What does control A.2.2.6 require?
The organization shall provide the customer with the appropriate information such that the customer can demonstrate compliance with their obligations.
This control sits within the PII Processor controls annex (A.2) and addresses a fundamental aspect of the processor-controller relationship: the controller’s ability to demonstrate accountability. Controllers are required by law (including GDPR Article 5(2)) to demonstrate compliance with data protection principles, but they cannot do this without information from their processors about how PII is being handled. This control ensures that processors do not become a black box.
What does the Annex B implementation guidance say?
Annex B (section B.2.2.6) provides the following guidance:
- Audit support — The information needed by the customer can include whether the organisation allows for and contributes to audits conducted by the customer or another auditor mandated or otherwise agreed by the customer
- See also A.2.2.3: Organization’s Purposes for related requirements
- See also A.2.2.4: Marketing and Advertising Use for related requirements
The guidance specifically highlights audit rights as a key mechanism for demonstrating compliance. This can take several forms: on-site audits conducted by the customer, third-party audits mandated by the customer, certification against recognised standards (such as ISO 27701 itself), or the provision of audit reports, SOC 2 reports or other compliance evidence on request.
How does this map to GDPR?
Control A.2.2.6 maps to the following GDPR article:
- Article 28(3)(h) — The processor shall make available to the controller all information necessary to demonstrate compliance with the obligations laid down in Article 28, and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller
GDPR Article 28(3)(h) makes this a mandatory contractual obligation, requiring processors to make compliance information available and actively support controller audits. This is not optional — it is a legal requirement for processors operating under GDPR.
What changed from ISO 27701:2019?
For a step-by-step approach, see the Transition from 2019 to 2025.
In the 2019 edition, this requirement was addressed within the broader clause structure. The 2025 edition provides A.2.2.6 as a standalone control with implementation guidance in B.2.2.6 that specifically highlights audit support as a key component. See the Annex F correspondence table for the full mapping.
What evidence do auditors expect?
When assessing compliance with A.2.2.6, auditors will typically look for:
- Information provision capability — Evidence that the organisation can provide customers with relevant compliance information on request, such as processing records, security measures documentation and sub-processor details
- Audit support mechanisms — A documented approach to supporting customer audits, whether through on-site visits, third-party certifications, shared audit reports or questionnaire responses
- Compliance reporting — Regular compliance reports or dashboards provided to customers, demonstrating ongoing compliance with contractual and legal obligations
- Contract terms — Contract clauses that define the scope, frequency and format of compliance information to be provided
- Response records — Records of compliance information requests received from customers and the responses provided
What are the related controls?
| Control | Relationship |
|---|---|
| A.2.2.2 Customer agreement | The contract defines what compliance information the processor must provide |
| A.2.2.7 Records of processing | Processing records are a key source of compliance information for customers |
| A.3.15 Independent review | Independent audit results can be shared with customers as compliance evidence |
| A.3.14 Protection of records | Compliance records must be maintained securely and made available when needed |
| A.2.5.7 Disclosure of subcontractors | Subcontractor information is a key element of compliance transparency |
Who does this control apply to?
A.2.2.6 applies exclusively to PII processors. It recognises that controllers depend on their processors for the information needed to demonstrate compliance. Without this information, the controller cannot fulfil its accountability obligations. Processors that refuse to provide compliance information or resist audit requests make it impossible for their customers to comply with data protection law.
Why choose ISMS.online for customer compliance support?
ISMS.online provides practical tools for supporting your customers’ compliance obligations:
- Compliance evidence packs — Generate pre-built evidence packs for customers containing processing records, security measures, certification status and sub-processor details
- Audit management — Manage customer audit requests with scheduling, document sharing and finding tracking in one place
- Certification management — Track and share your ISO 27701, ISO 27001 and other certifications with customers as evidence of compliance
- Questionnaire management — Respond to customer security and privacy questionnaires efficiently with pre-built answer libraries
- Transparency dashboards — Provide customers with visibility into your compliance posture through shared dashboards and reports
FAQs
What information should processors make available to customers?
Processors should be prepared to provide: details of processing activities performed on behalf of the customer; security measures implemented; sub-processor details and contracts; breach notification procedures; data transfer mechanisms; data retention and deletion procedures; staff training records; and the results of security audits or penetration tests. The specific information required should be defined in the data processing agreement and should be sufficient for the customer to demonstrate compliance with its own obligations.
Can a processor charge for audit support?
This depends on the contract terms. GDPR requires the processor to “allow for and contribute to audits” but does not prohibit reasonable charges for the time and resources involved. Many processors include a certain number of audit days or questionnaire responses per year in their service fees, with additional support available at an agreed rate. What processors cannot do is refuse or unreasonably obstruct audit requests. The approach should be transparent and agreed in advance in the contract.
Can certifications replace customer audits?
Certifications such as ISO 27701 or SOC 2 reports can significantly reduce the need for individual customer audits by providing independent assurance of compliance. Many customers accept current certifications as sufficient evidence. However, certifications do not eliminate the customer’s right to audit under GDPR Article 28(3)(h). The practical approach is to offer certifications as the primary evidence mechanism, with the option for additional customer-specific audits where the customer requires them.