What does control A.2.5.9 require?
The organisation shall, in the case of having general written authorisation, inform the customer of any intended changes concerning the addition or replacement of subcontractors to process PII, thereby giving the customer the opportunity to object to such changes.
This control sits within the PII transfer and disclosure objective (A.2.5), which governs how PII processors manage the sharing and onward transfer of personal data entrusted to them by their customers.
What does the implementation guidance say?
Annex B (section B.2.5.9) provides the following guidance:
- Where the organisation changes the subcontractor, written authorisation from the customer is required prior to any PII being processed by the new subcontractor
- This authorisation can take the form of specific contract clauses that set out the notification and objection process
- Alternatively, it can be a specific one-off agreement obtained before the new subcontractor begins processing
- The key principle is that the customer retains control over which entities process their PII, even when general authorisation has been granted
- See also A.2.5.2: Basis for PII Transfer Between Jurisdictions for related requirements
- See also A.2.5.3: Countries and International Organizations for PII Transfer for related requirements
This guidance reinforces the idea that general authorisation does not mean blanket permission. The customer must always have the right to review and potentially reject changes to the subcontractor chain.
How does this map to GDPR?
Control A.2.5.9 maps directly to GDPR Article 28(2), which states that a processor shall not engage another processor without prior specific or general written authorisation of the controller. Where general written authorisation has been given, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.
This is one of the most directly aligned controls between ISO 27701:2025 and GDPR, with the control language closely mirroring the regulation.
How does this relate to ISO 29100 privacy principles?
This control supports the following ISO 29100 privacy principle:
- Accountability — Maintaining clear accountability for PII processing throughout the subcontractor chain
- Openness, transparency and notice — Ensuring the customer is informed of changes that affect how their PII is processed
What evidence do auditors expect?
When assessing compliance with A.2.5.9, auditors will typically look for:
- Subcontractor register — A documented list of all current subcontractors engaged to process PII, with dates of engagement and scope of processing
- Notification records — Evidence that the customer was informed of intended subcontractor changes before they took effect
- Objection process — A defined procedure for how customers can raise objections to proposed changes, including timescales
- Contract clauses — Written agreements that set out the notification and objection mechanism for subcontractor changes
- Authorisation records — Evidence of written authorisation (whether general or specific) obtained from each customer
- Change history — An audit trail showing all additions, replacements and removals of subcontractors over time
What are the related controls?
| Control | Relationship |
|---|---|
| A.2.5.7 Disclosure of subcontractors | Requires disclosing the use of subcontractors before processing begins |
| A.2.5.8 Engagement of a subcontractor | Governs the contractual requirements when engaging subcontractors |
| A.2.2.2 Customer agreement | The overarching agreement that defines the terms of processing, including subcontractor provisions |
| A.2.2.3 Organisation purposes | Processing must remain within the purposes agreed with the customer, including when subcontractors change |
| A.3.10 Supplier agreements | Broader supplier management requirements that apply to subcontractor relationships |
What changed from ISO 27701:2019?
For a step-by-step approach, see the Transition from 2019 to 2025.
In the 2019 edition, this requirement was part of Clause 8.5.8 (changes in subcontractor to process PII). The control content is substantively the same in 2025, but it now sits in Table A.2 with a clearer separation between the control statement (A.2.5.9) and implementation guidance (B.2.5.9). See the Annex F correspondence table for the full mapping.
Why choose ISMS.online for managing subcontractor changes?
ISMS.online provides practical tools for managing subcontractor relationships and changes:
- Subcontractor register — Maintain a centralised register of all subcontractors processing PII, with scope, location and contract details
- Change workflow — Trigger notification workflows when subcontractors are added or replaced, with built-in approval steps
- Customer communication — Record notifications sent to customers and track their responses, including any objections raised
- Contract management — Store and version control subcontractor agreements alongside authorisation records
- Audit trail — Generate a complete history of subcontractor changes for audit evidence and compliance reporting
FAQs
What is the difference between general and specific written authorisation?
General written authorisation allows the processor to engage subcontractors subject to notifying the customer and giving them the opportunity to object. Specific written authorisation requires the customer to approve each individual subcontractor before they can begin processing. A.2.5.9 specifically addresses the obligations that arise when general authorisation is in place.
How much notice should be given before a subcontractor change?
ISO 27701:2025 does not specify a minimum notice period, but the customer must have a reasonable opportunity to object. Best practice is to define the notice period in your processing agreement. Many organisations use 30 days as a standard period, but this should be agreed with each customer based on the sensitivity and volume of PII involved.
What happens if a customer objects to a subcontractor change?
If a customer objects, the new subcontractor must not process that customer’s PII. The organisation should have a documented process for handling objections, which might include retaining the existing subcontractor for that customer, offering an alternative, or in some cases allowing contract termination. The specific outcome should be governed by the terms of the processing agreement.