What does control A.3.15 require?
The organisation’s approach to managing information security related to PII processing and its implementation including people, processes and technologies shall be reviewed independently at planned intervals, or when significant changes occur.
This control sits within the Shared security controls annex (A.3) and addresses the need for objective assurance. Self-assessment is important, but independent review provides the credibility that customers, regulators and business partners require.
What does the Annex B implementation guidance say?
Annex B (section B.3.15) focuses particularly on the processor context:
- Impracticality of individual audits — Where individual customer audits are impractical or may increase security risks (for example, by exposing other customers’ data), processors should consider making independent evidence available to customers instead
- Pre-contract and in-contract evidence — Independent evidence should be made available to customers both prior to and during the contract period, enabling ongoing assurance
- Acceptable audit evidence — A relevant independent audit (such as ISO 27001 certification or ISO 27701 certification) should normally be acceptable for fulfilling a customer’s interest in reviewing the processor’s operations
- See also A.3.3: Policies for Information Security for related requirements
- See also A.3.4: Information Security Roles and Responsibilities for related requirements
This is particularly significant for cloud service providers and SaaS platforms where hundreds of customers may each have a contractual right to audit — making individual audits operationally unworkable.
How does this map to GDPR?
Control A.3.15 maps to GDPR Article 32(1)(d), which requires a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures, and Article 32(2), which considers the risks to data subjects when evaluating the appropriate level of security.
For the full GDPR-to-ISO 27701 mapping, see GDPR Compliance Guide.
What changed from ISO 27701:2019?
For a step-by-step approach, see the Transition from 2019 to 2025.
In the 2019 edition, this requirement was covered by Clause 6.15.2.1 (independent review of information security). The 2025 edition retains the core requirements as A.3.15 with clearer separation between the control statement and implementation guidance in B.3.15. The practical guidance on using independent audits to satisfy customer assurance needs remains a key feature. See the Annex F correspondence table for the full mapping.
What evidence do auditors expect?
When assessing compliance with A.3.15, auditors will typically look for:
- Internal audit programme — A documented schedule of independent reviews covering the PIMS scope, including frequency and selection criteria
- Auditor independence — Evidence that reviewers are independent of the areas being reviewed, whether internal auditors from a different department or external audit firms
- Audit reports — Completed review reports with findings, risk ratings and recommended actions
- Corrective action tracking — Evidence that findings are addressed through documented corrective actions with assigned owners and target dates
- Trigger-based reviews — Evidence that additional reviews are conducted when significant changes occur, not just at planned intervals
What are the related controls?
| Control | Relationship |
|---|---|
| A.3.16 Compliance with policies | A.3.15 provides independent assurance; A.3.16 covers operational compliance checking |
| A.3.13 Legal and contractual requirements | Independent reviews should verify compliance with identified legal obligations |
| A.3.10 Supplier agreements | Supplier contracts may include audit rights that independent reviews can satisfy |
| A.3.14 Protection of records | Audit reports and findings must be protected as compliance records |
| A.3.9 Access rights | Independent reviews should assess whether access controls for PII are effective |
Who does this control apply to?
A.3.15 is a shared control that applies to both PII controllers and PII processors. Controllers need independent assurance that their privacy controls are working effectively. Processors benefit significantly from this control because independent audit evidence (such as ISO 27701 or ISO 27001 certification) can satisfy multiple customers’ audit requirements simultaneously, reducing the burden of individual customer audits.
Why choose ISMS.online for managing independent reviews?
ISMS.online provides practical tools for planning, executing and tracking independent reviews of your privacy programme:
- Internal audit programme — Plan and schedule audits with scope definitions, auditor assignments and automated reminders for upcoming reviews
- Audit management workflows — Guide auditors through the review process with checklists, evidence requests and finding templates
- Corrective action tracking — Log findings with severity ratings, assign owners, set deadlines and track progress to closure
- Evidence pack generation — Compile audit evidence into structured packs for external auditors or customer assurance requests
- Certification support — Maintain your ISO 27701 and ISO 27001 certification status with surveillance audit preparation and gap analysis tools
- Customer assurance portal — Share relevant audit evidence with customers securely, reducing the need for individual on-site audits
FAQs
How often should independent reviews be conducted?
The standard requires reviews at planned intervals or when significant changes occur. Most organisations conduct formal independent reviews annually, aligned with their ISO 27001 surveillance audit cycle. However, significant changes such as a major system migration, organisational restructure, or new type of PII processing should trigger an additional review outside the planned schedule.
Can an internal audit satisfy the independence requirement?
Yes, provided the auditors are independent of the area being reviewed. An internal audit team that does not report to the management of the area under review can provide independent assurance. However, for processor organisations seeking to satisfy customer audit requirements, external certification bodies typically provide the strongest evidence of independence.
How does this help processors manage multiple customer audit requests?
The implementation guidance explicitly recognises that individual customer audits may be impractical and could increase security risks. By maintaining current independent audit evidence (such as ISO 27701 or ISO 27001 certification), processors can provide standardised assurance to all customers. This reduces audit fatigue, protects the confidentiality of other customers’ data, and provides a scalable approach to assurance as the customer base grows.