ISO 27701:2019 Annex A: PII controller controls
If your organisation decides why and how personal data is processed, it is a PII controller. ISO 27701 Annex A adds the privacy controls that govern that role, organised under four themes.
Annex A controls are additional to the ISO 27001 security controls you already operate; you select them through the same Statement of Applicability.
ISO/IEC 27701:2019 Annex A · PII controllers · Last reviewed June 2026
What are the controller controls?
A PII controller determines the purposes and means of processing personal data. ISO 27701 Annex A adds the privacy controls specific to that role, grouped under four themes that run from establishing a lawful basis for collection through to governing cross-border transfer. They are additional to, not a replacement for, the ISO 27001 security controls, and you document their selection in the same Statement of Applicability. An organisation that also processes PII on behalf of other controllers applies the Annex B processor controls as well.
The four Annex A control themes
Conditions for collection and processing
Establish and document why and how you may process PII before you collect it.
- Identify and document the lawful basis for each purpose
- Obtain and record consent where it is the chosen basis
- Carry out a privacy impact assessment where the processing calls for one (a DPIA under GDPR)
- Put contracts with PII processors and joint-controller arrangements in place
- Keep records of the processing of PII, including its purpose and lawful basis
Obligations to PII principals
Give individuals the information and mechanisms to exercise their rights.
- Provide clear information to PII principals about processing
- Offer mechanisms to give, modify, and withdraw consent
- Handle access, correction, and erasure requests
- Address rights around automated decision-making
Privacy by design and by default
Build data minimisation and protection into systems and processes from the start.
- Limit collection and processing to what each purpose requires
- Keep PII accurate and minimise what is retained
- Define retention periods and securely dispose of PII
- Control temporary files and the transmission of PII
PII sharing, transfer, and disclosure
Govern how PII moves to third parties and across borders, and keep evidence of every transfer and disclosure.
- Identify and document the basis for each transfer of PII between jurisdictions
- Record the countries and international organisations to which PII may be transferred
- Keep records of transfers of PII and of each disclosure of PII to a third party, including what was disclosed, to whom, and when
- Inform third parties that received PII when consent for its processing is modified or withdrawn
Frequently Asked Questions
Common questions about the ISO 27701 controller controls.
Who has to implement the ISO 27701 controller controls?
Any organisation acting as a PII controller — one that decides why and how personally identifiable information is processed. If you also process PII on behalf of others, you apply the Annex B processor controls as well.
How is ISO 27701 Annex A organised?
Annex A groups its PII-controller controls under four themes — conditions for collection and processing, obligations to PII principals, privacy by design and default, and PII sharing, transfer, and disclosure. You select and apply them through your Statement of Applicability, just as you do for ISO 27001 Annex A.
Do these controls replace ISO 27001 Annex A controls?
No — they are additional. ISO 27701 controller controls sit on top of the ISO 27001 security controls you already operate; together they cover both information security and privacy.
Continue your ISO 27701 research
- ISO 27701 processor controls (Annex B) — the controls for organisations that process PII on a controller’s behalf.
- The ISO 27701 PIMS framework — how Annex A fits into the overall standard.
- ISO 27701 hub — PIMS overview, controls, and certification in one place.