What does control A.1.5.3 require?

The organisation shall specify and document the countries and international organizations to which PII can possibly be transferred.

This control sits within the PII transfer objective (A.1.5) in the PII controller controls. Where A.1.5.2 Basis for PII Transfer deals with the legal mechanism, A.1.5.3 focuses on documenting exactly where PII may end up.

What does the implementation guidance say?

Annex B (section B.1.5.3) provides the following guidance:

  • Maintain a register of all countries and international organizations to which PII may be transferred
  • Consider the adequacy status of each destination jurisdiction when determining whether transfers are permissible
  • Make information about transfer destinations available to PII principals, either directly or through published privacy documentation
  • Keep the register current as new transfer destinations are added or existing ones are removed

The practical effect is that organisations cannot treat international transfers as a black box. Every potential destination must be visible, assessed and documented before any PII flows there.

How does this map to GDPR?

Control A.1.5.3 maps to two key GDPR provisions:

  • Article 15(1)(c) and 15(2) — The data subject has the right to be told the recipients of their personal data, including recipients in third countries or international organisations, and, where data are transferred to a third country or international organisation, to be informed of the appropriate safeguards relied on under Article 46
  • Article 30(1)(e) — Records of processing activities must, where applicable, record transfers to a third country or international organisation, identifying that country or organisation and, for transfers made under the second subparagraph of Article 49(1), documenting the suitable safeguards

Under GDPR, the records of processing must be made available to the supervisory authority on request (Article 30(4)), and destination information must be given to data subjects who exercise their right of access. The A.1.5.3 register is the natural single source for both.

How does this relate to ISO 29100 privacy principles?

This control supports the ISO 29100 principle of Accountability. Maintaining a documented register of transfer destinations demonstrates that the organisation knows where PII goes and has taken deliberate steps to assess and approve each destination.

What evidence do auditors expect?

When assessing compliance with A.1.5.3, auditors will typically look for:

  • Country register — A documented, up-to-date list of all countries and international organizations to which PII may be transferred
  • Adequacy assessments — Evidence that the adequacy status of each destination has been considered and recorded
  • Privacy notices — Published privacy documentation that informs PII principals of the countries where their data may be processed
  • Change records — Evidence that the register is updated when new destinations are added, for example when a new cloud provider or sub-processor is engaged
  • Alignment with transfer records — That actual transfers (recorded under A.1.5.4 Records of PII Transfer) only go to documented destinations

What are the related controls?

  • A.1.5.2 Identify basis for PII transfer — The legal basis determines which countries are permissible destinations
  • A.1.5.4 Records of transfer of PII — Actual transfer records should align with the approved destination list
  • A.1.5.5 Records of PII disclosures — Disclosures to third parties in other jurisdictions must be documented
  • A.1.3.3 Determining information for PII principals — Transfer destinations are part of the information that must be provided to individuals
  • A.1.2.9 Records of processing PII — The destination register feeds into the overall processing records

What changed from ISO 27701:2019?

For a step-by-step approach, see the Transition from 2019 to 2025.

In the 2019 edition, this requirement was covered under Clause 7.5.2 (countries and international organizations to which PII can be transferred). The substance is unchanged, but the 2025 restructure provides a clearer link between the control statement (A.1.5.3) and implementation guidance (B.1.5.3). The emphasis on making destination information available to PII principals remains a core requirement. See the Annex F correspondence table for the full mapping.

ISMS.online supports over 100 standards and regulations, giving you a single platform for all your compliance needs.

Why choose ISMS.online for tracking PII transfer destinations?

ISMS.online gives you the tools to maintain a clear, auditable record of where PII goes:

  • Transfer destination register — Maintain a centralised list of approved countries and organisations with adequacy status and review dates
  • Sub-processor tracking — Link each third-party processor to the countries where they operate, with automatic flagging when a new destination is introduced
  • Privacy notice integration — Keep privacy documentation aligned with the approved destination list through linked records
  • Review workflows — Set scheduled reviews for each destination and receive alerts when adequacy decisions or legal frameworks change
  • Audit evidence — Export the full destination register with change history for certification audits and regulatory enquiries

FAQs

Do we need to list every country a cloud provider operates in?

Yes, if PII could be stored in, or accessed from, those locations. Remote access by a provider's staff is a transfer for this purpose, so the register has to cover the countries where support or operations personnel can reach the data, not just the regions where it is hosted. Work with each provider to obtain a definitive list of all countries where PII may be processed, stored or accessed, and record every one. Where a provider lets you pin storage to specific regions or restrict support access, configure and document those restrictions, since they narrow the set of destinations you need to list.


What if the list of countries changes frequently?

The register should be a living document. Build a process to update it whenever a new transfer destination is proposed, for example through procurement or vendor onboarding workflows. Each change should be assessed against the transfer basis documented under A.1.5.2 Basis for PII Transfer, and privacy notices should be updated to reflect the current position.


Does this apply to transfers within the EU/EEA?

Under GDPR, transfers within the EU/EEA are not restricted transfers and need no specific transfer mechanism. ISO 27701, however, is jurisdiction-neutral and the control statement simply asks for the countries to which PII can be transferred. Good practice is therefore to document every country where PII is processed, EEA members included, because other applicable laws (for example, national implementing legislation or sector-specific rules) may impose their own requirements, and because an EEA-only register is of no help to a certified organisation whose PII principals or processors sit outside the EU.



Max Edwards

Max works as part of the ISMS.online marketing team and ensures that our website is updated with useful content and information about all things ISO 27001, 27002 and compliance.