# ISO 27701 Controller Controls (Annex A)

> Implement and document ISO 27701 Clause 7 and Annex A controls specific to PII controllers. Covers conditions for collection/processing, obligations to PII principals, privacy by design/default, and PII sharing/transfer/disclosure with implementation status, evidence, and justification for exclusions.

Tags: ISO 27701, Privacy, Controller, Annex A, PII, Compliance

## Example Prompts

- Implement controller controls for ISO 27701
- Document our Annex A controller control implementations
- Check our PII controller obligations coverage

URL: https://rakenne.app/skills/iso27701-controller-controls/index.md

Try this skill: https://rakenne.app/a/?skill=iso27701-controller-controls

## Overview

Implement and document ISO 27701 Clause 7 and Annex A controls specific to PII controllers. This skill walks through all four Annex A control areas: conditions for collection and processing (A.7.2), obligations to PII principals (A.7.3), privacy by design and default (A.7.4), and PII sharing, transfer, and disclosure (A.7.5). For each of the 22 individual controls, the agent helps document implementation status, supporting evidence, and justification for any controls marked as not applicable. The output is a comprehensive controller controls register ready for ISO 27701 certification audit.

### What It Covers

- **A.7.2 — Conditions for Collection and Processing** — Purpose identification, lawful basis determination, consent management (obtaining, recording, modifying, withdrawing), privacy impact assessments, processor contracts, joint controller arrangements, and processing records
- **A.7.3 — Obligations to PII Principals** — Determining and fulfilling obligations, privacy notices, consent modification/withdrawal mechanisms, right to object, access/correction/erasure, informing third parties of changes, providing copies of PII, request handling procedures, and automated decision-making
- **A.7.4 — Privacy by Design and Default** — Embedding privacy into system design and configuring privacy-protective defaults
- **A.7.5 — PII Sharing, Transfer, and Disclosure** — Cross-border transfer basis, destination countries/organizations, transfer records, and third-party disclosure records

## Example Conversation

> **You:** We need to document our Annex A controller controls for MedSecure Health Technologies. We act as a controller for employee data, job applicants, and website visitors. We already have the PII inventory and PIMS scope done.
>
> **Agent:** I've loaded your PIMS scope and PII inventory. Since MedSecure is a controller for employee, applicant, and visitor data, all Annex A controls apply to those activities. Let me walk through each control area systematically.
>
> Starting with **A.7.2 — Conditions for Collection and Processing**.
>
> **A.7.2.1 — Identify and document purpose:** For each controller processing activity, what is the documented purpose?
>
> **You:** Employee HR management — purpose is to fulfill employment obligations and administer compensation/benefits. Recruitment — evaluate candidates for employment. Website analytics — understand user behavior to improve our marketing and product.
>
> **Agent:** Good. Now **A.7.2.2 — Identify lawful basis.** For each activity:
>
> - Employee HR: Legal basis is **contract** (employment agreement) and **legal obligation** (tax, labor law)
> - Recruitment: Legal basis is **legitimate interest** (evaluate candidates) and **consent** (for background checks)
> - Website analytics: Legal basis is **consent** (cookie consent banner)
>
> Does that match your understanding?
>
> **You:** Yes, that's right. For consent, we use a cookie consent platform (OneTrust) and for recruitment background checks we get written consent.
>
> **Agent:** Now for **A.7.3 — Obligations to PII Principals**. This is where data subject rights come in.
>
> **A.7.3.4 — Consent withdrawal:** How can employees and website visitors withdraw consent?
>
> **You:** Website visitors can change cookie preferences anytime via OneTrust. Employees can withdraw consent for optional processing (like company newsletter, photo on website) by emailing HR. Recruitment candidates can withdraw by contacting our recruitment team.
>
> **Agent:** **A.7.3.6 — Access, correction, and erasure:** What mechanisms exist for data subject requests?
>
> **You:** We have a privacy@medsecure.com inbox monitored by our DPO. Response SLA is 30 days. For employees, HR can process requests directly in Workday. For website visitors, we can export/delete data from OneTrust and HubSpot.
>
> **Agent:** I've now documented all 22 Annex A controls. Control A.7.2.7 (Joint PII controller) is marked Not Applicable because MedSecure does not jointly determine purposes with another controller for any processing activity. Let me validate.
>
> `check_controller_controls_coverage` on `output/Controller-Controls-Register.md`:
>
> ```
> Coverage: 22/22 controls (100%)
>   [OK] A.7.2.1 — Identify and document purpose
>   [OK] A.7.2.2 — Identify lawful basis
>   [OK] A.7.2.3 — Determine when and how consent is obtained
>   [OK] A.7.2.4 — Obtain and record consent
>   [OK] A.7.2.5 — Privacy impact assessment
>   [OK] A.7.2.6 — Contracts with PII processors
>   [OK] A.7.2.7 — Joint PII controller
>   [OK] A.7.2.8 — Records relating to processing PII
>   [OK] A.7.3.1 — Determine and fulfill obligations
>   [OK] A.7.3.2 — Determine information for PII principals
>   [OK] A.7.3.3 — Provide information to PII principals
>   [OK] A.7.3.4 — Consent modification/withdrawal
>   [OK] A.7.3.5 — Object to PII processing
>   [OK] A.7.3.6 — Access, correction and erasure
>   [OK] A.7.3.7 — Inform third parties
>   [OK] A.7.3.8 — Providing copy of PII
>   [OK] A.7.3.9 — Handling requests
>   [OK] A.7.3.10 — Automated decision-making
>   [OK] A.7.4.1 — Privacy by design and default
>   [OK] A.7.5.1 — Basis for PII transfer
>   [OK] A.7.5.2 — Countries/organizations for transfer
>   [OK] A.7.5.3 — Records of PII transfers
>   [OK] A.7.5.4 — Records of PII disclosure
>
>   [INFO] All Annex A controller controls are addressed in the register.
> RESULT: PASS
> ```
>
> All 22 Annex A controller controls are documented with implementation status and evidence. One control (A.7.2.7) is justified as Not Applicable. The register is ready for audit.

## Sample Output Excerpt

Below is a representative excerpt from the Controller Controls Register showing controls from two of the four Annex A areas.

---

# Controller Controls Register — MedSecure Health Technologies

**Standard:** ISO/IEC 27701:2019, Clause 7 and Annex A

**Organization role:** PII Controller (for employee, applicant, and website visitor data)

**Date:** 2026-03-21

## A.7.2 — Conditions for Collection and Processing

| Control | Title | Status | Implementation Description | Evidence |
|---|---|---|---|---|
| A.7.2.1 | Identify and document purpose | Implemented | Purposes documented in PII Processing Inventory for each controller activity: employment management (HR), candidate evaluation (recruitment), user behavior analysis (website analytics). Purposes reviewed annually by DPO. | PII Processing Inventory v1.0; Annual DPO review minutes |
| A.7.2.2 | Identify lawful basis | Implemented | Lawful basis determined for each activity: employment contract and legal obligation (HR), legitimate interest and consent (recruitment), consent (website analytics). Legal basis assessment documented per activity. | Legal Basis Assessment document; PII Processing Inventory |
| A.7.2.3 | Determine when and how consent is obtained | Implemented | Consent obtained via: OneTrust cookie banner (website visitors — prior to analytics tracking), written consent form (recruitment background checks — before check initiated), email opt-in (employee newsletter — at onboarding). | OneTrust configuration; Background check consent template; Onboarding checklist |
| A.7.2.4 | Obtain and record consent | Implemented | Consent records maintained in: OneTrust (cookie consent with timestamp and preferences), recruitment ATS (signed consent forms), Workday (employee consent records). Records retained for duration of processing + 3 years. | OneTrust consent logs; ATS consent archive; Workday consent records |
| A.7.2.5 | Privacy impact assessment | Implemented | DPIA procedure requires assessment for any new processing activity involving PII or changes to existing activities. DPIAs completed for: MedSecure Platform v2.0, HubSpot marketing integration, employee monitoring policy. | DPIA procedure v1.0; Completed DPIA register |
| A.7.2.6 | Contracts with PII processors | Implemented | DPAs in place with all processors: ADP (payroll), United Healthcare (benefits), Fidelity (retirement), HubSpot (marketing), OneTrust (consent management). DPAs include GDPR Art. 28 clauses, sub-processor controls, breach notification. | DPA register; Signed DPAs on file |
| A.7.2.7 | Joint PII controller | Not Applicable | MedSecure does not jointly determine the purposes and means of processing with any other organization for its controller activities. All processing purposes are determined solely by MedSecure. | PIMS Scope Statement (role determination section) |
| A.7.2.8 | Records relating to processing PII | Implemented | PII Processing Inventory (ROPA) maintained per GDPR Article 30. Covers all controller activities with purpose, legal basis, data categories, retention, and recipients. Reviewed quarterly. | PII Processing Inventory v1.0; Quarterly review log |

## A.7.3 — Obligations to PII Principals

| Control | Title | Status | Implementation Description | Evidence |
|---|---|---|---|---|
| A.7.3.1 | Determine and fulfill obligations | Implemented | Obligations mapped per regulation: GDPR (Art. 12-23), LGPD (Art. 17-22), CCPA (Sec. 1798.100-135). DPO maintains obligation register and monitors regulatory updates. | Regulatory obligation register; DPO quarterly report |
| A.7.3.4 | Provide mechanism to modify or withdraw consent | Implemented | Website visitors: OneTrust preference center accessible from footer link on all pages. Employees: email HR@medsecure.com for optional processing withdrawal. Recruitment: contact recruitment@medsecure.com. All withdrawals processed within 5 business days. | OneTrust preference center; HR consent withdrawal procedure; Withdrawal processing log |
| A.7.3.6 | Access, correction and erasure | Implemented | DSR inbox: privacy@medsecure.com monitored by DPO. 30-day response SLA. Identity verification before fulfillment. Employee requests processed directly in Workday. Visitor data exported/deleted from OneTrust and HubSpot. Erasure verification across all systems including backups. | DSR procedure v1.0; DSR tracking spreadsheet; Erasure verification checklist |
| A.7.3.9 | Handling requests | Implemented | Standardized DSR process: (1) receive via privacy@medsecure.com, (2) log in tracking system, (3) verify identity, (4) route to data owner (HR/Marketing/IT), (5) fulfill within 30 days, (6) respond to principal, (7) close and archive. Escalation path to DPO for complex requests. | DSR procedure v1.0; DSR tracking system; Monthly DSR metrics report |
| A.7.3.10 | Automated decision-making | Not Applicable | MedSecure does not make automated decisions that produce legal effects or similarly significant effects on individuals. Website analytics are used for aggregate reporting only, not individual targeting or profiling. | Processing activity descriptions in PII Inventory |

---

## Extension Tools

### `check_controller_controls_coverage`

Validates that the controller controls register covers all 22 Annex A controls across the four control areas, each with an implementation status and supporting documentation.

| Check | Severity | What It Validates |
|---|---|---|
| A.7.2 area coverage | ERROR if entire area missing | Conditions for collection and processing controls (A.7.2.1 through A.7.2.8) are documented |
| A.7.3 area coverage | ERROR if entire area missing | Obligations to PII principals controls (A.7.3.1 through A.7.3.10) are documented |
| A.7.4 area coverage | ERROR if entire area missing | Privacy by design and default control (A.7.4.1) is documented |
| A.7.5 area coverage | ERROR if entire area missing | PII sharing, transfer, and disclosure controls (A.7.5.1 through A.7.5.4) are documented |
| A.7.2.1 Identify purpose | ERROR if missing | Purpose identification for processing activities |
| A.7.2.2 Lawful basis | ERROR if missing | Legal basis determination documented |
| A.7.2.3 Consent timing | ERROR if missing | When and how consent is obtained |
| A.7.2.4 Consent recording | ERROR if missing | Consent records maintained |
| A.7.2.5 Privacy impact assessment | ERROR if missing | DPIA/PIA procedure documented |
| A.7.2.6 Processor contracts | ERROR if missing | DPA requirements addressed |
| A.7.2.7 Joint controller | WARNING if missing | Joint controller arrangements (may be N/A) |
| A.7.2.8 Processing records | ERROR if missing | ROPA maintenance documented |
| A.7.3.1-A.7.3.10 | ERROR/WARNING | Each obligation to PII principals is addressed |
| A.7.4.1 Privacy by design and default | ERROR if missing | Privacy by design and default practices |
| A.7.5.1-A.7.5.4 | ERROR if missing | Transfer and disclosure controls documented |
| Implementation status | ERROR if missing | Each control has a valid status (Implemented, Partially Implemented, Planned, Not Applicable) |
| N/A justification | WARNING if missing | Controls marked Not Applicable include specific justification |
| Evidence references | WARNING if missing | Implemented controls reference supporting evidence |

The tool reports overall coverage as a percentage of the 22 controls addressed, and flags missing critical controls as errors.
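The checker below is an added example of the kind of validation described in the table above; it is not the skill's own `check_controller_controls_coverage` implementation. It parses the register's markdown tables, applies the area, per-control, status, justification and evidence checks, and reports coverage and a PASS/FAIL result in the same shape as the tool output in the example conversation. The control list is taken from that output; the WARNING severity for a missing A.7.3.10, the 40-character justification threshold, and the constructed sample register are assumptions made for this example.

```python
"""Coverage checker for an ISO 27701 controller controls register (markdown).

Added example, not the skill's own check_controller_controls_coverage tool.
Control IDs come from the validation output shown on this page; severities
follow the Extension Tools table. Where that table leaves severity open
(A.7.3.x "ERROR/WARNING"), a missing A.7.3.10 is assumed to be WARNING because
the page notes automated decision-making may be Not Applicable.
"""
import re
from dataclasses import dataclass

# Expected controls per Annex A area (list taken from the page's tool output).
EXPECTED = {
    "A.7.2": [f"A.7.2.{i}" for i in range(1, 9)],
    "A.7.3": [f"A.7.3.{i}" for i in range(1, 11)],
    "A.7.4": ["A.7.4.1"],
    "A.7.5": [f"A.7.5.{i}" for i in range(1, 5)],
}
ALL_CONTROLS = [c for area in EXPECTED.values() for c in area]
# Controls that may legitimately be absent: missing is WARNING, not ERROR.
WARN_IF_MISSING = {"A.7.2.7", "A.7.3.10"}  # A.7.3.10 is an assumption
VALID_STATUS = {"Implemented", "Partially Implemented", "Planned", "Not Applicable"}
MIN_JUSTIFICATION_CHARS = 40  # assumed threshold for a "specific" N/A justification


@dataclass
class Row:
    control: str
    title: str
    status: str
    description: str
    evidence: str


def parse_register(markdown: str) -> dict[str, Row]:
    """Collect control rows from every markdown table whose first cell is an Annex A ID."""
    rows: dict[str, Row] = {}
    for line in markdown.splitlines():
        if not line.lstrip().startswith("|"):
            continue
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        # Skip header rows, separator rows and anything without a control ID.
        if len(cells) < 5 or not re.fullmatch(r"A\.7\.\d+\.\d+", cells[0]):
            continue
        rows[cells[0]] = Row(*cells[:5])
    return rows


def check_register(markdown: str) -> dict:
    """Apply the coverage, status, justification and evidence checks."""
    rows = parse_register(markdown)
    findings = []  # (severity, control or area, message)
    for area, controls in EXPECTED.items():
        if not any(c in rows for c in controls):
            findings.append(("ERROR", area, "entire control area missing"))
            continue
        for c in controls:
            if c not in rows:
                sev = "WARNING" if c in WARN_IF_MISSING else "ERROR"
                findings.append((sev, c, "control not documented"))
    for c, row in rows.items():
        if row.status not in VALID_STATUS:
            findings.append(("ERROR", c, f"invalid status {row.status!r}"))
        elif row.status == "Not Applicable" and len(row.description) < MIN_JUSTIFICATION_CHARS:
            findings.append(("WARNING", c, "Not Applicable without specific justification"))
        elif row.status == "Implemented" and not row.evidence:
            findings.append(("WARNING", c, "Implemented control lacks evidence reference"))
    covered = sum(1 for c in ALL_CONTROLS if c in rows)
    result = "FAIL" if any(s == "ERROR" for s, _, _ in findings) else "PASS"
    return {"covered": covered, "total": len(ALL_CONTROLS),
            "pct": round(100 * covered / len(ALL_CONTROLS)),
            "findings": findings, "result": result}


def report_lines(result: dict) -> list[str]:
    """Render the result in the same shape as the tool output on this page."""
    lines = [f"Coverage: {result['covered']}/{result['total']} controls ({result['pct']}%)"]
    lines += [f"  [{sev}] {ref} - {msg}" for sev, ref, msg in result["findings"]]
    lines.append(f"RESULT: {result['result']}")
    return lines


# Constructed sample register: deliberately incomplete to exercise each check.
SAMPLE_REGISTER = """
| Control | Title | Status | Implementation Description | Evidence |
|---|---|---|---|---|
| A.7.2.1 | Identify and document purpose | Implemented | Purposes documented per activity. | PII Processing Inventory v1.0 |
| A.7.2.7 | Joint PII controller | Not Applicable | Purposes and means are determined solely by the organization; no joint controller. | PIMS Scope Statement |
| A.7.3.1 | Determine and fulfill obligations | Implemented | Obligations mapped per regulation. | |
| A.7.3.10 | Automated decision-making | Not Applicable | N/A | |
| A.7.4.1 | Privacy by design and default | Done | DPIAs for new features. | DPIA register |
"""

if __name__ == "__main__":
    print("\n".join(report_lines(check_register(SAMPLE_REGISTER))))
```

On the constructed sample the checker reports 5 covered controls, six missing A.7.2 controls and eight missing A.7.3 controls as errors, the whole of A.7.5 as a missing area, the invalid `Done` status on A.7.4.1 as an error, and two warnings (no evidence on A.7.3.1, no specific justification on A.7.3.10), so the result is FAIL. Feeding it a register with every control Implemented and referencing evidence yields 100% and PASS.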

## Getting Started

To document your controller controls effectively, prepare the following:

1. **Complete prerequisite skills** — The agent references the PIMS Scope Statement (to confirm your controller role) and the PII Processing Inventory (to understand your processing activities, legal bases, and retention periods). Complete those skills first.

2. **Gather consent mechanisms** — Know how your organization obtains, records, and manages consent. This includes cookie consent platforms, opt-in forms, written consent documents, and the processes for handling withdrawal requests.

3. **Document data subject request processes** — If you have existing procedures for handling access, correction, erasure, or portability requests, have them ready. If not, be prepared to design these with the agent.

4. **Review processor contracts** — Collect your Data Processing Agreements (DPAs) with all third-party processors. The agent will document these under A.7.2.6.

5. **Know your cross-border transfers** — Identify which countries and organizations receive PII from your controller activities, and what transfer mechanisms are in place (adequacy decisions, SCCs, BCRs).

6. **Privacy by design practices** — Think about how privacy is embedded in your product and system design. Do you conduct DPIAs for new features? Are default settings privacy-protective? The agent will document this under A.7.4.

7. **Identify non-applicable controls** — Some controls may not apply to your organization (e.g., joint controller if you do not jointly determine purposes with another entity, automated decision-making if you do not profile individuals). Have justifications ready for these exclusions.

The skill produces `output/Controller-Controls-Register.md` with all 22 Annex A controls documented and validated.
