What does control A.3.30 require?
The organization shall direct, monitor and review the activities related to outsourced PII processing system development.
This control sits within the Shared security controls annex (A.3) and addresses the reality that many organisations outsource some or all of their software development. Whether using contractors, agencies, offshore teams or managed service providers, the organisation remains responsible for ensuring that outsourced systems protect PII to the same standard as internally developed systems. The three verbs — direct, monitor and review — establish a complete oversight framework.
What does the Annex B implementation guidance say?
Annex B (section B.3.30) provides the following guidance:
- Apply privacy by design and privacy by default — The same principles of privacy by design and privacy by default (see B.3.29) should be applied, if applicable, to outsourced information systems
The guidance is deliberately concise because the full set of development principles from A.3.29 Secure System Architecture applies equally to outsourced work. The practical implication is that outsourced development contracts must include the organisation’s secure engineering principles, and the organisation must have oversight mechanisms to verify compliance throughout the development process.
How does this map to GDPR?
Control A.3.30 does not have a direct GDPR article mapping in Annex D. However, it supports several GDPR obligations indirectly:
- Article 25(1) — Data protection by design applies regardless of whether development is performed in-house or outsourced
- Article 28 — Where an outsourced developer acts as a processor, the requirements of Article 28 (processor contracts, instructions, security measures) apply
The GDPR makes clear that outsourcing does not transfer responsibility. The controller or processor remains accountable for the privacy and security of systems built on its behalf.
What changed from ISO 27701:2019?
For a step-by-step approach, see the Transition from 2019 to 2025.
In the 2019 edition, this requirement was covered by Clause 6.11.2.7 (outsourced development). The 2025 edition retains the core requirement as A.3.30 with the implementation guidance in B.3.30 now explicitly linking to the privacy by design and privacy by default principles in B.3.29. See the Annex F correspondence table for the full mapping.
What evidence do auditors expect?
When assessing compliance with A.3.30, auditors will typically look for:
- Development contracts with privacy requirements — Contracts with outsourced developers that include PII protection requirements, secure engineering principles, data handling obligations and the right to audit
- Direction and oversight records — Evidence of how the organisation communicates privacy requirements to outsourced developers, including specifications, guidelines and training materials provided
- Monitoring activities — Records of ongoing monitoring such as code reviews, security testing, progress reviews and compliance checks performed during the development engagement
- Review and acceptance criteria — Documented review processes including privacy-focused acceptance testing, security review sign-off and verification that deliverables meet PII protection requirements
- Data handling during development — Evidence that outsourced developers do not use real PII for testing (linking to A.3.31 Test Information) and that any PII access is appropriately controlled and logged
What are the related controls?
| Control | Relationship |
|---|---|
| A.3.29 Secure system architecture | Outsourced development must follow the same engineering principles |
| A.3.10 Supplier agreements | Development outsourcing contracts must include PII protection clauses |
| A.3.27 Secure development life cycle | Outsourced developers should follow the organisation’s SDLC requirements |
| A.3.31 Test information | Outsourced development must not use real PII for testing |
| A.3.18 Confidentiality agreements | Outsourced developers must sign confidentiality agreements covering PII |
Who does this control apply to?
A.3.30 is a shared control that applies to both PII controllers and PII processors. Any organisation that outsources the development of systems that will process PII must direct, monitor and review the outsourced development activities. This applies to full outsourcing arrangements, individual contractors, development agencies and any other third-party development engagement.
Why choose ISMS.online for outsourced development oversight?
ISMS.online provides practical tools for managing outsourced development relationships:
- Supplier management — Track outsourced development suppliers with contract records, compliance status, risk assessments and review schedules in one place
- Requirements communication — Share privacy requirements and secure engineering principles with outsourced developers through the platform, with acknowledgement tracking
- Review workflows — Create structured review workflows for code reviews, security assessments and acceptance testing with sign-off tracking
- Risk assessments — Run risk assessments specific to outsourced development scenarios, including data access risks, code quality risks and subcontractor risks
- Audit trail — Maintain a complete audit trail of all oversight activities, communications and review outcomes for compliance evidence
FAQs
What should be included in an outsourced development contract?
The contract should include: PII protection requirements and the organisation’s secure engineering principles; data handling obligations (including restrictions on using real PII for testing); confidentiality obligations; the right to audit code and security practices; security testing requirements; incident notification obligations; intellectual property and code ownership provisions; and data destruction requirements at the end of the engagement. Where the developer will have access to PII, the contract should also address GDPR Article 28 processor requirements.
How should organisations monitor outsourced development?
Monitoring should include: regular code reviews focusing on PII handling; security testing (SAST, DAST, penetration testing) at defined milestones; progress reviews that include privacy requirement compliance; verification that test environments do not contain real PII; review of access logs for any development environment containing PII; and periodic assessment of the developer’s own security practices. The level of monitoring should be proportionate to the sensitivity of the PII and the criticality of the system.
Does this control apply to using open-source components?
A.3.30 specifically covers outsourced development relationships where a third party is developing systems on the organisation’s behalf. Open-source components fall more naturally under A.3.28 Application security, where the organisation should assess the security suitability of third-party components. However, if an organisation commissions a third party to develop or customise an open-source component for PII processing, that engagement falls within the scope of A.3.30.