What does control A.2.2.7 require?
The organization shall determine and maintain the necessary records in support of demonstrating compliance with its obligations (as specified in the applicable contract) for the processing of PII carried out on behalf of a customer.
This control sits within the PII Processor controls annex (A.2) and establishes the processor’s own record-keeping obligations. While A.2.2.6 Customer Obligations requires the processor to help customers demonstrate compliance, A.2.2.7 requires the processor to maintain records for its own accountability. These records must demonstrate that the processor has complied with its contractual obligations and applicable legal requirements.
What does the Annex B implementation guidance say?
Annex B (section B.2.2.7) provides the following guidance:
- Jurisdictional requirements — Some jurisdictions can require the organisation to record information such as:
  - Categories of processing carried out on behalf of each customer
  - Transfers to third countries or international organisations
  - A general description of the technical and organisational security measures
- See also A.2.2.2: Customer Agreement for related requirements
- See also A.2.2.4: Marketing and Advertising Use for related requirements
The guidance directly mirrors the GDPR Article 30(2) requirements for processor records of processing activities. While the ISO standard frames these as jurisdictional requirements, organisations operating under GDPR will recognise them as mandatory record-keeping obligations.
How does this map to GDPR?
Control A.2.2.7 maps to the following GDPR articles:
- Article 30(2)(a) — The name and contact details of each processor, of each controller on behalf of which the processor is acting, and of the controller’s or processor’s representative and data protection officer
- Article 30(2)(b) — The categories of processing carried out on behalf of each controller
- Article 30(3) — Records shall be in writing, including in electronic form
- Article 30(4) — The processor shall make the record available to the supervisory authority on request
- Article 30(5) — Exemption for organisations with fewer than 250 employees, unless the processing is likely to result in a risk, is not occasional, or includes special categories of data
GDPR Article 30(2) provides a specific, minimum list of what processor records must contain. Organisations should treat this as a floor, not a ceiling.
What changed from ISO 27701:2019?
For a step-by-step approach, see the Transition from 2019 to 2025.
In the 2019 edition, this requirement was addressed within the broader clause structure. The 2025 edition provides A.2.2.7 as a standalone control with implementation guidance in B.2.2.7 that clearly lists the jurisdictional record-keeping requirements. See the Annex F correspondence table for the full mapping.
What evidence do auditors expect?
When assessing compliance with A.2.2.7, auditors will typically look for:
- Records of processing activities — A maintained register of processing activities carried out on behalf of each customer, including processing categories, data types and purposes
- Transfer records — Documentation of any PII transfers to third countries or international organisations, including the legal basis for each transfer
- Security measures documentation — A general description of the technical and organisational security measures in place for PII processing
- Contact details — Maintained records of processor, controller, representative and DPO contact details for each processing arrangement
- Record maintenance process — A documented process for keeping records up to date, including review schedules and update triggers
What are the related controls?
| Control | Relationship |
|---|---|
| A.2.2.6 Customer obligations | Processing records support the information provided to customers for their compliance |
| A.2.2.3 Organization’s purposes | Records should demonstrate that processing aligns with documented customer purposes |
| A.1.2.9 Records (controller) | The controller-side equivalent of processing record requirements |
| A.3.14 Protection of records | Processing records must be stored securely and protected from unauthorised modification |
| A.2.5.2 Basis for PII transfer | Cross-border transfer records are a key component of processing records |
Who does this control apply to?
A.2.2.7 applies exclusively to PII processors. It creates an independent record-keeping obligation for processors, separate from the controller’s own record-keeping requirements under A.1.2.9 Records of Processing PII. Under GDPR, the small business exemption in Article 30(5) rarely applies in practice because most processing is not truly “occasional” and many processors handle special categories of data. Processors should therefore maintain records regardless of organisation size.
Why choose ISMS.online for processing record management?
ISMS.online provides practical tools for maintaining processor records of processing activities:
- Processing register — Maintain a central, structured register of all processing activities per customer, with categories, data types, purposes and security measures documented
- Transfer tracking — Record and monitor cross-border PII transfers with legal basis documentation and destination country tracking
- Automated reminders — Schedule periodic record reviews with automated reminders to ensure records remain current and accurate
- Supervisory authority readiness — Generate records in a format suitable for supervisory authority requests, meeting GDPR Article 30(4) obligations
- Version history — Maintain a complete version history of processing records, showing how processing arrangements have changed over time
FAQs
What must processor records contain?
Under GDPR Article 30(2), processor records must contain: the name and contact details of each processor and each controller it acts for, plus their representatives and DPOs where applicable; the categories of processing carried out on behalf of each controller; transfers to third countries or international organisations, including the legal basis; and a general description of technical and organisational security measures. Best practice extends this to include the types of PII processed, the legal basis for processing, sub-processor details and retention periods.
How often should records be updated?
Records should be updated whenever there is a material change to processing arrangements, such as a new customer, a change in processing categories, a new sub-processor, a new cross-border transfer or a change in security measures. In addition, records should be reviewed at regular intervals (at least annually) to verify they remain accurate and complete. Many organisations integrate record updates into their change management processes to ensure updates happen in real time.
Do processors with fewer than 250 employees need to maintain records?
GDPR Article 30(5) provides a limited exemption for organisations with fewer than 250 employees, but it only applies if the processing is not likely to result in a risk to data subjects, is occasional and does not include special categories of data or criminal offence data. In practice, most processors fall outside this exemption because their processing is regular (not occasional) and may involve data types that trigger the exception. ISO 27701 does not include a similar exemption, so all processors seeking certification should maintain records regardless of size.