ISO/IEC 27701 — annexes
ISO/IEC 27701 organises its privacy controls into two role-based annexes: Annex A for PII controllers and Annex B for PII processors. Annex D provides an informative mapping to GDPR. This page covers the structure of each annex at the theme level, with reference numbers only.
Quick decision
- You determine purposes and means of processing → apply Annex A (PII controller controls).
- You process PII on behalf of a controller → apply Annex B (PII processor controls).
- You are both, for different processing activities → apply both annexes per the relevant activities.
- You need to demonstrate GDPR alignment → use Annex D as the planning aid; map PIMS controls to GDPR articles to identify where one control produces evidence for both.
TL;DR
- Annex A — privacy controls for PII controllers. Covers lawfulness, PII principals' rights, privacy by design, records of processing, transfers, automated decision-making, breach notification.
- Annex B — privacy controls for PII processors. Covers documented instructions, security, sub-processor oversight, assistance to controllers, breach notification to controller, end-of-processing.
- Annex D — informative mapping to GDPR articles (planning aid, not a compliance attestation).
- Role drives selection — controller / processor per processing activity. Many organisations are both.
- Statement of Applicability records which Annex A and / or B controls are included or excluded.
Primary source
ISO/IEC 27701:2025 — Privacy information management — Requirements and guidance. Annex A (PII controllers, normative). Annex B (PII processors, normative). Annex D (GDPR mapping, informative). Available via the ISO Online Browsing Platform. © ISO. Withdrawn prior edition: ISO/IEC 27701:2019.
Annex A — controls for PII controllers (normative)
Annex A organises controls around the controller's privacy obligations. Without reproducing the control text, the high-level structure covers:
| Theme | Focus |
|---|---|
| Lawfulness of processing | Identifying lawful basis (consent, contract, legal obligation, legitimate interests, etc.); managing consent |
| Transparency to PII principals | Privacy notice content; modalities for providing information |
| PII principals' rights | Access, rectification, erasure, restriction, portability, objection — handling and timing |
| Privacy by design and by default | Embedding privacy into system design, vendor selection, defaults |
| Records of processing activities | Inventory of processing activities; categories of PII; retention; recipients |
| Privacy impact assessment | Structured PIA process triggered by risk threshold |
| Cross-border transfer | Transfer impact assessment; appropriate safeguards (SCCs, BCRs, adequacy) |
| Automated decision-making and profiling | Transparency, human review, contestability |
| Personal-data breach | Detection, internal escalation, notification to supervisory authority and PII principals |
| DPO / privacy lead | Appointment, responsibilities, independence |
How to use Annex A
- Apply per processing activity where the organisation is the controller.
- Drive selection from the privacy risk assessment under Clause 6.1.2.
- Translate controls into operating reality — owned work, cadence, evidence, escalation.
- Record selection in the Statement of Applicability under Clause 6.1.3.
Annex B — controls for PII processors (normative)
Annex B organises controls around the processor's obligations to the controller and, indirectly, to PII principals:
| Theme | Focus |
|---|---|
| Documented instructions | Processing only on the controller's documented instructions; alerting when instructions infringe applicable law |
| Confidentiality of personnel | Personnel authorised to process PII bound by confidentiality |
| Security measures | Implementing appropriate technical and organisational measures (ties to ISO 27001 Annex A) |
| Sub-processor management | Authorisation, due diligence, contractual safeguards, change notification |
| Assistance to the controller | Assisting with PII principals' rights handling, DPIAs, prior consultation, breach handling |
| Breach notification to the controller | Notifying the controller without undue delay |
| End-of-processing | Return or deletion of PII at end of processing; documented completion evidence |
| Sub-processor breach notification | Cascading breach notification up the chain |
How to use Annex B
- Apply per processing activity where the organisation is the processor.
- Drive selection from contractual obligations — Data Processing Agreements, SCCs Module 2.
- Operate Annex B controls together with the relevant ISO 27001 Annex A security controls — most processor security obligations cross-reference into ISMS controls.
Annex D — informative mapping to GDPR
Annex D is an informative cross-reference between the PIMS Annex A / B controls and the GDPR articles. It is a planning aid, not a compliance attestation:
- A single control in Annex A or B can produce evidence relevant to multiple GDPR articles.
- Implementing a mapped control does not automatically satisfy the corresponding GDPR article — GDPR legal interpretation is a separate exercise.
