Overview
Implement and document ISO 27701 Clause 8 and Annex B controls specific to PII processors. This skill walks through each Annex B control area systematically — conditions for processing, obligations to PII principals, privacy by design and default, and PII sharing, transfer, and disclosure — producing a comprehensive Processor Controls Register with implementation status, evidence references, and justified exclusions. It is designed for organizations that process personal data on behalf of controllers and need to demonstrate Annex B compliance for ISO 27701 certification.
What It Covers
- B.8.2 — Conditions for Processing — Customer agreements, purpose limitation, marketing restrictions, infringing instruction procedures, controller obligations support, and records of processing
- B.8.3 — Obligations to PII Principals — How the processor assists the controller in meeting data subject rights obligations
- B.8.4 — Privacy by Design and Default — Embedding privacy into processing services and default configurations
- B.8.5 — PII Sharing, Transfer, and Disclosure — Cross-border transfer basis, destination countries, third-party disclosure records, law enforcement requests, and sub-processor management (engagement, changes, disclosure)
- Sub-Processor Management — Register of sub-processors, due diligence process, contractual flow-down, monitoring and audit, change notification, and exit procedures
Example Conversation
You: We need to document our Annex B processor controls for ISO 27701 certification. MedSecure Health Technologies is a SaaS health data platform — we process patient data on behalf of hospital clients across the EU and Brazil. We have about 200 employees and act as a processor for hospital client data.
Agent: I’ll help you build the Processor Controls Register for MedSecure’s processor role. Let me start by loading your PII inventory to understand the processing activities in scope.
I can see from your PII inventory that MedSecure processes three main categories of data on behalf of hospital controllers: patient health records, appointment scheduling data, and billing information. You have processing agreements with 14 hospital clients across Germany, France, and Brazil.
Let me walk through each Annex B control area. Starting with B.8.2 — Conditions for Processing:
- B.8.2.1 — Customer agreement: Can you describe your standard Data Processing Agreement (DPA) with hospital clients? Does it specify the subject matter, duration, nature, and purpose of processing?
You: Yes, we have a standard DPA template that all hospital clients sign. It covers scope of processing, data categories, retention, and sub-processor terms. Our legal team reviews it annually. We also have specific addenda for clients in Brazil addressing LGPD requirements.
Agent: Good — that covers B.8.2.1 comprehensively. I’ll document both the standard DPA and the LGPD-specific addenda as evidence.
Now for B.8.2.2 — Organization’s purposes: Does MedSecure ever use hospital client data for its own purposes, such as analytics, product improvement, or benchmarking?
You: We do aggregate anonymized data for platform performance metrics, but we never use identifiable patient data for our own purposes. Our DPA explicitly prohibits this.
Agent: I’ll document that as implemented with the DPA clause as evidence. Moving to sub-processor management — B.8.5.6 through B.8.5.8: I see you use AWS for hosting, Twilio for appointment reminders, and a Brazilian cloud provider for LGPD-compliant storage. Can you describe your sub-processor onboarding and change notification process?
You: We maintain a sub-processor register on our website. Hospital clients are notified 30 days before any sub-processor change via email. They have the right to object. We conduct security assessments of all sub-processors before engagement, and we have DPAs with each of them.
Agent: Excellent — that covers the sub-processor controls thoroughly. I’ve now completed the interview across all Annex B areas. Let me write the register and validate it.
I’ve written the Processor Controls Register to output/Processor-Controls-Register.md. Running the validation tool now.
check_processor_controls_coverage on output/Processor-Controls-Register.md:
```
=== ISO 27701 ANNEX B — PROCESSOR CONTROLS COVERAGE ===
Coverage: 16/16 controls (100%)
--- PRESENT ---
[OK] B.8.2.1 — Customer agreement
[OK] B.8.2.2 — Organization's purposes
[OK] B.8.2.3 — Marketing and advertising
[OK] B.8.2.4 — Infringing instruction
[OK] B.8.2.5 — Customer obligations
[OK] B.8.2.6 — Records relating to processing PII
[OK] B.8.3.1 — Obligations to PII principals
[OK] B.8.4.1 — Privacy by design and privacy by default
[OK] B.8.5.1 — Basis for PII transfer between jurisdictions
[OK] B.8.5.2 — Countries and organizations PII may be transferred to
[OK] B.8.5.3 — Records of PII disclosure to third parties
[OK] B.8.5.4 — Notification of PII disclosure requests
[OK] B.8.5.5 — Legally binding PII disclosures
[OK] B.8.5.6 — Disclosure of sub-contractors used to process PII
[OK] B.8.5.7 — Engagement of a sub-contractor to process PII
[OK] B.8.5.8 — Change of sub-contractor to process PII
--- FINDINGS ---
[INFO] All Annex B processor controls are addressed in the register.
Errors: 0, Warnings: 0, Info: 1
```
All 16 Annex B controls are documented with implementation status and evidence references. The register is ready for audit review.
Sample Output Excerpt
Below is a representative excerpt from the Processor Controls Register produced for MedSecure’s processor activities. The full register covers all 16 Annex B controls across four control areas.
Processor Controls Register — MedSecure Health Technologies
PIMS Scope: SaaS health data platform — processor role for hospital client data
Date: 2026-03-21
Prepared by: Privacy Management Team
B.8.2 — Conditions for Processing
| Control | Title | Status | Implementation Description | Evidence |
|---|---|---|---|---|
| B.8.2.1 | Customer agreement | Implemented | Standard DPA executed with all 14 hospital clients. Specifies subject matter (patient health records, appointment data, billing), duration, nature of processing, and data categories. LGPD-specific addenda for Brazilian clients. | DPA-Template-v3.2.pdf, LGPD-Addendum-v1.1.pdf |
| B.8.2.2 | Organization’s purposes | Implemented | MedSecure does not use client PII for own purposes. DPA Section 4.2 explicitly prohibits processor use of data beyond controller instructions. Anonymized aggregate metrics are outside PII scope. | DPA Section 4.2, Data Anonymization Procedure DA-003 |
| B.8.2.3 | Marketing and advertising | Implemented | No client PII is used for marketing or advertising purposes. Platform terms of service and DPA explicitly prohibit this. Marketing team has no access to client data environments. | DPA Section 4.3, Access Control Matrix ACM-012 |
| B.8.2.4 | Infringing instruction | Implemented | Procedure requires escalation to DPO and Legal when a controller instruction appears to violate applicable data protection law. Controller is notified in writing within 48 hours. Processing is suspended pending resolution. | Infringing Instruction Procedure IIP-001 |
B.8.5 — PII Sharing, Transfer, and Disclosure
| Control | Title | Status | Implementation Description | Evidence |
|---|---|---|---|---|
| B.8.5.6 | Disclosure of sub-contractors | Implemented | Sub-processor register published on medsecure.com/sub-processors and attached to each DPA. Currently lists 3 sub-processors: AWS (EU hosting), Twilio (appointment notifications), CloudBR (Brazil storage). Updated within 5 business days of any change. | Sub-Processor Register (public URL), DPA Annex 3 |
| B.8.5.7 | Engagement of a sub-contractor | Implemented | Sub-processor onboarding requires: (1) security assessment against ISO 27001 criteria, (2) privacy impact screening, (3) DPA execution with flow-down of controller obligations, (4) DPO approval. Assessment records retained for 5 years. | Sub-Processor Assessment Checklist SAC-001, Sub-Processor DPA Template |
| B.8.5.8 | Change of sub-contractor | Implemented | Controllers notified 30 days before sub-processor changes via registered email. Objection window of 15 business days. If controller objects, MedSecure offers alternative processing arrangement or contract termination without penalty. Two sub-processor changes processed in 2025 with zero objections. | Change Notification Template CNT-001, Notification Log 2025 |
Extension Tools
check_processor_controls_coverage
Validates that the Processor Controls Register covers all 16 Annex B sub-controls across the four control areas. Each control is checked via pattern matching against the document content.
| Check | What It Validates |
|---|---|
| B.8.2.1 — Customer agreement | Controller/customer agreement or data processing agreement is documented |
| B.8.2.2 — Organization’s purposes | Purpose limitation for the processor’s own use of PII is addressed |
| B.8.2.3 — Marketing and advertising | Restrictions on marketing or advertising use of processed PII |
| B.8.2.4 — Infringing instruction | Procedure for handling unlawful or infringing instructions from controllers |
| B.8.2.5 — Customer obligations | How the processor assists the controller in meeting its obligations |
| B.8.2.6 — Records relating to processing | Records of processing activities (ROPA) maintained by the processor |
| B.8.3.1 — Obligations to PII principals | Processor’s role in supporting data subject rights requests |
| B.8.4.1 — Privacy by design and default | Privacy by design and privacy by default embedded into processing services |
| B.8.5.1 — Basis for PII transfer | Legal basis for cross-border or international PII transfers |
| B.8.5.2 — Countries and organizations | Destination countries and recipient organizations for PII transfers |
| B.8.5.3 — Records of disclosure | Logging and record-keeping for third-party PII disclosures |
| B.8.5.4 — Notification of disclosure requests | Procedure for notifying controllers of government or law enforcement requests |
| B.8.5.5 — Legally binding disclosures | Handling of court orders and legally compelled disclosures |
| B.8.5.6 — Disclosure of sub-contractors | Transparency about which sub-processors are used and their roles |
| B.8.5.7 — Engagement of sub-contractors | Due diligence, assessment, and DPA execution for new sub-processors |
| B.8.5.8 — Change of sub-contractors | Controller notification and objection process for sub-processor changes |
The tool also checks for valid implementation statuses (Implemented, Partially Implemented, Planned, Not Applicable), justifications on N/A controls, evidence references, and sub-processor management coverage. Returns a coverage percentage and severity-classified findings.
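The checks described above, written out as an added example that is not the skill's own tool: it parses the register's markdown table rows, reports missing controls as errors, flags invalid statuses, N/A rows without justification and empty evidence cells, and returns the coverage percentage with severity-tagged findings. The "justif" keyword heuristic and the sample register rows are assumptions made for the example.

```python
import re
# The 16 Annex B sub-control IDs the register must cover (IDs as listed on the page).
ANNEX_B_CONTROLS = [
    "B.8.2.1", "B.8.2.2", "B.8.2.3", "B.8.2.4", "B.8.2.5", "B.8.2.6", "B.8.3.1", "B.8.4.1",
    "B.8.5.1", "B.8.5.2", "B.8.5.3", "B.8.5.4", "B.8.5.5", "B.8.5.6", "B.8.5.7", "B.8.5.8",
]
VALID_STATUSES = {"Implemented", "Partially Implemented", "Planned", "Not Applicable"}
# One register table row: | B.8.x.y | Title | Status | Implementation Description | Evidence |
ROW_RE = re.compile(r"^\|\s*(B\.8\.\d\.\d+)\s*\|(.*)\|\s*$")

def parse_register(text):
    """Return {control_id: (status, description, evidence)} from the markdown tables."""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            cells = [c.strip() for c in m.group(2).split("|")]
            if len(cells) >= 4:  # title, status, description, evidence
                rows[m.group(1)] = (cells[1], cells[2], cells[3])
    return rows

def check_coverage(text):
    """Coverage percentage plus (severity, message) findings, as the page's tool reports."""
    rows, findings = parse_register(text), []
    for cid in ANNEX_B_CONTROLS:
        if cid not in rows:
            findings.append(("ERROR", f"{cid} is missing from the register"))
            continue
        status, desc, evidence = rows[cid]
        if status not in VALID_STATUSES:
            findings.append(("ERROR", f"{cid} has invalid status '{status}'"))
        # Assumed heuristic for "justification on N/A controls": the description must say why.
        if status == "Not Applicable" and "justif" not in desc.lower():
            findings.append(("WARNING", f"{cid} marked Not Applicable without justification"))
        if not evidence:
            findings.append(("WARNING", f"{cid} has no evidence reference"))
    findings = findings or [("INFO", "All Annex B processor controls are addressed in the register.")]
    present = sum(cid in rows for cid in ANNEX_B_CONTROLS)
    return {"present": present, "coverage": 100 * present // len(ANNEX_B_CONTROLS), "findings": findings}

# Constructed sample excerpt: one complete row and one N/A row lacking justification and evidence.
SAMPLE_REGISTER = """\
| Control | Title | Status | Implementation Description | Evidence |
|---|---|---|---|---|
| B.8.2.1 | Customer agreement | Implemented | Standard DPA executed with all clients. | DPA-Template-v3.2.pdf |
| B.8.2.3 | Marketing and advertising | Not Applicable | No marketing function exists. | |
"""
if __name__ == "__main__":
    for severity, message in check_coverage(SAMPLE_REGISTER)["findings"]:
        print(f"[{severity}] {message}")
```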
Getting Started
To get the most out of this skill, prepare the following before starting:
- PII inventory — Run the ISO 27701 PII Inventory skill first. The processor controls register draws on your list of processing activities, data categories, and controller relationships.
- Data Processing Agreements — Have your standard DPA template and any client-specific addenda available. The skill references these as evidence for the B.8.2 controls.
- Sub-processor information — Compile a list of all sub-processors, including their names, locations, the PII they process, and the contractual basis. This is critical for B.8.5.6 through B.8.5.8.
- Processor role confirmation — Confirm which processing activities involve your organization (MedSecure in the example above) acting as a processor rather than a controller. If you act as both, the controller activities are handled by the companion Controller Controls skill.
- Existing policies and procedures — Gather any existing documents related to processor obligations: infringing instruction procedures, sub-processor assessment checklists, change notification templates, and records of processing activities.
Once you have these inputs ready, tell the agent about your organization and it will walk you through each Annex B control area, asking targeted questions about your current implementation before producing the register.