data quality framework — Define accuracy thresholds for each category of PII and processing purpose, creating a documented standard that auditors can verify
  • Review scheduling — Set up recurring data quality reviews with automated reminders, ensuring accuracy checks happen on schedule
  • Rectification tracking — Log all correction requests and actions taken, maintaining the audit trail auditors expect
  • Linked controls — Connect accuracy requirements to access and correction rights, automated decision making safeguards and retention schedules in a single system
  • Evidence export — Generate data quality reports and rectification logs as part of your certification evidence pack

FAQs

What does “as accurate as necessary” mean in practice?

The standard deliberately avoids requiring perfection. Instead, accuracy must be proportionate to the purpose. A customer’s postal address used for marketing mailings may tolerate minor inaccuracies, while the same customer’s financial details used for credit decisions require strict accuracy. The organisation should document what “accurate enough” means for each processing purpose and implement controls proportionate to that threshold.


How should organisations handle PII they suspect is inaccurate?

Where inaccuracy is suspected, the organisation should take reasonable steps to verify the data, either by checking against a reliable source or by contacting the PII principal. While verification is pending, the data should be flagged as unverified and, where possible, processing that depends on its accuracy should be paused. If the PII principal has requested rectification, this should be handled promptly under your correction procedures.


Does this control require automated data validation?

The standard does not mandate specific technical measures. However, automated validation (format checks, range checks, duplicate detection) is strongly recommended as a practical way to enforce accuracy at scale. The choice of controls should be proportionate to the volume and sensitivity of the PII and the accuracy requirements for the processing purpose.



Max Edwards

Max works as part of the ISMS.online marketing team and ensures that our website is updated with useful content and information about all things ISO 27001, 27002 and compliance.
