
What does control A.2.4.4 require?

The organization shall subject PII transmitted over a data-transmission network to appropriate controls, which are designed to ensure that the data reaches its intended destination.

This control sits within the PII Processor controls annex (A.2) and addresses the security of PII during transmission. Whenever personal data moves across networks, whether between systems within the processor’s environment, between the processor and the controller, or between the processor and a subcontractor, it must be protected from interception, alteration and misdirection.

What does the Annex B implementation guidance say?

Annex B (section B.2.4.4) provides the following guidance:

  • Access control — Ensure only authorised individuals have access to transmission systems
  • Documented processes — Follow appropriate processes, including retention of audit data to demonstrate compliance
  • Integrity and delivery — Ensure PII is transmitted without compromise to the correct recipients
  • Contractual requirements — Transmission requirements can be specified in the customer contract
  • Customer consultation — Where no contractual requirements exist, the organisation should take advice from the customer prior to transmission
  • See also A.2.3.2: Comply with Obligations to PII Principals for related requirements
  • See also A.2.4.2: Temporary Files for related requirements

The guidance emphasises that transmission controls are not solely a technical matter. The processor must ensure that the right data reaches the right recipient without being compromised along the way. This requires a combination of encryption, access controls, authentication mechanisms and audit trails. Where the customer has specific transmission requirements, these should be documented in the contract.

How does this map to GDPR?

Control A.2.4.4 maps to the following GDPR article:

  • Article 5(1)(f) — Integrity and confidentiality — Personal data shall be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures

The integrity and confidentiality principle requires that personal data is protected during transmission as well as at rest. Transmitting PII over networks without appropriate controls (such as encryption) exposes the data to interception and compromise, directly violating this principle.

For the full GDPR-to-ISO 27701 mapping, see GDPR Compliance Guide.

What changed from ISO 27701:2019?

In the 2019 edition, this requirement was addressed within the broader clause structure. The 2025 edition provides A.2.4.4 as a standalone control with implementation guidance in B.2.4.4 that specifically addresses access to transmission systems, audit data retention and the role of customer contracts in defining transmission requirements. See the Annex F correspondence table for the full mapping.

For a step-by-step approach, see the Transition from 2019 to 2025.


What evidence do auditors expect?

When assessing compliance with A.2.4.4, auditors will typically look for:

  • Encryption standards — Evidence that PII is encrypted during transmission using current, industry accepted protocols (TLS 1.2 or above for data in transit, with server certificate validation enabled; TLS 1.0 and 1.1 are formally deprecated by RFC 8996 and should be disabled on both client and server)
  • Access controls — Documentation showing that only authorised individuals and systems have access to transmission mechanisms
  • Audit trails — Retained audit data demonstrating successful transmission, including sender, recipient, timestamp and confirmation of delivery
  • Contractual specifications — Contract clauses specifying the customer’s transmission requirements, including encryption standards, permitted channels and recipient verification procedures
  • Incident records — Records of any transmission failures or security incidents, including root cause analysis and corrective actions taken
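The Annex B "integrity and delivery" point and the audit trail evidence above (sender, recipient, timestamp, confirmation of delivery) can be made concrete in code. The following is an added example, not code from the page or from ISMS.online: it creates an audit record at the point of sending, binds the intended recipient into an HMAC over the payload so that a record cannot be replayed to a different destination, and on the receiving side rejects both misdirection (wrong recipient) and alteration (tag mismatch) before marking delivery as confirmed. The shared key, party names and payload are assumptions constructed for the example.

```python
"""Transmission audit record with an authenticated integrity and recipient check.

Added example; not from the original page. Key, names and payload are constructed.
"""
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone

# Assumption: sender and recipient share a per-customer key agreed out of band.
# Hypothetical value; a real deployment would hold this in a key store.
SHARED_KEY = b"example-shared-key-do-not-reuse"


@dataclass(frozen=True)
class TransmissionRecord:
    """One audit entry: who sent what, to whom, when, and whether it arrived intact."""
    sender: str
    intended_recipient: str
    timestamp_utc: str
    payload_sha256: str
    payload_tag: str            # HMAC-SHA256 over recipient || payload, keyed with SHARED_KEY
    delivery_confirmed: bool = False


def _tag(recipient: str, payload: bytes, key: bytes = SHARED_KEY) -> str:
    # Binding the recipient identity into the MAC means a valid tag for one
    # destination does not verify if the same payload turns up somewhere else.
    mac = hmac.new(key, recipient.encode("utf-8") + b"\x00" + payload, hashlib.sha256)
    return mac.hexdigest()


def record_transmission(sender: str, recipient: str, payload: bytes) -> TransmissionRecord:
    """Create the audit entry at the moment of sending."""
    return TransmissionRecord(
        sender=sender,
        intended_recipient=recipient,
        timestamp_utc=datetime.now(timezone.utc).isoformat(),
        payload_sha256=hashlib.sha256(payload).hexdigest(),
        payload_tag=_tag(recipient, payload),
    )


def confirm_delivery(record: TransmissionRecord, actual_recipient: str,
                     received: bytes, key: bytes = SHARED_KEY) -> TransmissionRecord:
    """Verify at the receiving end that the right data reached the right party.

    Raises ValueError on misdirection (recipient differs from the one recorded)
    or alteration (tag does not verify); otherwise returns the record marked confirmed.
    """
    if actual_recipient != record.intended_recipient:
        raise ValueError(
            f"misdirected: intended {record.intended_recipient}, arrived at {actual_recipient}")
    expected = _tag(actual_recipient, received, key)
    # Constant-time comparison so a forger learns nothing from timing.
    if not hmac.compare_digest(expected, record.payload_tag):
        raise ValueError("integrity failure: payload altered in transit")
    return TransmissionRecord(**{**asdict(record), "delivery_confirmed": True})


def to_audit_line(record: TransmissionRecord) -> str:
    """Serialise for a retained, append-only audit log (one JSON object per line)."""
    return json.dumps(asdict(record), sort_keys=True)


if __name__ == "__main__":
    # Constructed sample: a processor returning results to its customer (controller).
    payload = b'{"subject_id": "P-1001", "result": "eligible"}'
    rec = record_transmission("processor.example", "controller.example", payload)
    confirmed = confirm_delivery(rec, "controller.example", payload)
    print(to_audit_line(confirmed))
    try:
        confirm_delivery(rec, "controller.example", payload + b" ")
    except ValueError as err:
        print("rejected:", err)
```

The audit line is what an auditor would expect to see retained: sender, intended recipient, UTC timestamp, a digest of what was sent and whether delivery was confirmed. The HMAC tag is what makes the "without compromise" claim checkable rather than asserted; a plain hash would detect accidental corruption but not deliberate substitution by someone who can also rewrite the hash.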

What are the related controls?

  • A.2.5.2 Basis for PII transfer between jurisdictions: cross-border transmission requires both technical controls and a legal basis
  • A.2.2.2 Customer agreement: transmission requirements should be specified in the customer contract
  • A.2.4.3 Return, transfer or disposal: returning PII to the customer is a form of transmission requiring appropriate controls
  • A.3 Shared security controls: network security and cryptographic controls underpin transmission security
  • A.2.5.3 Countries for PII transfer: transmission destinations must be documented and disclosed

Who does this control apply to?

A.2.4.4 applies exclusively to PII processors. Processors frequently transmit PII as part of their operations, whether receiving data from controllers, returning processed results, sharing data with subcontractors or replicating data between systems. Each of these transmission points represents a potential exposure. This control ensures that processors implement appropriate safeguards for all PII in transit.

ISMS.online supports over 100 standards and regulations, giving you a single platform for all your compliance needs.


Why choose ISMS.online for PII transmission controls?

ISMS.online provides practical tools for managing PII transmission security:

  • Policy documentation — Document your transmission security policies, including encryption standards, permitted channels and access controls, with version control and review scheduling
  • Asset mapping — Map data flows that involve PII transmission, identifying sender and recipient systems, transmission methods and the controls applied to each
  • Contract management — Track customer specific transmission requirements alongside your standard controls, ensuring contractual obligations are met
  • Incident management — Record and manage transmission security incidents with root cause analysis, corrective actions and lessons learned
  • Audit evidence — Store transmission audit data, encryption certificates and access control records as structured evidence for internal and external audits

FAQs

What encryption standards should be used for PII transmission?

The standard does not prescribe specific encryption protocols, but current best practice requires TLS 1.2 or above for data in transit over networks; TLS 1.0 and 1.1 are deprecated (RFC 8996) and should be disabled. For email transmission, consider S/MIME or OpenPGP, which encrypt the message content end to end rather than relying only on transport encryption between mail servers. For file transfers, use SFTP (or FTPS) rather than unencrypted FTP; note that the legacy SCP protocol has been deprecated by OpenSSH, whose scp client has used SFTP underneath since release 9.0. For API communications, enforce HTTPS with full certificate validation, including hostname verification, and never disable verification in client code to work around a certificate problem. The specific requirements may also be defined by the customer contract or by applicable data protection regulations.
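The most common way these requirements are undermined in practice is client code that switches certificate verification off. The following is an added example, not code from the page or from ISMS.online, using Python's standard `ssl` module: it shows the weak client configuration beside a hardened one (TLS 1.2 minimum, certificate and hostname verification required, forward-secret AEAD cipher suites only for TLS 1.2) and a small policy check that returns the violations, which is the kind of automated evidence an auditor can be shown. The cipher string and the optional CA bundle path are assumptions; the defaults load the system trust store.

```python
"""TLS client policy for PII in transit: weak settings beside the hardened ones.

Added example; not from the original page. Uses only the Python standard library.
"""
import ssl
from typing import List, Optional

# Assumption: forward-secret AEAD suites only for TLS 1.2; TLS 1.3 suites are
# always AEAD and are not affected by this string.
PERMITTED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4"


def weak_context() -> ssl.SSLContext:
    """What 'just make the certificate error go away' code looks like. Do not ship this.

    With verification off, any on-path party can present its own certificate and
    read or alter the PII; the client has no idea who it is really talking to.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # hostname no longer compared to the certificate
    ctx.verify_mode = ssl.CERT_NONE     # server certificate not checked at all
    return ctx


def hardened_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Client context that meets a 'TLS 1.2 or above, validated certificate' policy.

    ca_bundle: optional path to a PEM bundle (for example a customer's private CA);
    None loads the operating system trust store.
    """
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuses TLS 1.0/1.1 (RFC 8996)
    ctx.check_hostname = True                       # certificate must match the host we asked for
    ctx.verify_mode = ssl.CERT_REQUIRED             # and chain to a trusted CA
    ctx.set_ciphers(PERMITTED_CIPHERS)
    return ctx


def check_policy(ctx: ssl.SSLContext) -> List[str]:
    """Return the policy violations for a context; an empty list means acceptable."""
    problems: List[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("server certificate not verified")
    if not ctx.check_hostname:
        problems.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append(f"minimum protocol {ctx.minimum_version.name} below TLS 1.2")
    return problems


def negotiated_protocol(host: str, port: int = 443) -> str:
    """Connect with the hardened context and report the protocol actually negotiated.

    Not exercised offline; shown so the usage pattern (server_hostname must be
    passed for hostname checking to apply) is visible.
    """
    import socket
    ctx = hardened_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version() or "unknown"


if __name__ == "__main__":
    print("weak context violations:    ", check_policy(weak_context()))
    print("hardened context violations:", check_policy(hardened_context()))
```

`check_policy` is deliberately a pure function over the context object so it can run in a unit test or a pre-deployment check without any network access; pointing `hardened_context` at a customer-supplied CA bundle is how a contractually required private CA is honoured without loosening verification.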


What if the customer does not specify transmission requirements?

The Annex B guidance states that where no contractual requirements exist, the organisation should take advice from the customer prior to transmission. In practice, this means proactively consulting the customer about their preferred transmission methods, encryption requirements and recipient verification procedures. Documenting this consultation and the agreed approach protects both parties and demonstrates good practice to auditors.


Does this control apply to internal network transmission?

Yes. The control applies to PII transmitted over any data transmission network, including internal networks. While external transmissions typically carry higher risk, internal network traffic can also be intercepted, particularly in shared or cloud environments. Best practice is to encrypt PII in transit regardless of whether the network is internal or external, and to implement network segmentation and access controls to limit exposure.



Max Edwards

Max works as part of the ISMS.online marketing team and ensures that our website is updated with useful content and information about all things ISO 27001, 27002 and compliance.
