What does control A.2.5.7 require?

Before use, the organization shall disclose whether any subcontractors are used to process PII to the customer.

This control sits within the PII Processor controls annex (A.2) and addresses subcontractor transparency. When a processor uses subcontractors (sub-processors) to process PII on behalf of the controller, the controller must be informed before the subcontractor begins processing. This is a proactive obligation: disclosure must happen before use, not after.

What does the Annex B implementation guidance say?

Annex B (section B.2.5.7) provides the following guidance:

  • Contractual provisions — Provisions for subcontractor disclosure should be included in the customer contract
  • Disclosure scope — Disclose the fact of subcontracting and the names of the subcontractors
  • Country and transfer information — Also disclose the countries and organisations where subcontractors can transfer data and the means by which subcontractors meet or exceed the processor’s own obligations
  • Security risk considerations — If public disclosure of subcontractor details increases security risk, disclosure can be made under a non-disclosure agreement (NDA) or on request. However, the country list must always be disclosed regardless
  • See also A.2.5.4: Records of PII Disclosures to Third Parties for related requirements
  • See also A.2.5.5: Notification of PII Disclosure Requests for related requirements

The guidance balances transparency with security. While full subcontractor details (including names and compliance status) may sometimes need to be disclosed under NDA to prevent security risks, the countries where PII can be transferred must always be disclosed without restriction. This ensures controllers can always assess cross-border transfer compliance.

How does this map to GDPR?

Control A.2.5.7 maps to the following GDPR articles:

  • Article 28(2) — The processor shall not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object
  • Article 28(4) — Where a processor engages another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract between the controller and processor shall be imposed on that other processor

GDPR Article 28(2) requires either specific authorisation (naming each sub-processor) or general authorisation with a notification and objection mechanism. Either way, the controller must know about sub-processors before they begin processing.

What changed from ISO 27701:2019?

For a step-by-step approach, see the Transition from 2019 to 2025.

In the 2019 edition, this requirement was addressed within the broader clause structure. The 2025 edition provides A.2.5.7 as a standalone control with implementation guidance in B.2.5.7 that adds explicit coverage of country disclosure requirements, NDA provisions for security-sensitive disclosures and the requirement to disclose how subcontractors meet or exceed the processor’s obligations. See the Annex F correspondence table for the full mapping.

ISMS.online supports over 100 standards and regulations, giving you a single platform for all your compliance needs.

What evidence do auditors expect?

When assessing compliance with A.2.5.7, auditors will typically look for:

  • Subcontractor register — A maintained register of all subcontractors used to process PII, including their names, processing activities, locations and the date they were disclosed to each customer
  • Pre-engagement disclosure records — Evidence that subcontractors were disclosed to customers before they began processing PII, not after
  • Country information — Documentation of the countries and organisations where each subcontractor processes or transfers PII
  • Compliance evidence — Records showing how subcontractors meet or exceed the processor’s own obligations, such as certifications, audit reports or contractual commitments
  • Contractual provisions — Contract clauses defining the subcontractor disclosure procedure, including whether specific or general authorisation applies and the customer’s right to object

What are the related controls?

| Control | Relationship |
|---|---|
| A.2.5.8 Engagement of subcontractors | Governs the contractual and authorisation requirements for actually engaging the subcontractor |
| A.2.5.3 Countries for PII transfer | Subcontractor countries must be included in the transfer destination list |
| A.2.5.2 Basis for PII transfer | Transfers to subcontractors in other jurisdictions require a documented legal basis |
| A.2.2.2 Customer agreement | The contract defines the subcontractor authorisation model (specific or general) |
| A.2.2.6 Customer obligations | Subcontractor transparency helps customers demonstrate their own compliance |

Who does this control apply to?

A.2.5.7 applies exclusively to PII processors. Controllers are ultimately accountable for the processing of PII, including processing carried out by sub-processors on their behalf. Without transparency about who is processing their data and where, controllers cannot fulfil their accountability obligations. This control ensures that processors do not introduce subcontractors into the processing chain without the controller’s knowledge.

Why choose ISMS.online for subcontractor disclosure management?

ISMS.online provides practical tools for managing subcontractor transparency:

  • Subcontractor register — Maintain a centralised register of all sub-processors, including their names, processing activities, locations, certifications and compliance status
  • Disclosure workflows — Manage pre-engagement disclosure workflows with tracked customer notifications, approval requests and objection handling
  • Country mapping — Link subcontractors to their processing countries, automatically updating the transfer destination register when subcontractors change
  • Compliance monitoring — Track subcontractor compliance evidence (certifications, audit reports, contract terms) and flag when evidence expires or needs renewal
  • Customer portal — Provide customers with visibility into your subcontractor register, reducing ad hoc information requests and demonstrating ongoing transparency

FAQs

What information must be disclosed about subcontractors?

At minimum, the processor must disclose: the fact that subcontractors are used; the names of the subcontractors; the countries and organisations where subcontractors can transfer PII; and the means by which subcontractors meet or exceed the processor’s own obligations (such as certifications, contractual terms or audit results). If disclosing subcontractor names creates a security risk, the names can be disclosed under NDA or on request, but the country list must always be disclosed openly.


What is the difference between specific and general authorisation?

Under GDPR Article 28(2), the controller can grant specific authorisation (approving each sub-processor individually before engagement) or general authorisation (giving blanket permission for the processor to use sub-processors, subject to a notification and objection mechanism). With general authorisation, the processor must inform the controller of any intended changes to sub-processors and give the controller the opportunity to object before the change takes effect. The contract should clearly state which model applies.


Can a processor refuse to disclose subcontractor names?

The Annex B guidance allows names to be withheld from public disclosure if doing so increases security risk, provided they are disclosed under NDA or on request. However, the processor cannot refuse to disclose names to the customer entirely, as the controller needs this information to fulfil their own obligations. The country list must always be disclosed without restriction. In practice, most customers expect full subcontractor names as part of the data processing agreement or a publicly available sub-processor list.



Max Edwards

Max works as part of the ISMS.online marketing team and ensures that our website is updated with useful content and information about all things ISO 27001, 27002 and compliance.