Getting the controller and processor roles right under ISO 27701 is fundamental, because the standard assigns different responsibilities to each. A PII controller decides why and how personal data is processed, while a PII processor acts on the controller's documented instructions. Controllers and processors follow different sets of Annex controls, so identifying your role for each processing activity (often you are both) shapes your entire Privacy Information Management System (PIMS).

First, what is PII?
PII — personally identifiable information — is any data that can identify an individual, directly or indirectly: names, emails, IDs, location data, and much more. ISO 27701 is all about managing PII responsibly.
PII controller vs. PII processor
- A PII controller determines why and how personal data is processed. They make the decisions and carry primary accountability.
- A PII processor processes personal data on behalf of a controller, following the controller’s instructions.
These roles mirror the “controller” and “processor” concepts in privacy laws like GDPR.
A simple example
A retailer that collects customer data to run its business is a controller. The cloud email platform it uses to store and send messages containing that data is a processor: it handles the data, but only as the retailer instructs. The retailer decides the "why"; the platform carries out the "how" it has been told to.
Controls for whichever role you play
The ISO 27701 Toolkit covers both the Annex A (controller) and Annex B (processor) controls — so whether you’re one, the other, or both, you have the right documents ready to tailor.
Why the distinction matters in ISO 27701
ISO 27701 splits its additional controls by role:
- Annex A — PIMS-specific controls for PII controllers (consent, purpose, individuals’ rights, transparency).
- Annex B — PIMS-specific controls for PII processors (acting on instructions, assisting the controller, sub-processor management).
Your Statement of Applicability and documentation follow directly from which set applies to you.
You’re often both
Many organizations are controllers and processors, depending on the activity. A SaaS company is usually a processor for its customers’ data (it processes on their behalf) but a controller for its own employee and marketing data. In that case, you implement controls from both Annex A and Annex B — mapped to the right activities.
How controllers and processors differ in practice
The distinction drives which controls apply and, just as importantly, what evidence you will be asked to produce. A PII controller owns obligations such as establishing a lawful basis, honouring data subject rights, and managing consent. A PII processor focuses on acting only on documented instructions, supporting the controller's obligations, and controlling sub-processors. Because the same organization can hold both roles, the Statement of Applicability should record, per processing activity, which role applies and therefore which annex's controls are in scope. ISO/IEC 27701 is published jointly by ISO and IEC.
Frequently asked questions
How do I decide which role I’m in?
Ask who decides the purpose and means of the processing. If it is you, you are the controller; if you are acting on someone else's documented instructions, you are the processor. Be aware that a processor which starts deciding new purposes for the data becomes a controller for that processing, whether or not the contract says so.
Can I be both at once?
Yes — commonly. You assess it per processing activity and apply the relevant controls to each.
New to the standard? Start with our complete guide to ISO 27701.
Bottom line: map every stream of personal data you touch to a role. Once you know where you act as controller and where as processor, the ISO 27701 requirements become a clear checklist rather than a source of confusion.
Getting this classification wrong has real consequences: a processor that behaves like a controller (deciding new purposes for the data, say) takes on obligations it may not have prepared for, and vice versa. That is why controllers document their lawful bases and data subject processes, while processors focus their evidence on instructions, sub-processor management, and assisting the controller. Sorting this out early keeps your Statement of Applicability honest and your audit short.
