What is the purpose of Annex F?
Annex F was introduced in the 2025 edition specifically to support organisations transitioning from ISO 27701:2019. It provides backwards compatibility by mapping every control in both directions:
- Table F.1 — Maps each 2025 control to its 2019 equivalent(s)
- Table F.2 — Maps each 2019 control to its 2025 equivalent (or marks it N/A if removed)
This is the definitive reference for your transition gap analysis. Use Table F.2 to check what happened to each of your existing controls, and Table F.1 to understand where each new 2025 control comes from.
How do the 2025 shared security controls map to 2019?
The 29 shared security controls in Table A.3 replaced the 90+ subclauses in the 2019 edition’s Clause 6. Many 2019 controls were consolidated or removed because they did not contain PII-specific guidance.
| 2025 Control | 2019 Equivalent(s) | Control Name |
|---|---|---|
| A.3.3 Information Security Policies | 6.2.1.1, 6.2.1.2 | Policies for information security |
| A.3.4 Security Roles | 6.3.1.1 | Information security roles and responsibilities |
| A.3.5 Classification of Information | 6.5.2.1 | Classification of information |
| A.3.6 Labelling of Information | 6.5.2.2 | Labelling of information |
| A.3.7 Information Transfer | 6.10.2.1, 6.10.2.2, 6.10.2.3 | Information transfer |
| A.3.8 Identity Management | 6.6.2.1 | Identity management |
| A.3.9 Access Rights | 6.6.2.2, 6.6.2.5, 6.6.2.6 | Access rights |
| A.3.10 Supplier Agreements | 6.12.1.1, 6.12.1.2 | Supplier agreements |
| A.3.11 Incident Management | 6.13.1.4 | Incident management planning |
| A.3.12 Security Incident Response | 6.13.1.5 | Response to security incidents |
| A.3.13 Legal and Regulatory Requirements | 6.15.1.1, 6.15.1.5 | Legal and regulatory requirements |
| A.3.14 Protection of Records | 6.15.1.3 | Protection of records |
| A.3.15 Independent Review | 6.15.2.1 | Independent review |
| A.3.16 Compliance with Policies | 6.15.2.2, 6.15.2.3 | Compliance with policies and standards |
| A.3.17 Security Awareness and Training | 6.4.2.2 | Awareness, education and training |
| A.3.18 Confidentiality Agreements | 6.10.2.4 | Confidentiality agreements |
| A.3.19 Clear Desk and Clear Screen | 6.8.2.9 | Clear desk and clear screen |
| A.3.20 Storage Media | 6.5.3.1, 6.5.3.2, 6.5.3.3, 6.8.2.5 | Storage media |
| A.3.21 Secure Disposal of Equipment | 6.8.2.7 | Secure disposal or re-use |
| A.3.22 User Endpoint Devices | 6.3.2.1, 6.8.2.8 | User endpoint devices |
| A.3.23 Secure Authentication | 6.6.4.2 | Secure authentication |
| A.3.24 Information Backup | 6.9.3.1 | Information backup |
| A.3.25 Logging | 6.9.4.1, 6.9.4.2, 6.9.4.3 | Logging |
| A.3.26 Use of Cryptography | 6.7.1.1, 6.7.1.2 | Use of cryptography |
| A.3.27 Secure Development Life Cycle | 6.11.2.1 | Secure development life cycle |
| A.3.28 Application Security | 6.11.1.2, 6.11.1.3 | Application security requirements |
| A.3.29 Secure System Architecture | 6.11.2.5 | Secure system architecture |
| A.3.30 Outsourced Development | 6.11.2.7 | Outsourced development |
| A.3.31 Test Information | 6.11.3.1 | Test information |
Which 2019 controls were removed?
A significant number of 2019 Clause 6 controls have no direct equivalent in 2025. These are controls where the 2019 edition referenced ISO 27002 but did not add PII-specific guidance. The 2025 edition includes only controls that have specific privacy relevance.
Key categories of removed controls include:
| Category | 2019 Controls Removed | Reason |
|---|---|---|
| Segregation of duties | 6.3.1.2 | No PII-specific guidance needed |
| Contact with authorities / special interest groups | 6.3.1.3, 6.3.1.4 | Covered by management system clauses |
| Asset inventory and ownership | 6.5.1.1–6.5.1.4 | No PII-specific additions needed |
| Access control policy | 6.6.1.1, 6.6.1.2 | Covered by A.3.9 Access Rights |
| Physical security | 6.8.1.1–6.8.1.6, 6.8.2.1–6.8.2.6 | No PII-specific guidance beyond media/disposal |
| Malware protection | 6.9.2.1 | No PII-specific guidance needed |
| Network security | 6.10.1.1–6.10.1.3 | No PII-specific guidance needed |
| Vulnerability management | 6.9.6.1, 6.9.6.2 | No PII-specific guidance needed |
| Business continuity | 6.14.1.1–6.14.2.1 | No PII-specific guidance needed |
Important: Removal from ISO 27701 does not mean these controls are unimportant. If your organisation also holds ISO 27001, these controls remain relevant under that standard. They have simply been excluded from ISO 27701:2025 because they do not require PII-specific implementation guidance.
How should you use Annex F for your transition?
- Start with Table F.2 — List all your current 2019 controls and look up each one. Mark whether it maps to a 2025 control or shows N/A
- For mapped controls — Verify your existing implementation meets the 2025 wording. Most will carry over with minimal changes
- For N/A controls — Decide whether to retire the documentation or retain it under a different framework (e.g. ISO 27001)
- Check Table F.1 for new controls — Any 2025 control marked “New” in the 2019 column needs fresh implementation
- Update your statement of applicability — Rebuild it using the 2025 Annex A structure with the correct control references
For a complete walkthrough of the transition process, see our ISO 27701 transition guide.
Why choose ISMS.online for your transition?
ISMS.online provides the tools to make your transition structured and auditable:
- Built-in correspondence mapping — See how your existing 2019 controls map to the 2025 structure without manual spreadsheet work
- Gap analysis tracking — Mark each control as mapped, needs update, or new, and track progress to completion
- Statement of applicability builder — Generate your new SoA based on the 78 Annex A controls with justifications for exclusions
- Version-controlled documentation — Maintain both your 2019 and 2025 documentation during the transition period
- Audit trail — Demonstrate to your certification body exactly what changed and when during the transition
FAQs
Are all 2019 controls covered in the 2025 edition?
No. Many 2019 Clause 6 controls (particularly those related to physical security, network security, malware protection and business continuity) have no direct 2025 equivalent because they did not contain PII-specific guidance. These are marked N/A in the correspondence table.
Are there any entirely new controls in 2025?
The 2025 edition’s controls are largely reorganised from the 2019 content rather than brand new. However, the management system requirements in Clauses 4–10 are now standalone (not extensions of ISO 27001), which means some requirements like the standalone privacy policy and standalone privacy risk assessment process may be new for organisations that previously relied on their ISMS documentation.
Can I use both editions during the transition period?
Yes. During the transition period (October 2025 to October 2028), both editions are valid. Your existing 2019 certification remains valid until its scheduled expiry or October 2028, whichever comes first. New certifications can be issued against either edition.