What does control A.3.16 require?
Compliance with the organisation’s information security policy, topic-specific policies, rules and standards related to PII processing shall be regularly reviewed.
This control sits within the Shared security controls annex (A.3) and focuses on operational verification: checking that the controls you have documented are actually being followed in practice. While A.3.15 Independent review provides periodic, independent assurance at the programme level, A.3.16 ensures that day-to-day compliance with PII-related policies, rules and standards is monitored.
What does the Annex B implementation guidance say?
Annex B (section B.3.16) provides the following guidance:
- Review tools and components — Include methods of reviewing the tools and components related to PII processing, not just policies and procedures
- Ongoing monitoring — This can include continuous or periodic monitoring to verify that only permitted processing is taking place
- Penetration and vulnerability testing — Specific tests such as penetration testing or vulnerability assessments can form part of the compliance review programme
- Motivated intruder testing — The guidance specifically mentions motivated intruder tests on de-identified data sets to verify that anonymisation or pseudonymisation measures are effective
- See also A.3.3: Policies for Information Security for related requirements
- See also A.3.4: Information Security Roles and Responsibilities for related requirements
The guidance makes clear that compliance review is not just a paper exercise. Technical testing — including attempts to re-identify de-identified data — is an important part of verifying that privacy controls work as intended.
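The "ongoing monitoring" item above is easiest to see in code. The following is an added example, not part of ISO 27701, Annex B or any ISMS.online feature: a periodic review script that reads an application audit log and flags every PII processing event that is not covered by the organisation's register of permitted processing. The log format, the field names (`purpose`, `role`, `category`), the register and every log line are constructed assumptions for illustration; a real review would read the organisation's own record of processing activities and its own log schema.

```python
"""Added example: periodic check that logged PII processing matches the
permitted processing register. Not from ISO 27701 or ISMS.online; the log
format, field names and register below are assumptions for illustration."""
import json
from collections import Counter

# Constructed register of permitted processing: for each purpose, which
# roles may process which PII categories. A real register would be derived
# from the organisation's record of processing activities.
REGISTER = {
    "payroll":        {"roles": {"hr", "finance"}, "categories": {"name", "bank_account", "salary"}},
    "support_ticket": {"roles": {"support"},       "categories": {"name", "email"}},
    "marketing":      {"roles": {"marketing"},     "categories": {"email"}},
}

# Constructed application audit log, one JSON object per line. The last
# line is deliberately malformed: an unparseable line is itself a finding,
# because it means the monitoring has a blind spot.
LOG_LINES = """\
{"ts":"2025-03-01T09:00:01Z","actor":"alice","role":"hr","purpose":"payroll","category":"salary","count":120}
{"ts":"2025-03-01T09:05:12Z","actor":"bob","role":"support","purpose":"support_ticket","category":"email","count":1}
{"ts":"2025-03-01T09:07:44Z","actor":"bob","role":"support","purpose":"support_ticket","category":"bank_account","count":1}
{"ts":"2025-03-01T10:15:00Z","actor":"carol","role":"marketing","purpose":"analytics","category":"email","count":5000}
{"ts":"2025-03-01T11:30:09Z","actor":"dave","role":"finance","purpose":"payroll","category":"salary","count":120}
{"ts":"2025-03-01T11:31:00Z","actor":"eve","role":"marketing","purpose":"payroll","category":"salary","count":120}
not json at all"""


def check_event(event, register=REGISTER):
    """Return None if the event is permitted processing, else a short reason.

    Checks are ordered from the broadest to the narrowest condition so the
    reason reported is the most useful one for the review record."""
    entry = register.get(event.get("purpose"))
    if entry is None:
        return "purpose not in processing register"
    if event.get("role") not in entry["roles"]:
        return "role not permitted for this purpose"
    if event.get("category") not in entry["categories"]:
        return "PII category outside scope of purpose"
    return None


def review_log(lines, register=REGISTER):
    """Parse each log line and classify it.

    Returns (summary, findings): summary counts permitted, non-conforming
    and unparseable lines; findings lists each non-conformity with the line
    number, the reason and the offending event, ready to be logged as a
    corrective action."""
    findings = []
    summary = Counter()
    for n, line in enumerate(lines.splitlines(), start=1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            summary["unparseable"] += 1
            findings.append({"line": n, "reason": "unparseable log line", "event": line})
            continue
        reason = check_event(event, register)
        if reason is None:
            summary["permitted"] += 1
        else:
            summary["non_conformity"] += 1
            findings.append({"line": n, "reason": reason, "event": event})
    return summary, findings


if __name__ == "__main__":
    summary, findings = review_log(LOG_LINES)
    print(dict(summary))
    for f in findings:
        print(f"line {f['line']}: {f['reason']}")
```

Run as a scheduled job, the `findings` list is the raw material for the review record (what was assessed, what was found) and each entry maps directly to a corrective action. The unparseable line is reported rather than skipped: silently dropping it would leave a gap in the evidence that only permitted processing took place.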
How does this map to GDPR?
Control A.3.16 maps to GDPR Article 32(1)(d), which requires a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of processing, and Article 32(2), which requires consideration of the risks that processing presents to data subjects.
For the full GDPR-to-ISO 27701 mapping, see GDPR Compliance Guide.
What changed from ISO 27701:2019?
In the 2019 edition, this requirement was covered by Clauses 6.15.2.2 (compliance with security policies and standards) and 6.15.2.3 (technical compliance review). The 2025 edition consolidates these into a single control (A.3.16), combining policy compliance reviews with technical compliance testing under one requirement. See the Annex F correspondence table for the full mapping.
For a step-by-step approach, see the Transition from 2019 to 2025.
What evidence do auditors expect?
When assessing compliance with A.3.16, auditors will typically look for:
- Compliance review schedule — A documented programme of regular compliance checks covering all PII-related policies and standards
- Review records — Evidence of completed reviews, including what was assessed, the findings, and any non-conformities identified
- Technical testing reports — Results of penetration tests, vulnerability scans or other technical assessments that evaluate the effectiveness of PII security controls
- Monitoring evidence — Logs or reports from ongoing monitoring systems that verify only permitted PII processing is occurring
- Corrective action tracking — Evidence that non-conformities identified during reviews are logged, assigned and resolved with documented follow-up
What are the related controls?
| Control | Relationship |
|---|---|
| A.3.15 Independent review | A.3.15 Independent Review provides strategic independent assurance; A.3.16 covers operational compliance checking |
| A.3.9 Access rights | Compliance reviews should verify access control policies are being followed |
| A.3.13 Legal and contractual requirements | Compliance reviews should cover adherence to legal obligations |
| A.3.17 Awareness and training | Non-compliance findings often indicate training gaps that need to be addressed |
| A.3.14 Protection of records | Review records and testing reports must be protected as compliance evidence |
Who does this control apply to?
A.3.16 is a shared control that applies to both PII controllers and PII processors. Both roles must verify that their documented policies and technical controls are being followed. For processors, this includes verifying that processing is limited to the controller’s instructions and that technical measures such as encryption and access controls are functioning as intended.
Why choose ISMS.online for ongoing compliance reviews?
ISMS.online provides practical tools for monitoring and verifying compliance across your privacy programme:
- Compliance review scheduler — Plan and schedule regular compliance checks with automated reminders, task assignments and due date tracking
- Policy acknowledgement tracking — Verify that staff have read and acknowledged current versions of PII-related policies, with automated reminders for those who have not
- Non-conformity management — Log findings from compliance reviews, assign corrective actions, track progress and verify closure
- Control effectiveness monitoring — Track the performance of individual controls over time, identifying trends and recurring issues
- Dashboard reporting — Real-time compliance dashboards showing review status, outstanding findings and overall programme health
FAQs
How often should compliance reviews be conducted?
The standard requires regular reviews but does not specify frequency. Best practice is to establish a rolling review programme that covers all PII-related policies and controls within a defined cycle — typically annually for low-risk areas and quarterly for high-risk processing activities. Technical testing such as vulnerability scans may be conducted more frequently, often monthly or after significant system changes.
What is a motivated intruder test and when is it needed?
A motivated intruder test assesses whether a determined adversary with access to publicly available information could re-identify individuals from de-identified or pseudonymised data sets. In practice the tester tries to link the quasi-identifiers left in the release (for example birth date, postcode and sex) against public sources such as directories, public records or social media profiles, and records how many individuals can be singled out. The implementation guidance recommends this type of testing where organisations rely on anonymisation or pseudonymisation as a privacy control. If the test reveals that re-identification is feasible, the de-identification method is insufficient and needs to be strengthened, typically by generalising or suppressing the quasi-identifiers until no record is unique.
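The following is an added example of the test described in this answer and in the Annex B guidance above; it is not part of ISO 27701, Annex B or any ISMS.online feature. It simulates the intruder as a linkage attack joining a pseudonymised release to an auxiliary data set on the quasi-identifiers, measures the release's k-anonymity, and then shows the remediation (generalisation plus suppression of any class still smaller than k). The release, the auxiliary "public" data, the choice of quasi-identifiers and the threshold k = 2 are all constructed assumptions for illustration.

```python
"""Added example: a minimal motivated-intruder (linkage) test on a
pseudonymised data set, plus the generalisation/suppression step that
fixes the finding. Not part of ISO 27701 or any ISMS.online feature; the
release and the 'public' auxiliary data below are constructed."""
from collections import defaultdict
from itertools import takewhile

QIDS = ("birth_year", "postcode_outward", "sex")  # assumed quasi-identifiers
SENSITIVE = "diagnosis"                            # assumed sensitive attribute

# Constructed pseudonymised release: names replaced by a token, but the
# quasi-identifiers kept at full precision (a common mistake).
RELEASE = [
    {"pseudonym": "p01", "birth_year": 1984, "postcode_outward": "SW1A", "sex": "F", "diagnosis": "asthma"},
    {"pseudonym": "p02", "birth_year": 1984, "postcode_outward": "SW1A", "sex": "F", "diagnosis": "migraine"},
    {"pseudonym": "p03", "birth_year": 1962, "postcode_outward": "EH1",  "sex": "M", "diagnosis": "diabetes"},
    {"pseudonym": "p04", "birth_year": 1990, "postcode_outward": "M1",   "sex": "M", "diagnosis": "asthma"},
    {"pseudonym": "p05", "birth_year": 1990, "postcode_outward": "M1",   "sex": "M", "diagnosis": "hypertension"},
    {"pseudonym": "p06", "birth_year": 1990, "postcode_outward": "M1",   "sex": "M", "diagnosis": "asthma"},
]

# Constructed auxiliary data a motivated intruder could gather from public
# sources (directories, social media): a name plus the same quasi-identifiers.
AUXILIARY = [
    {"name": "A. Example", "birth_year": 1962, "postcode_outward": "EH1",  "sex": "M"},
    {"name": "B. Example", "birth_year": 1984, "postcode_outward": "SW1A", "sex": "F"},
    {"name": "C. Example", "birth_year": 1975, "postcode_outward": "G1",   "sex": "F"},
]


def qid_key(record, qids=QIDS):
    return tuple(record[q] for q in qids)


def group_by_key(records, qids=QIDS):
    """Equivalence classes: records sharing the same quasi-identifier values."""
    groups = defaultdict(list)
    for r in records:
        groups[qid_key(r, qids)].append(r)
    return groups


def k_anonymity(release, qids=QIDS):
    """Size of the smallest equivalence class; k == 1 means a unique record."""
    return min(len(g) for g in group_by_key(release, qids).values())


def linkage_attack(release, auxiliary, qids=QIDS):
    """Simulate the intruder. A release record is re-identified when it is the
    only record with its quasi-identifier key and exactly one named person in
    the auxiliary data shares that key. Returns {pseudonym: name}."""
    aux = group_by_key(auxiliary, qids)
    hits = {}
    for key, recs in group_by_key(release, qids).items():
        if len(recs) == 1 and len(aux.get(key, [])) == 1:
            hits[recs[0]["pseudonym"]] = aux[key][0]["name"]
    return hits


def homogeneous_classes(release, qids=QIDS, sensitive=SENSITIVE):
    """Classes whose members all share the sensitive value: the intruder learns
    the attribute without needing to single out one record."""
    return [key for key, recs in group_by_key(release, qids).items()
            if len({r[sensitive] for r in recs}) == 1]


def generalise(record):
    """Coarsen quasi-identifiers: 10-year birth band, postcode area letters only."""
    g = dict(record)
    g["birth_year"] = record["birth_year"] // 10 * 10
    g["postcode_outward"] = "".join(takewhile(str.isalpha, record["postcode_outward"]))
    return g


def enforce_k(release, k, qids=QIDS):
    """Generalise, then suppress any record still in a class smaller than k."""
    generalised = [generalise(r) for r in release]
    groups = group_by_key(generalised, qids)
    return [r for r in generalised if len(groups[qid_key(r, qids)]) >= k]


def run_test(release=RELEASE, auxiliary=AUXILIARY, k=2):
    """Findings before and after remediation, for the compliance review record."""
    safe = enforce_k(release, k)
    return {
        "k_before": k_anonymity(release),
        "reidentified_before": linkage_attack(release, auxiliary),
        "k_after": k_anonymity(safe),
        "reidentified_after": linkage_attack(safe, [generalise(a) for a in auxiliary]),
        "suppressed": len(release) - len(safe),
    }


if __name__ == "__main__":
    for name, value in run_test().items():
        print(f"{name}: {value}")
```

On the constructed data the raw release has k = 1 and the intruder re-identifies `p03`; the same intruder, given the generalised auxiliary data, re-identifies nobody in the remediated release, at the cost of one suppressed record. The `homogeneous_classes` check covers the second failure mode a tester should report: a class of size k where every member shares the same sensitive value still discloses that value for anyone known to be in the class.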
How does this differ from the independent review in A.3.15 Independent Review?
A.3.15 Independent Review focuses on periodic, strategic reviews conducted by independent parties (internal auditors or external certification bodies) that assess the overall approach to managing information security. A.3.16 focuses on regular, operational compliance checking — verifying that specific policies, rules and technical standards are being followed in day-to-day operations. Both are needed: A.3.15 Independent Review provides assurance at the system level, while A.3.16 catches operational deviations between formal audits.