What does control A.3.14 require?
Records related to PII processing shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release.
This control sits within the Shared security controls annex (A.3) and addresses a fundamental governance requirement: the records that demonstrate your privacy compliance must themselves be secure. If records can be lost, altered or accessed without authorisation, they lose their value as evidence of compliance.
What does the Annex B implementation guidance say?
Annex B (section B.3.14) provides the following guidance:
- Historical policy review — Review of both current and historical policies may be required in certain situations, such as resolving customer disputes or responding to investigations by supervisory authorities
- Retain copies of privacy documentation — Keep copies of privacy policies and procedures for the period specified in the organisation’s retention schedule, including previous versions when policies are updated
The guidance highlights that records protection is not just about current documents. Organisations may need to demonstrate what policies were in place at a specific point in time — for example, to show that adequate safeguards existed when a breach occurred, or to respond to a data subject complaint that references historical processing.
How does this map to GDPR?
Control A.3.14 maps to GDPR Article 5(2) (accountability principle) and Article 24(2) (implementation of appropriate data protection policies). The accountability principle requires controllers to be able to demonstrate compliance, which depends entirely on having reliable, protected records. If records are lost or tampered with, the organisation cannot fulfil this obligation.
What changed from ISO 27701:2019?
For a step-by-step approach, see the Transition from 2019 to 2025.
In the 2019 edition, this requirement was covered by Clause 6.15.1.3 (protection of records). The 2025 edition retains the core requirements as A.3.14 with clearer separation between the control statement and implementation guidance in B.3.14. The emphasis on retaining historical versions of privacy policies remains a key feature of the guidance. See the Annex F correspondence table for the full mapping.
What evidence do auditors expect?
When assessing compliance with A.3.14, auditors will typically look for:
- Records retention policy — A documented policy specifying how long PII processing records are retained, including minimum retention periods for different record categories
- Version control — Evidence that previous versions of privacy policies, procedures and processing records are retained and accessible, with clear version numbering and dates
- Access controls — Restrictions on who can access, modify and delete privacy records, with audit logging of any changes
- Backup and recovery — Evidence that records are backed up and can be recovered in the event of system failure or data loss
- Integrity controls — Mechanisms to detect and prevent falsification of records, such as audit trails, digital signatures or tamper-evident storage
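The two technical expectations above that are easiest to get wrong in practice are version control (being able to say which policy version was in force on a given date, as the Annex B guidance on historical policy review requires) and integrity controls (detecting that a stored record has been altered). The following Python example is added here to illustrate both together; it is not ISMS.online's code and not part of the standard. It keeps an append-only register in which every entry is hash-chained to the previous one and authenticated with an HMAC, so a backdated or edited entry breaks the chain and can be pinpointed. Record ids, dates, actors and the signing key are all constructed sample values.

```python
import hashlib
import hmac
import json
from datetime import date
from typing import List, Optional, Tuple

# Constructed demo key. A real deployment keeps the key in a KMS/HSM that
# record editors cannot read, so an editor cannot re-sign what they changed.
SIGNING_KEY = b"constructed-demo-key-not-for-production"
GENESIS_HASH = "0" * 64
BODY_FIELDS = ("record_id", "version", "effective_from", "content_sha256", "actor", "prev_hash")


def _canonical(payload: dict) -> bytes:
    """Stable serialisation so identical payloads always hash identically."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


class RecordRegister:
    """Append-only, hash-chained register of versioned privacy records (hypothetical design)."""

    def __init__(self, key: bytes = SIGNING_KEY):
        self._key = key
        self.entries: List[dict] = []

    def append(self, record_id: str, version: str, effective_from: str, content: str, actor: str) -> str:
        """Add a new version of a record; returns the entry hash (usable as a receipt)."""
        prev_hash = self.entries[-1]["entry_hash"] if self.entries else GENESIS_HASH
        body = {
            "record_id": record_id,
            "version": version,
            "effective_from": effective_from,  # ISO date YYYY-MM-DD
            "content_sha256": hashlib.sha256(content.encode()).hexdigest(),
            "actor": actor,
            "prev_hash": prev_hash,  # links this entry to its predecessor
        }
        entry_hash = hashlib.sha256(_canonical(body)).hexdigest()
        tag = hmac.new(self._key, entry_hash.encode(), hashlib.sha256).hexdigest()
        self.entries.append({**body, "entry_hash": entry_hash, "hmac": tag})
        return entry_hash

    def verify(self) -> Tuple[bool, int]:
        """Walk the chain. Returns (True, -1) if intact, else (False, index of first bad entry)."""
        prev_hash = GENESIS_HASH
        for i, e in enumerate(self.entries):
            body = {k: e[k] for k in BODY_FIELDS}
            expected_hash = hashlib.sha256(_canonical(body)).hexdigest()
            expected_tag = hmac.new(self._key, expected_hash.encode(), hashlib.sha256).hexdigest()
            if (e["prev_hash"] != prev_hash
                    or e["entry_hash"] != expected_hash
                    or not hmac.compare_digest(e["hmac"], expected_tag)):
                return False, i
            prev_hash = e["entry_hash"]
        return True, -1

    def version_in_force(self, record_id: str, on: str) -> Optional[dict]:
        """Latest version of record_id whose effective_from is on or before the given ISO date."""
        target = date.fromisoformat(on)
        candidates = [e for e in self.entries
                      if e["record_id"] == record_id
                      and date.fromisoformat(e["effective_from"]) <= target]
        if not candidates:
            return None
        # sorted() is stable, so equal dates keep append order and the last appended wins
        return sorted(candidates, key=lambda e: date.fromisoformat(e["effective_from"]))[-1]


def build_demo_register() -> RecordRegister:
    """Constructed sample data: two policy versions and one record of processing activities."""
    reg = RecordRegister()
    reg.append("privacy-policy", "1.0", "2023-01-01", "Policy text v1 (constructed)", "dpo@example.com")
    reg.append("privacy-policy", "2.0", "2024-06-01", "Policy text v2 (constructed)", "dpo@example.com")
    reg.append("ropa", "1.0", "2023-03-15", "Record of processing activities (constructed)", "privacy-team")
    return reg


def demo_tamper_detection() -> int:
    """Edit a stored entry in place (backdating v2) and return the index verify() flags."""
    reg = build_demo_register()
    reg.entries[1]["effective_from"] = "2023-01-01"
    ok, bad_index = reg.verify()
    return bad_index  # 1: the hash no longer matches the edited body


if __name__ == "__main__":
    reg = build_demo_register()
    print("chain intact:", reg.verify())
    print("in force on 2024-01-10:", reg.version_in_force("privacy-policy", "2024-01-10")["version"])
    print("first tampered entry:", demo_tamper_detection())
```

Two design points matter for auditors. First, the register stores a hash of each version's content rather than the content itself, so the same chain can protect documents held in a separate document store; the store can then be checked against the register on a schedule. Second, the `actor` field and the chain together form the audit trail the evidence list asks for: who recorded each version, in what order, and whether anything has been changed since.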
What are the related controls?
| Control | Relationship |
|---|---|
| A.3.9 Access rights | Access to privacy records must be restricted to authorised personnel |
| A.3.12 Incident response | Breach records must be protected as part of the organisation’s records management |
| A.3.13 Legal and contractual requirements | Retention periods may be driven by legal obligations |
| A.3.15 Independent review | Auditors need access to historical records to verify ongoing compliance |
| A.3.16 Compliance with policies | Records protection practices should be verified during compliance reviews |
Who does this control apply to?
A.3.14 is a shared control that applies to both PII controllers and PII processors. Controllers must protect records demonstrating their compliance with data protection laws, including processing records, consent records and privacy impact assessments. Processors must protect records of processing activities carried out on behalf of controllers, breach notifications and contractual documentation.
Why choose ISMS.online for protecting PII processing records?
ISMS.online provides practical tools for maintaining secure, auditable privacy records:
- Version-controlled document management — Every policy, procedure and record is version-controlled with full change history, so you can always retrieve the version that was in force at any point in time
- Role-based access controls — Restrict access to privacy records by role, ensuring only authorised personnel can view, edit or export sensitive documentation
- Tamper-evident audit trail — All changes to records are logged with timestamps and user identities, providing evidence of integrity
- Automated retention management — Set retention periods for different record types with alerts before expiry, ensuring compliance with your retention schedule
- Secure cloud storage — Records are stored with encryption at rest and in transit, with automated backups and disaster recovery
FAQs
Why is it important to retain previous versions of privacy policies?
Supervisory authorities or courts may need to review the policies that were in place at a specific point in time — for example, when a breach occurred, when a data subject’s PII was processed, or when a complaint was made. Without historical versions, the organisation cannot demonstrate what safeguards were in place. Retaining dated, version-controlled copies of all privacy documentation is essential for accountability.
How long should PII processing records be retained?
The standard does not prescribe a specific retention period. This should be defined in the organisation’s retention schedule based on applicable legal requirements, contractual obligations and business needs. GDPR does not specify exact retention periods for compliance records, but organisations should retain them for long enough to respond to supervisory authority investigations and data subject complaints, which can arise several years after processing occurred.
What types of records does this control cover?
This covers all records related to PII processing, including: processing activity records, privacy policies and procedures, consent records, data protection impact assessments, breach reports, data subject request logs, supplier agreements, training records and audit reports. The common thread is that any record used to demonstrate privacy compliance should be protected under this control.