What does control A.2.5.8 require?

The organization shall only engage a subcontractor to process PII according to the customer contract.

This control sits within the PII Processor controls annex (A.2) and establishes the contractual foundation for sub-processing. Processors cannot freely delegate PII processing to subcontractors. Every sub-processing arrangement must be authorised by the customer contract, and the subcontractor must be bound by equivalent privacy obligations. This protects the controller’s interests throughout the processing chain.

What does the Annex B implementation guidance say?

Annex B (section B.2.5.8) provides the following guidance:

  • Written customer authorisation — Written authorisation from the customer is required prior to any subcontractor processing. This can take the form of contract clauses or a specific one-off agreement
  • Written subcontractor contract — The organisation must have a written contract with each subcontractor
  • Table A.2 controls — The subcontractor contract must address all applicable controls from Table A.2 (the PII Processor controls)
  • Default implementation — Subcontractors should implement all A.2 controls by default; any exclusions must be justified
  • See also A.2.5.2: Basis for PII Transfer Between Jurisdictions for related requirements
  • See also A.2.5.4: Records of PII Disclosures to Third Parties for related requirements

The guidance establishes a clear chain of contractual obligations. The customer authorises the sub-processing, the processor contracts with the subcontractor and the subcontractor contract mirrors the obligations in the processor’s own contract with the customer. Exclusions from the A.2 controls are permitted only where justified, ensuring that the privacy protection does not diminish as processing moves down the chain.

How does this map to GDPR?

Control A.2.5.8 maps to the following GDPR articles:

  • Article 28(2) — The processor shall not engage another processor without prior specific or general written authorisation of the controller
  • Article 28(4) — Where a processor engages another processor, the same data protection obligations as set out in the contract between the controller and the first processor shall be imposed on that other processor by way of a contract, in particular providing sufficient guarantees to implement appropriate technical and organisational measures

GDPR Article 28(4) requires a flow-down of obligations: the sub-processor contract must impose the same obligations on the sub-processor as the controller imposed on the processor. If the sub-processor fails to fulfil its obligations, the initial processor remains fully liable to the controller.

What changed from ISO 27701:2019?

For a step-by-step approach, see the Transition from 2019 to 2025.

In the 2019 edition, this requirement was addressed within the broader clause structure. The 2025 edition provides A.2.5.8 as a standalone control with implementation guidance in B.2.5.8 that explicitly requires subcontractor contracts to address all Table A.2 controls and requires subcontractors to implement all A.2 controls by default with justified exclusions. See the Annex F correspondence table for the full mapping.

What evidence do auditors expect?

When assessing compliance with A.2.5.8, auditors will typically look for:

  • Customer authorisation — Written authorisation from each customer for the use of subcontractors, whether through contract clauses (general authorisation) or specific approvals (specific authorisation)
  • Subcontractor contracts — Written contracts with each subcontractor that address all applicable A.2 controls, with documented justifications for any exclusions
  • Obligation flow-down — Evidence that the obligations imposed on the processor by the customer contract have been flowed down to subcontractor contracts
  • A.2 control coverage — A mapping showing which A.2 controls are addressed in each subcontractor contract and the justification for any that are excluded
  • Subcontractor compliance monitoring — Evidence that the organisation monitors subcontractor compliance with their contractual obligations, such as audit results, certification status and performance reviews

What are the related controls?

  • A.2.5.7 Disclosure of subcontractors — Subcontractors must be disclosed to the customer before engagement
  • A.2.2.2 Customer agreement — The customer contract authorises sub-processing and defines the conditions
  • A.2.5.3 Countries for PII transfer — Subcontractor processing locations must be documented and disclosed
  • A.2.4.3 Return, transfer or disposal — Subcontractors must comply with PII disposal requirements at contract end
  • A.2.2.6 Customer obligations — Subcontractor compliance evidence supports customer accountability

Who does this control apply to?

A.2.5.8 applies exclusively to PII processors. When a processor engages a subcontractor, the controller’s PII passes through an additional layer of processing. The controller needs assurance that this additional layer provides the same level of protection as the primary processing relationship. This control ensures that sub-processing is authorised, contractually governed and subject to the full set of A.2 controls.




ISMS.online supports over 100 standards and regulations, giving you a single platform for all your compliance needs.
Why choose ISMS.online for subcontractor engagement management?

ISMS.online provides practical tools for managing subcontractor engagement:

  • Contract management — Store and manage subcontractor contracts with version control, linking each contract to the applicable A.2 controls and customer authorisations
  • Control mapping — Map each subcontractor contract against all A.2 controls, with structured fields for documenting control coverage and justified exclusions
  • Authorisation tracking — Track customer authorisations for each subcontractor, including the authorisation type (specific or general), date granted and any conditions
  • Compliance monitoring — Monitor subcontractor compliance through scheduled assessments, certification tracking and audit result management
  • Obligation flow-down — Compare customer contract obligations with subcontractor contract obligations to verify that all requirements have been properly flowed down

FAQs

What must the subcontractor contract include?

The subcontractor contract must address all applicable controls from Table A.2 (the PII Processor controls). This includes processing instructions, confidentiality obligations, security measures, data subject rights support, breach notification, data disposal, cross-border transfer provisions and audit rights. The subcontractor should implement all A.2 controls by default. Any exclusions must be documented and justified based on the scope of the sub-processing. The contract must also flow down the same obligations that the customer contract imposes on the processor.

Who is liable if the subcontractor breaches its obligations?

Under GDPR, the initial processor remains fully liable to the controller for the performance of the subcontractor’s obligations. If the subcontractor fails to fulfil its data protection obligations, the processor is responsible. This is why robust subcontractor contracts, compliance monitoring and audit rights are essential. The processor should also ensure it has appropriate indemnification provisions in its subcontractor contract to manage the commercial risk of subcontractor non-compliance.


Can exclusions from A.2 controls be justified?

Yes, but exclusions must be justified based on the scope and nature of the sub-processing. For example, a subcontractor that only provides infrastructure hosting (without access to PII content) may justifiably exclude controls related to data subject rights or PII disclosure. However, controls related to security, confidentiality and breach notification would still apply. The justification must be documented, assessed for risk and approved. Auditors will scrutinise exclusions to ensure they do not create gaps in privacy protection.



Max Edwards

Max works as part of the ISMS.online marketing team and ensures that our website is updated with useful content and information about all things ISO 27001, 27002 and compliance.