What are the shared security controls in ISO 27701:2025?
Table A.3 of ISO 27701:2025 Annex A defines 29 information security controls that apply to any organisation processing PII, whether as a controller, processor or both.
These controls replaced the 90+ subclauses in the 2019 edition’s Clause 6. The 2025 edition retained only those controls that require PII-specific implementation guidance, consolidating them into a focused set. See the Annex F correspondence table for the full mapping from 2019 to 2025.
Implementation guidance for each control is in Annex B section B.3 (e.g. guidance for A.3.3 Information Security Policies is at B.3.3).
Complete list of Table A.3 controls
| Control | Title | Summary |
|---|---|---|
| A.3.3 Information Security Policies | Policies for information security | Define, approve and communicate information security policies related to PII processing |
| A.3.4 Security Roles | Information security roles and responsibilities | Define and allocate security roles and responsibilities for PII processing |
| A.3.5 Classification of Information | Classification of information | Classify information considering PII based on confidentiality, integrity and availability |
| A.3.6 Labelling of Information | Labelling of information | Develop labelling procedures that consider PII classification |
| A.3.7 Information Transfer | Information transfer | Establish transfer rules, procedures and agreements for PII |
| A.3.8 Identity Management | Identity management | Manage the full life cycle of identities related to PII processing |
| A.3.9 Access Rights | Access rights | Provision, review, modify and remove access rights to PII |
| A.3.10 Supplier Agreements | Addressing information security within supplier agreements | Establish security requirements for PII processing with each supplier |
| A.3.11 Incident Management | Incident management planning and preparation | Plan and prepare for managing security incidents related to PII |
| A.3.12 Security Incident Response | Response to information security incidents | Respond to PII-related security incidents per documented procedures |
| A.3.13 Legal and Regulatory Requirements | Legal, statutory, regulatory and contractual requirements | Document legal and regulatory requirements relevant to PII processing security |
| A.3.14 Protection of Records | Protection of records | Protect PII processing records from loss, destruction and unauthorised access |
| A.3.15 Independent Review | Independent review of information security | Independently review the approach to managing PII-related security |
| A.3.16 Compliance with Policies | Compliance with policies, rules and standards | Regularly review compliance with PII processing security policies |
| A.3.17 Security Awareness and Training | Information security awareness, education and training | Provide appropriate security awareness training related to PII processing |
| A.3.18 Confidentiality Agreements | Confidentiality or non-disclosure agreements | Identify, document and review confidentiality agreements for PII protection |
| A.3.19 Clear Desk and Clear Screen | Clear desk and clear screen | Define and enforce clear desk and clear screen rules for PII facilities |
| A.3.20 Storage Media | Storage media | Manage storage media with PII through its full life cycle |
| A.3.21 Secure Disposal of Equipment | Secure disposal or re-use of equipment | Verify PII is removed from equipment before disposal or re-use |
| A.3.22 User Endpoint Devices | User endpoint devices | Protect PII on user endpoint devices |
| A.3.23 Secure Authentication | Secure authentication | Implement secure authentication for PII processing systems |
| A.3.24 Information Backup | Information backup | Maintain and test backup copies of PII and related systems |
| A.3.25 Logging | Logging | Produce, store, protect and analyse logs of PII processing activities |
| A.3.26 Use of Cryptography | Use of cryptography | Define and implement cryptography rules for PII processing |
| A.3.27 Secure Development Life Cycle | Secure development life cycle | Establish rules for secure development of PII processing systems |
| A.3.28 Application Security | Application security requirements | Identify security requirements for PII when developing or acquiring applications |
| A.3.29 Secure System Architecture | Secure system architecture and engineering principles | Establish principles for engineering secure PII processing systems |
| A.3.30 Outsourced Development | Outsourced development | Direct, monitor and review outsourced PII processing system development |
| A.3.31 Test Information | Test information | Appropriately select, protect and manage test information for PII processing |
How do these controls relate to the 2019 edition?
The 29 controls in Table A.3 are direct descendants of the 2019 edition’s Clause 6. However, the 2019 Clause 6 contained over 90 subclauses — most referencing ISO 27002 controls. The 2025 edition removed subclauses that had no PII-specific guidance (physical security, network security, malware protection, business continuity etc.) and consolidated the remaining controls.
For the full mapping, see the Annex F correspondence table.
Who needs to implement Table A.3?
Every organisation seeking ISO 27701:2025 certification must consider Table A.3, regardless of whether they act as a PII controller or PII processor. These controls form the information security foundation of your Privacy Information Management System.
If you also hold ISO 27001, many of these controls will already be familiar. The key difference is that Table A.3 adds PII-specific requirements to each control. For example, A.3.25 Logging specifically requires recording who accessed which PII principal’s data and what changes were made.
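Because A.3.25 asks that logs of PII processing be produced, protected and analysed, the following is an added example (not from the standard and not ISMS.online's code) of an application-level audit record that captures the actor, the PII principal, the action and field-level changes, with each record HMAC-chained to the previous one so edits or deletions are detectable. The key, record fields and sample identities are assumptions for illustration.

```python
import hmac
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed key for this example only. In production it would be held in a KMS/HSM,
# separate from the application writing the log, so log writers cannot forge records.
LOG_KEY = b"example-log-signing-key"

def _mac(prev_mac: str, body: dict) -> str:
    # Canonical JSON so the MAC is independent of dict ordering.
    payload = prev_mac.encode() + json.dumps(body, sort_keys=True).encode()
    return hmac.new(LOG_KEY, payload, hashlib.sha256).hexdigest()

def record_pii_access(log: list, actor: str, principal_id: str, action: str,
                      fields: list, changes: Optional[dict] = None,
                      when: Optional[str] = None) -> dict:
    """Append one event: who (actor), whose data (principal_id), what (action, fields)
    and, for writes, the before/after values. The MAC covers the previous record's MAC,
    so altering or removing an earlier entry invalidates every later one."""
    body = {
        "ts": when or datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "principal_id": principal_id,
        "action": action,               # e.g. read / update / delete / export
        "fields": sorted(fields),       # which PII attributes were touched
        "changes": changes or {},       # {field: [old, new]} for updates
    }
    prev = log[-1]["mac"] if log else ""
    entry = {**body, "mac": _mac(prev, body)}
    log.append(entry)
    return entry

def verify_log(log: list) -> bool:
    """Recompute the chain; False means some record was edited, removed or reordered."""
    prev = ""
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "mac"}
        if not hmac.compare_digest(_mac(prev, body), entry["mac"]):
            return False
        prev = entry["mac"]
    return True

def events_for_principal(log: list, principal_id: str) -> list:
    """Which actors touched one person's data and what they changed: the question an
    incident investigation or a subject access request asks of this log."""
    return [e for e in log if e["principal_id"] == principal_id]
```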
Why choose ISMS.online for shared security controls?
ISMS.online helps you implement Table A.3 alongside your other compliance requirements:
- Integrated with ISO 27001 — If you already have ISO 27001 controls, see where Table A.3 adds PII-specific requirements without duplicating work
- Policy management — Draft, approve, distribute and track acknowledgement of PII-related security policies
- Incident management — Log, assess and respond to PII-related security incidents with notification tracking
- Supplier management — Track supplier agreements, security requirements and compliance status
- Audit tools — Plan independent reviews and compliance checks against Table A.3 requirements
- Evidence linking — Attach policies, procedures and audit results directly to each control
FAQs
Why are there only 29 controls when the 2019 edition had 90+ subclauses?
The 2019 edition referenced every ISO 27002 control with PII-related additions. Many subclauses simply stated “no additional guidance”. The 2025 edition removed those and retained only the 29 controls that require specific PII implementation guidance, making the scope more focused and auditable.
Do I need Table A.3 if I already have ISO 27001?
Yes. Table A.3 controls are ISO 27701-specific requirements, not ISO 27001 controls. They add PII-focused requirements on top of your existing ISMS controls. However, much of your ISO 27001 evidence and implementation will be directly relevant.
What happened to controls like physical security and malware protection?
They were removed from ISO 27701:2025 because they did not require PII-specific implementation guidance. If you hold ISO 27001, these remain covered under that standard. They are not gone from your security programme — they are just no longer within the scope of ISO 27701.