What are the PII processor controls in ISO 27701:2025?
Table A.2 of ISO 27701:2025 Annex A defines 18 controls that apply to any organisation acting as a PII processor. A PII processor processes PII on behalf of and under the instructions of a PII controller.
These controls are grouped into four objectives:
- Conditions for collection and processing (A.2.2) — 6 controls covering customer agreements, purpose limitations, marketing restrictions and records
- Obligations to PII principals (A.2.3) — 1 control covering compliance assistance to the customer
- Privacy by design and privacy by default (A.2.4) — 3 controls covering temporary files, return/disposal of PII and transmission
- PII sharing, transfer and disclosure (A.2.5) — 8 controls covering transfers, disclosures and subcontractor management
Implementation guidance for each control is in Annex B section B.2 (e.g. guidance for A.2.2.2 Customer Agreement is at B.2.2.2).
Complete list of Table A.2 controls
| Control | Title | Summary |
|---|---|---|
| A.2.2.2 Customer Agreement | Customer agreement | Ensure contracts address the processor’s role in assisting with customer obligations |
| A.2.2.3 Organisation Purposes | Organization’s purposes | Only process PII for the purposes in the customer’s documented instructions |
| A.2.2.4 Marketing and Advertising | Marketing and advertising use | Do not use contracted PII for marketing without appropriate PII principal consent |
| A.2.2.5 Infringing Instruction | Infringing instruction | Inform the customer if a processing instruction infringes applicable law |
| A.2.2.6 Customer Obligations | Customer obligations | Provide the customer with information to demonstrate their compliance |
| A.2.2.7 Records of Processing PII | Records related to processing PII | Maintain records demonstrating compliance with contractual PII obligations |
| A.2.3.2 Obligations to PII Principals | Comply with obligations to PII principals | Provide the customer with the means to comply with PII principal obligations |
| A.2.4.2 Temporary Files | Temporary files | Dispose of temporary files from PII processing within a documented period |
| A.2.4.3 Return, Transfer or Disposal | Return, transfer or disposal of PII | Securely return, transfer or dispose of PII and make the policy available |
| A.2.4.4 PII Transmission Controls | PII transmission controls | Subject PII transmitted over networks to appropriate controls |
| A.2.5.2 Basis for PII Transfer | Basis for PII transfer between jurisdictions | Inform the customer of the basis for international PII transfers in a timely manner |
| A.2.5.3 Countries for PII Transfer | Countries and international organizations for PII transfer | Specify and document countries and organisations PII can be transferred to |
| A.2.5.4 Records of PII Disclosures | Records of PII disclosures to third parties | Record PII disclosures including what was disclosed, to whom and when |
| A.2.5.5 PII Disclosure Requests | Notification of PII disclosure requests | Notify the customer of any legally binding disclosure requests |
| A.2.5.6 Legally Binding Disclosures | Legally binding PII disclosures | Reject non-binding requests and consult the customer before disclosing |
| A.2.5.7 Disclosure of Subcontractors | Disclosure of subcontractors used to process PII | Disclose to the customer whether subcontractors are used before use |
| A.2.5.8 Engaging Subcontractors | Engagement of a subcontractor to process PII | Only engage subcontractors according to the customer contract |
| A.2.5.9 Change of Subcontractor | Change of subcontractor to process PII | Inform the customer of intended subcontractor changes and allow objection |
Manage all your compliance, all in one place
ISMS.online supports over 100 standards and regulations, giving you a single platform for all your compliance needs.
How do processor controls relate to GDPR?
Table A.2 maps primarily to GDPR Article 28 (processor obligations) and Article 30 (records of processing). Key connections:
- A.2.2.2 Customer Agreement–3 (Agreements and purposes) → Art. 28(3)(a), Art. 29 — processing under controller authority
- A.2.2.7 Records of Processing PII (Records) → Art. 30(2–5) — processor records of processing activities
- A.2.4.3 Return, Transfer or Disposal (Return/disposal) → Art. 28(3)(g) — deletion or return after service ends
- A.2.5.7 Disclosure of Subcontractors–9 (Subcontractors) → Art. 28(2–4) — sub-processor authorisation and changes
What else applies to PII processors?
Table A.2 is not the complete set of requirements for PII processors. You must also implement the applicable controls from Table A.3 (shared security controls), which covers information security fundamentals like access control, incident management, cryptography and logging.
Why choose ISMS.online for PII processor compliance?
ISMS.online helps you implement and evidence every Table A.2 control:
- Contract management — Track customer agreements, processing purposes and compliance obligations
- Subcontractor register — Document subcontractors, their locations and the customer notification process
- Transfer records — Maintain a register of international transfers with legal basis documentation
- Disclosure logging — Record all PII disclosures with details of what, to whom and when
- End-of-service procedures — Document and track PII return, transfer or disposal processes
- Dual-role support — If you act as both controller and processor, manage both Table A.1 and A.2 in one place
FAQs
Why are there only 18 processor controls compared to 31 controller controls?
PII processors act under the instructions of the controller, so many privacy decisions (lawful basis, consent, data subject rights) are the controller’s responsibility. Processor controls focus on contractual compliance, processing restrictions, subcontractor management and disclosure handling.
Can an organisation be both a controller and a processor?
Yes. Many organisations act as controllers for some processing activities and processors for others. In this case, both Table A.1 and Table A.2 apply, with separate roles determined for each processing activity. ISO 27701:2025 Clause 4.1 requires you to determine your role for each instance of PII processing.
Do I also need Table A.3 as a processor?
Yes. Table A.3 (shared security controls) applies to both controllers and processors. As a processor, you need both Table A.2 (processor-specific) and Table A.3 (shared security) controls in your statement of applicability.
