What does control A.2.5.3 require?
The organization shall specify and document the countries and international organizations to which PII can possibly be transferred.
This control sits within the PII processor controls annex (A.2) and addresses a fundamental transparency requirement. Controllers need to know where their data might end up, because different jurisdictions have different data protection standards. Without a documented list of transfer destinations, the controller cannot conduct transfer impact assessments or confirm that cross-border transfer requirements are met.
What does the Annex B implementation guidance say?
Annex B (section B.2.5.3) provides the following guidance:
- Normal operations — Countries involved in normal operations should be made available to customers
- Subcontracted processing — The list should include countries involved through subcontracted processing arrangements
- Legal authority transfers — Outside normal operations, transfers required by legal authorities may not be specifiable in advance or may be prohibited from disclosure to preserve investigation confidentiality
- See also A.2.5.9: Change of Subcontractor to Process PII for related requirements
The guidance draws an important distinction between transfers that are part of normal operations (which must be documented and disclosed) and transfers required by legal authorities (which may not be predictable or disclosable). For normal operations, the processor must maintain a comprehensive list that includes both direct transfer destinations and those introduced through subcontractors.
How does this map to GDPR?
Control A.2.5.3 maps to the following GDPR article:
- Article 30(2)(c) — The record of processing activities carried out on behalf of a controller shall contain transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation
GDPR Article 30(2)(c) makes this a mandatory record-keeping obligation: processors must include transfer destinations in their records of processing activities. Article 30(5) exempts organisations with fewer than 250 employees only where the processing is occasional, is unlikely to result in a risk to data subjects, and involves no special categories of data or data relating to criminal convictions. A processor whose handling of customer PII is not occasional therefore has to keep the record regardless of its size.
What changed from ISO 27701:2019?
For a step-by-step approach, see the Transition from 2019 to 2025.
In the 2019 edition this requirement was clause 8.5.2, Countries and international organizations to which PII can be transferred. The 2025 edition restates it as control A.2.5.3 with implementation guidance in B.2.5.3, which keeps the distinction between normal operational transfers and transfers required by legal authorities. See the Annex F correspondence table for the full mapping.
What evidence do auditors expect?
When assessing compliance with A.2.5.3, auditors will typically look for:
- Country register — A documented, maintained list of all countries and international organisations to which PII can possibly be transferred during normal operations
- Subcontractor coverage — Evidence that the country list includes destinations introduced through subcontracted processing, not just direct transfers
- Customer availability — Evidence that the country list has been made available to customers, whether through contracts, customer portals or direct communication
- Records of processing activities — Transfer destinations recorded in the Article 30(2) records of processing activities
- Update procedures — A documented process for updating the country list when new transfer destinations are added, including customer notification procedures
What are the related controls?
| Control | Relationship |
|---|---|
| A.2.5.2 Basis for PII transfer | Each documented country requires a documented legal basis for the transfer |
| A.2.5.7 Disclosure of subcontractors | Subcontractor disclosures include the countries where subcontractors operate |
| A.2.5.8 Engagement of subcontractors | Subcontractor contracts must address transfer destinations |
| A.2.2.7 Records of processing | Transfer destinations are a required element of processing records |
| A.2.5.4 Records of PII disclosures | Disclosures to organisations in other countries should be recorded with the destination country |
Who does this control apply to?
A.2.5.3 applies exclusively to PII processors. Controllers need this information to conduct their own transfer impact assessments and to fulfil their transparency obligations to data subjects. If a processor cannot tell its customers where PII might be transferred, the controller cannot comply with its own data protection obligations. This makes the country list a foundational element of processor transparency.
Why choose ISMS.online for transfer destination management?
ISMS.online provides practical tools for documenting and managing PII transfer destinations:
- Country register — Maintain a centralised, version controlled register of all countries and international organisations to which PII can be transferred
- Subcontractor integration — Link subcontractor records to their processing locations, automatically including subcontractor countries in your transfer destination list
- Customer reporting — Generate transfer destination reports for customers, showing all countries involved in processing their data
- Change tracking — Track additions and removals from the country list with full audit trail and automated customer notification triggers
- Compliance mapping — Map each transfer destination to its legal basis (A.2.5.2 Basis for PII Transfer) and related contractual provisions for a complete compliance picture
FAQs
Should the country list include cloud provider regions?
Yes. Availability zones sit within a single region and normally do not add a country, but if your cloud infrastructure spans multiple regions, each country where data could be stored or processed should be included in the country list. This includes primary processing locations, failover regions and any locations used for data replication or backup. Even if you configure a specific region, check whether the cloud provider’s terms allow data to be processed or temporarily stored in other locations for operational reasons, and whether global services such as content delivery networks, DNS or provider support access could handle the data outside the configured region.
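One practical way to keep the country list honest is to derive it from the cloud inventory rather than from memory, and reconcile the result against the documented register. The script below is an added example, not code from ISMS.online or from the standard. The region-to-country mapping, the resource inventory and the register are constructed for illustration; confirm region locations against your provider's documentation before relying on such a mapping. Unknown regions are surfaced explicitly rather than silently dropped, which is the failure mode that matters most for a completeness control.

```python
"""Reconcile a cloud resource inventory against a documented A.2.5.3 country register.

Added example: not part of the ISMS.online page or ISO/IEC 27701. The mapping,
inventory and register below are constructed for illustration only.
"""
from dataclasses import dataclass, field

# Illustrative region -> country mapping (assumption: verify against provider docs).
REGION_COUNTRY = {
    "eu-west-1": "Ireland",
    "eu-central-1": "Germany",
    "us-east-1": "United States",
    "ap-southeast-1": "Singapore",
}


@dataclass
class Resource:
    """A data store together with every region that can hold a copy of its data."""
    name: str
    primary_region: str
    failover_regions: list[str] = field(default_factory=list)
    replication_regions: list[str] = field(default_factory=list)  # backups, cross-region copies

    def regions(self) -> set[str]:
        # Every region where PII could be stored or processed counts, not just the primary one.
        return {self.primary_region, *self.failover_regions, *self.replication_regions}


def destination_countries(resources: list[Resource]) -> dict[str, list[str]]:
    """Map each destination country to the 'resource:region' pairs that place PII there.

    A region missing from REGION_COUNTRY is reported as 'UNKNOWN:<region>' so that an
    unmapped region shows up as a gap instead of disappearing from the list.
    """
    out: dict[str, list[str]] = {}
    for r in resources:
        for region in sorted(r.regions()):
            country = REGION_COUNTRY.get(region, f"UNKNOWN:{region}")
            out.setdefault(country, []).append(f"{r.name}:{region}")
    return out


def reconcile(resources: list[Resource], register: list[str]):
    """Compare inventory-derived countries with the documented register.

    Returns (undocumented, stale): countries in use but absent from the register,
    keyed to the resources that use them, and register entries no current resource uses.
    """
    in_use = destination_countries(resources)
    undocumented = {c: where for c, where in in_use.items() if c not in register}
    stale = sorted(set(register) - set(in_use))
    return undocumented, stale


# Constructed sample inventory and register (not real deployments).
SAMPLE_RESOURCES = [
    Resource("customer-db", "eu-west-1", failover_regions=["eu-central-1"]),
    Resource("object-store", "eu-west-1", replication_regions=["us-east-1"]),
    Resource("analytics", "ap-southeast-1"),
    Resource("log-archive", "eu-west-1", replication_regions=["ca-central-1"]),
]
SAMPLE_REGISTER = ["Ireland", "Germany", "Singapore", "France"]

if __name__ == "__main__":
    undocumented, stale = reconcile(SAMPLE_RESOURCES, SAMPLE_REGISTER)
    for country, where in undocumented.items():
        print(f"NOT IN REGISTER: {country} <- {', '.join(where)}")
    for country in stale:
        print(f"IN REGISTER BUT UNUSED: {country}")
```

Run against the constructed sample, the script flags the United States (introduced only by a cross-region replication target) and the unmapped ca-central-1 region as undocumented, and France as a register entry with no current use. Feeding it an export from your provider's inventory API instead of the hard-coded list turns it into a check that can run on every infrastructure change, which is the trigger the review cadence above calls for.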
What about transfers required by law enforcement?
The Annex B guidance acknowledges that transfers required by legal authorities may not be specifiable in advance and may be prohibited from disclosure to preserve investigation confidentiality. These transfers fall outside the scope of the normal operations country list. However, you should still document your procedure for handling such requests (covered by A.2.5.5 PII Disclosure Requests and A.2.5.6 Legally Binding Disclosures) and inform customers where legally permitted to do so.
How often should the country list be reviewed?
The country list should be reviewed whenever there is a change to your processing infrastructure, subcontractor arrangements or cloud provider configurations. As a minimum, conduct an annual review to confirm that the list remains accurate. Changes to the list should trigger customer notification: A.2.5.2 Basis for PII Transfer requires customers to be informed of intended changes to the basis for transfers, and A.2.5.9 Change of Subcontractor to Process PII requires notification of changes to subcontracting arrangements, giving customers the opportunity to assess the implications and object if necessary.