- Annex D is most useful when planning a single PIMS that also produces GDPR operational evidence.
The mapping typically covers:
| GDPR area | PIMS controls in Annex A or B |
|---|---|
| Lawfulness, transparency, fairness (Articles 5–7) | Annex A lawfulness, consent, transparency |
| PII principals' rights (Articles 12–22) | Annex A rights handling; Annex B assistance |
| Controller obligations (Articles 24–30) | Annex A records of processing, privacy by design |
| Processor obligations (Article 28) | Annex B in full |
| Personal-data breach (Articles 33–34) | Annex A breach notification + Annex B notification to controller |
| DPIA (Article 35) | Clause 6.1.2 / 6.1.3 privacy risk method plus Annex A privacy-impact-assessment evidence |
| DPO (Article 37) | Annex A DPO appointment + Clause 5.3 roles |
| Cross-border transfer (Articles 44–50) | Annex A transfer impact assessment |
How to operationalise the annexes in Modulos
ISO 27701 Annex A and Annex B control selection is tracked as control-level evidence on the ORF-265 requirement (Clause 6.1.3 privacy risk treatment) on OFF-12.
| OFF-12 requirement | Description | Annex coverage |
|---|---|---|
| ORF-265 | Privacy risk treatment + Statement of Applicability | Annex A controller controls + Annex B processor controls via the SoA |
| ORF-275 | Operational planning and control | Operational execution of the selected controls |
| ORF-276 | Monitoring, measurement, analysis and evaluation | Privacy-control effectiveness signals |
| ORF-277 / ORF-278 | Internal audit + audit programme | Sampling control operation |
Practical pattern:
- The SoA artefact is owner-authored documented information attached as evidence on ORF-265. The SoA includes Annex A control decisions (where the organisation is a controller) and Annex B control decisions (where it is a processor).
- Per-control evidence (control execution records, exception decisions, sub-processor reviews, DSAR responses) is linked to Modulos controls that map to the relevant requirements.
- The role-determination decisions that drive Annex A vs B selection flow from Clause 4.1 (recorded on ORF-256).
Framework mapping
Four layers, one reusable spine.
[Diagram: four layer cards feeding a shared Controls spine]
- Frameworks: EU AI Act; ISO 42001
- Requirements: Art. 9.1 Risk management; Art. 10.2 Data governance; 6.1.1 Risk assessment
- Components: Risk identification; Impact analysis
- Evidence: Risk register; Test results
- Controls (the reusable spine): Risk assessment process; Data validation checks
One control satisfies many requirements across many frameworks, and groups the components and evidence beneath them.
An edge from any layer card crosses into the Controls spine: the same control may serve a regulatory article, a standards clause, a downstream component, and the evidence that closes it.
Cross-framework mapping (preview)
| ISO 27701 annex element | Adjacent provision |
|---|---|
| Annex A lawfulness | GDPR Articles 5, 6, 7, 9 |
| Annex A PII principals' rights | GDPR Articles 12–22 |
| Annex A records of processing | GDPR Article 30 |
| Annex A privacy impact assessment | GDPR Article 35 DPIA; ISO 42001 Clause 6.1.4 AI impact assessment |
| Annex A cross-border transfer | GDPR Articles 44–50; SCCs; adequacy decisions |
| Annex A automated decision-making | GDPR Article 22; EU AI Act Article 26(11) |
| Annex A personal-data breach | GDPR Articles 33–34; ISO 27001 Annex A.5.24–A.5.28 |
| Annex B in full | GDPR Article 28; SCCs Module 2 |
Related pages
- ISO 27701 overview: hub for PIMS structure, controller / processor distinction, GDPR alignment
- PIMS foundations (scope + roles + certification): scope, controller / processor determination, certification cycle
- Clauses 4–10 (implementation guide): Annex SL backbone with PIMS-specific additions
- Operationalizing in Modulos: OFF-12 + MFF-13 rollout, PIMS evidence patterns
- Integration with GDPR: how the PIMS produces the operational evidence GDPR requires
Source attribution
ISO/IEC 27701:2025 — Privacy information management — Requirements and guidance, Annex A (PII controllers, normative), Annex B (PII processors, normative), Annex D (informative GDPR mapping). © ISO/IEC. Available via the ISO Online Browsing Platform.
Disclaimer
This page is for general informational purposes and does not constitute legal or certification advice.