What does control A.3.11 require?
The organisation shall plan and prepare for managing information security incidents related to PII processing by defining, establishing and communicating incident management processes, roles and responsibilities.
This control sits within the Shared security controls annex (A.3), which contains obligations for both PII controllers and PII processors. It focuses specifically on the planning and preparation phase — ensuring your organisation is ready to respond before an incident occurs, rather than scrambling after a breach.
What does the Annex B implementation guidance say?
Annex B (section B.3.11) provides the following guidance:
- Establish identification and recording procedures — Define clear responsibilities and procedures for identifying and recording PII breaches, including how to classify the severity of an incident
- Establish notification procedures — Create documented procedures for notifying relevant parties of PII breaches, including the timing of notifications
- Account for legal requirements — Take account of applicable legal and regulatory requirements for breach notification, which vary by jurisdiction
- Jurisdictional awareness — Some jurisdictions impose specific breach response regulations with defined timelines and content requirements for notifications
The guidance emphasises that incident planning cannot be generic. Procedures must account for the specific types of PII your organisation processes, the jurisdictions in which you operate, and the notification requirements that apply to your circumstances.
How does this map to GDPR?
Control A.3.11 maps to several GDPR articles:
- Article 5(1)(f) — Integrity and confidentiality, including the ability to respond to breaches
- Article 33(1) — Controllers must notify the supervisory authority within 72 hours of becoming aware of a breach
- Article 33(3)(a-d) — Notifications must include the nature of the breach, contact point, likely consequences and measures taken
- Article 33(4-5) — Information may be provided in phases; the controller must document all breaches
- Article 34(1-4) — Communication of breaches to data subjects when there is a high risk to their rights and freedoms
The 72-hour GDPR notification window makes advance planning essential. Without pre-established processes, meeting this deadline is extremely difficult.
What changed from ISO 27701:2019?
For a step-by-step approach, see the Transition from 2019 to 2025.
In the 2019 edition, this requirement was covered by Clause 6.13.1.4, which addressed responsibilities and procedures for incident management. The 2025 edition retains the core requirements as A.3.11 but provides clearer separation between the control statement and the implementation guidance in B.3.11. See the Annex F correspondence table for the full mapping.
What evidence do auditors expect?
When assessing compliance with A.3.11, auditors will typically look for:
- Incident management policy and procedures — A documented plan covering identification, classification, escalation and notification of PII breaches
- Defined roles and responsibilities — Clear assignment of who does what during an incident, including a named incident manager and notification coordinator
- Notification templates — Pre-prepared templates for notifying supervisory authorities, affected individuals and business partners, aligned with legal requirements
- Legal requirement register — A documented list of breach notification obligations by jurisdiction, including timelines and content requirements
- Training and exercise records — Evidence that incident response teams have been trained and that the plan has been tested through tabletop exercises or simulations
What are the related controls?
| Control | Relationship |
|---|---|
| A.3.12 Response to incidents | A.3.11 covers planning and preparation; A.3.12 covers the actual response once an incident occurs |
| A.3.13 Legal and contractual requirements | Breach notification timelines and obligations depend on applicable legal requirements |
| A.3.17 Awareness and training | Staff must know how to recognise and report potential PII incidents |
| A.3.14 Protection of records | Incident records must be protected from loss, destruction or unauthorised access |
| A.3.10 Supplier agreements | Supplier contracts should include breach notification obligations and response timelines |
Who does this control apply to?
A.3.11 is a shared control that applies to both PII controllers and PII processors. Controllers bear the primary obligation to notify supervisory authorities and affected individuals, while processors must have procedures in place to detect and report breaches to their controllers without undue delay. Both roles need documented, tested incident management plans.
Why choose ISMS.online for incident management planning?
ISMS.online provides practical tools for building and maintaining your PII incident response capability:
- Incident management workflows — Pre-built, configurable workflows that guide your team through identification, classification, escalation and notification steps
- Role assignment — Define incident roles and responsibilities with clear escalation paths, so everyone knows their part before an incident occurs
- Notification tracking — Track supervisory authority and data subject notifications against regulatory deadlines, with automated alerts as time limits approach
- Breach register — Maintain a complete log of all PII incidents with severity ratings, response actions and outcomes, meeting the GDPR Article 33(5) documentation requirement
- Exercise management — Schedule and record tabletop exercises and plan reviews to demonstrate ongoing preparedness
FAQs
How specific should incident response procedures be?
Procedures should be specific enough that a team member can follow them under pressure without ambiguity. This means named roles (not just job titles), specific contact details, step-by-step escalation paths, and pre-prepared notification templates. Generic procedures that do not account for PII-specific requirements and jurisdictional notification timelines will not satisfy auditors.
What jurisdictional factors affect breach notification planning?
Notification requirements vary significantly by jurisdiction. The GDPR imposes a 72-hour deadline for notifying supervisory authorities. Other jurisdictions may have different timelines, different thresholds for when notification is required, and different requirements for the content of notifications. Your incident plan must account for every jurisdiction in which you process PII.
How often should incident response plans be tested?
Best practice is to conduct at least one tabletop exercise per year, with additional reviews whenever there is a significant change to your processing activities, IT infrastructure or organisational structure. The standard requires that plans are reviewed at planned intervals or when significant changes occur. Documenting the results of each exercise and any improvements made is essential for audit evidence.