What does control A.3.9 require?
Access rights to PII and other associated assets related to PII processing shall be provisioned, reviewed, modified and removed in accordance with the organisation’s topic-specific policy on and rules for access control.
This control sits within the Shared security controls annex (A.3), which contains obligations that apply to both PII controllers and PII processors. Effective access management ensures that only authorised personnel can access personal data, reducing the risk of unauthorised disclosure or modification.
What does the Annex B implementation guidance say?
Annex B (section B.3.9) provides the following guidance:
- Maintain accurate records — Keep up-to-date records of user profiles that document which individuals have authorised access to PII and PII processing systems
- Individual user access IDs — Use individual user identifiers so that organisations can identify exactly who accessed PII and what changes they made, supporting accountability and traceability
- Processor responsibilities — In processor scenarios, the customer (controller) may be responsible for some aspects of access management. Processors should provide appropriate administrative rights to enable controllers to manage access as needed
- See also A.3.8: Identity Management for related requirements
- See also A.3.23: Secure Authentication for related requirements
The emphasis on individual identification means that shared accounts or generic login credentials are not acceptable where PII is involved. Every access event must be traceable to a specific person.
How does this map to GDPR?
Control A.3.9 maps to GDPR Article 5(1)(f), which requires that personal data be processed in a manner that ensures appropriate security, including protection against unauthorised access. Robust access control is one of the most direct ways to demonstrate compliance with this integrity and confidentiality principle.
For the full GDPR-to-ISO 27701 mapping, see GDPR Compliance Guide.
What changed from ISO 27701:2019?
In the 2019 edition, this requirement was covered across Clauses 6.6.2.2, 6.6.2.5 and 6.6.2.6, which addressed user access provisioning, review of user access rights, and removal or adjustment of access rights respectively. The 2025 edition consolidates these into a single control (A.3.9), with clearer separation between the control statement and the implementation guidance in B.3.9. See the Annex F correspondence table for the full mapping.
For a step-by-step approach, see the Transition from 2019 to 2025.
What evidence do auditors expect?
When assessing compliance with A.3.9, auditors will typically look for:
- Access control policy — A documented, topic-specific policy covering how PII access rights are provisioned, reviewed and revoked
- User access register — An up-to-date list of all individuals with access to PII, including their roles and the specific data sets they can access
- Periodic access reviews — Evidence of regular reviews (e.g. quarterly) confirming that access rights remain appropriate, with records of any changes made
- Joiner/mover/leaver process — Documented procedures showing how access is granted for new starters, adjusted when staff change roles, and promptly removed when someone leaves
- Audit logs — System logs demonstrating that individual user IDs are used and that access events are traceable
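As an added illustration (not code from the page or from ISMS.online), the following Python script runs the checks that sit behind the evidence items above and the individual-ID point from the B.3.9 guidance: a leaver check, a mover check, a shared-account check, an overdue-review check, and a pass over audit log lines that flags events which cannot be attributed to one named person. The register entries, HR roster, log lines, 90-day review interval and field names are all constructed for the example and are assumptions, not a real system's data or format.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class AccessGrant:
    account_id: str                 # individual user ID or shared-account name
    person: Optional[str]           # None for shared/generic accounts
    role_at_approval: str           # role the access was approved for
    assets: list[str]               # PII assets the account can reach
    last_reviewed: date             # date of the last documented access review


@dataclass
class Person:
    role: str                       # current role according to HR
    left_on: Optional[date] = None  # leaving date, None if still employed


# Constructed sample access register and HR roster (assumptions, not real data).
REGISTER = [
    AccessGrant("alice", "Alice", "HR Analyst", ["hr-db"], date(2024, 3, 1)),
    AccessGrant("bob", "Bob", "Support Agent", ["crm"], date(2024, 5, 20)),
    AccessGrant("carol", "Carol", "Support Agent", ["crm"], date(2024, 4, 15)),
    AccessGrant("svc-shared-ops", None, "Operations", ["crm", "hr-db"], date(2024, 1, 10)),
]
ROSTER = {
    "Alice": Person("HR Analyst"),
    "Bob": Person("Support Agent", left_on=date(2024, 5, 31)),  # leaver, access still live
    "Carol": Person("Finance"),  # mover: CRM access was approved for a previous role
}
AS_OF = date(2024, 6, 30)


def leavers_with_access(register, roster, as_of):
    """Leaver check: accounts whose person has left but whose access is still active."""
    return [g.account_id for g in register
            if g.person is not None
            and roster[g.person].left_on is not None
            and roster[g.person].left_on <= as_of]


def movers_with_stale_role(register, roster):
    """Mover check: access approved for a role the person no longer holds."""
    return [(g.account_id, g.role_at_approval, roster[g.person].role)
            for g in register
            if g.person is not None and roster[g.person].role != g.role_at_approval]


def shared_accounts(register):
    """Accounts not tied to one identifiable person (the guidance asks for individual IDs)."""
    return [g.account_id for g in register if g.person is None]


def overdue_reviews(register, as_of, interval_days=90):
    """Grants whose last documented review is older than the planned interval."""
    cutoff = as_of - timedelta(days=interval_days)
    return [g.account_id for g in register if g.last_reviewed < cutoff]


def parse_event(line):
    """Parse one constructed log line of the form '<timestamp> key=value key=value ...'."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["timestamp"] = ts
    return fields


def untraceable_events(log_lines, register):
    """Log events that cannot be attributed to a specific, registered person."""
    by_account = {g.account_id: g for g in register}
    findings = []
    for line in log_lines:
        ev = parse_event(line)
        grant = by_account.get(ev["account"])
        if grant is None:
            findings.append((ev["timestamp"], ev["account"], "not in register"))
        elif grant.person is None:
            findings.append((ev["timestamp"], ev["account"], "shared account"))
    return findings


SAMPLE_LOG = [  # constructed audit log lines, not a real log format
    "2024-06-28T10:02:11Z account=alice action=read asset=hr-db",
    "2024-06-28T10:05:40Z account=svc-shared-ops action=update asset=crm",
    "2024-06-28T11:00:02Z account=unknown42 action=read asset=crm",
]


def review_report(register=REGISTER, roster=ROSTER, as_of=AS_OF, log_lines=SAMPLE_LOG):
    """Bundle the checks into the findings an access review would record as evidence."""
    return {
        "leavers": leavers_with_access(register, roster, as_of),
        "movers": movers_with_stale_role(register, roster),
        "shared_accounts": shared_accounts(register),
        "overdue_reviews": overdue_reviews(register, as_of),
        "untraceable_events": untraceable_events(log_lines, register),
    }


if __name__ == "__main__":
    for check, findings in review_report().items():
        print(f"{check}: {findings}")
```

Each list the report returns corresponds to one evidence item: the leaver and mover lists feed the joiner/mover/leaver records, the overdue list shows which grants missed the planned review cycle, and the shared-account and untraceable-event lists show where the individual-ID requirement is not being met and compensating controls would need to be documented.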
What are the related controls?
| Control | Relationship |
|---|---|
| A.3.10 Supplier agreements | Supplier contracts should define access rights and restrictions for PII |
| A.3.18 Confidentiality agreements | Personnel with PII access must be subject to confidentiality obligations |
| A.3.16 Compliance with policies | Verify that access control policies are being followed in practice |
| A.3.15 Independent review | Independent audits should assess whether access controls are effective |
| A.3.17 Awareness and training | Staff need training on access control responsibilities and PII handling |
Who does this control apply to?
A.3.9 is a shared control that applies to both PII controllers and PII processors. Controllers must ensure that access to personal data is limited to authorised personnel, while processors must provide controllers with the administrative tools needed to manage access rights. In practice, this means both parties need documented access management procedures.
Why choose ISMS.online for managing PII access rights?
ISMS.online provides practical tools for managing access controls across your privacy programme:
- Access control register — Document who has access to which PII assets, with role-based categorisation and approval workflows
- Scheduled access reviews — Set review cycles with automated reminders so access rights are checked at planned intervals
- Joiner/mover/leaver workflows — Pre-built task templates for provisioning, modifying and revoking access when personnel changes occur
- Full audit trail — Every change to access rights is logged with timestamps, approvers and reasons, ready for auditor review
- Policy management — Maintain your access control policy with version control, staff acknowledgement tracking and review dates
FAQs
How often should access rights be reviewed?
The standard does not prescribe a specific frequency, but most organisations review PII access rights quarterly. High-risk systems handling sensitive categories of PII may warrant monthly reviews. The key is that reviews happen at planned intervals and are documented, with any discrepancies resolved promptly.
Can shared accounts be used to access PII?
The implementation guidance specifically requires individual user access IDs so that organisations can identify who accessed PII and what changes they made. Shared or generic accounts undermine this traceability. If shared accounts are unavoidable for a specific technical reason, compensating controls such as additional logging and supervision should be documented.
What are a processor’s obligations for customer access management?
Where a processor handles PII on behalf of a controller, the controller may need to manage some access aspects directly. The processor should provide appropriate administrative rights and tools so the controller can provision and revoke access as needed. The division of responsibilities should be clearly documented in the processing agreement.