Implementing ISO 27001 Annex A 5.34 is a strict data governance mandate requiring the identification, classification, and cryptographic protection of Personally Identifiable Information (PII) throughout its lifecycle. This control forces organizations to move beyond policy documents to enforce technical privacy controls, ensuring the business benefit of regulatory compliance with GDPR and reduced legal liability from data breaches.

ISO 27001 Annex A Privacy and Protection of PII Implementation Checklist

Use this implementation checklist to achieve compliance with ISO 27001 Annex A 5.34. This control demands a rigorous technical and legal framework to ensure the privacy and protection of Personally Identifiable Information (PII), going far beyond simple policy declarations to require hard-coded data governance.

1. Conduct Forensic Data Discovery

Control Requirement: Identify and classify all PII held within the organisation’s systems. Required Implementation Step: Ignore user surveys. Run automated data discovery tools (using regex patterns for NI numbers, emails, credit cards) across all unstructured file servers, S3 buckets, and database schemas to locate “shadow” PII. Map these findings to your asset register.

Minimum Requirement: A scan report confirming the physical location of all PII, reconciled against the stated inventory.

2. Construct a Granular Record of Processing Activities (RoPA)

Control Requirement: Document the legal basis and purpose for processing PII (alignment with GDPR/DPA 2018). Required Implementation Step: Create a detailed register that maps specific database tables and columns to a legal basis (e.g., Consent, Contract, Legitimate Interest). Ensure this document explicitly lists the “Who, What, Where, Why, and When” for every PII data set.

Minimum Requirement: A RoPA document that references specific system identifiers (Table IDs/API endpoints) rather than vague business processes.

3. Implement Automated Data Retention Policies

Control Requirement: Ensure PII is not kept for longer than necessary. Required Implementation Step: Configure database-level retention policies (e.g., TTL indices in MongoDB, Retention Policies in SQL) to automatically purge or anonymise user data once the retention period expires. Do not rely on manual administrative deletion.

Minimum Requirement: Verified scripts or configuration settings that auto-delete PII after the defined retention period.

4. Enforce Pseudonymisation and Anonymisation

Control Requirement: Reduce risk to data subjects by obscuring their identity. Required Implementation Step: Apply dynamic data masking or tokenisation to PII fields in non-production environments (staging/dev). Ensure developers work with sanitised data sets, not live customer data.

Minimum Requirement: Technical proof that Lower Environments (Dev/Test) do not contain raw, identifying PII.

5. Secure PII with Column-Level Encryption

Control Requirement: Protect PII confidentiality against unauthorised access. Required Implementation Step: Beyond full-disk encryption, implement application-layer or database column-level encryption for highly sensitive PII (e.g., health data, financial identifiers). Manage the decryption keys strictly via a Hardware Security Module (HSM) or Key Management Service (KMS).

Minimum Requirement: Database schema showing sensitive columns are encrypted at rest.

6. Operationalise Subject Access Requests (DSARs)

Control Requirement: Facilitate the rights of data subjects (access, rectification, erasure). Required Implementation Step: Develop and test scripts that can query all systems to extract or delete a specific user’s data upon request. Ensure this process handles “hard deletes” across backups and third-party SaaS integrations where possible.

Minimum Requirement: A tested procedure (runbook) that executes a “Right to be Forgotten” request within 72 hours.

7. Validate Cross-Border Data Transfers

Control Requirement: Ensure PII remains protected when transferred internationally. Required Implementation Step: Audit cloud configuration regions. Ensure data is pinned to specific geographic regions (e.g., “UK South” or “EU West”) and does not replicate to non-adequate jurisdictions without Standard Contractual Clauses (SCCs) and a Transfer Risk Assessment (TRA).

Minimum Requirement: Network diagrams and cloud configs proving data residency is restricted to approved jurisdictions.

8. Integrate Privacy by Design into SDLC

Control Requirement: Consider privacy at the earliest stage of system development. Required Implementation Step: Update the change management process. Require a Data Privacy Impact Assessment (DPIA) trigger for any code commit or schema change that introduces new PII fields. Block deployment pipelines until privacy risks are mitigated.

Minimum Requirement: Jira/Git history showing privacy reviews attached to feature branches involving PII.

9. Audit Sub-Processor Compliance

Control Requirement: Ensure third-party vendors protect your PII data. Required Implementation Step: Review every SaaS tool and vendor processing your PII. Enforce signed Data Processing Agreements (DPAs) that mandate security controls equivalent to your own. Periodically audit their SOC 2 reports or ISO certificates specifically for privacy controls.

Minimum Requirement: A central repository of signed DPAs for every external PII handler.

10. Establish Breach Notification Protocols

Control Requirement: Promptly notify authorities and subjects of PII compromises. Required Implementation Step: Draft specific templates for notifying the ICO (or relevant authority) and affected individuals. Integrate these into the Incident Response Plan. Test the communication chain to ensure notifications can be issued within the statutory 72-hour window.

Minimum Requirement: Pre-approved legal notification templates and a tested call tree for privacy incidents.

ISO 27001 Annex A 5.34 SaaS / GRC Platform Implementation Failure Checklist

Control Requirement	The ‘Checkbox Compliance’ Trap	The Reality Check
Data Inventory	Manually entering “Customer Data” as a line item in a GRC tool.	Without regex scanning, you have Excel files full of CC numbers on a forgotten marketing server. GRC tools don’t scan disks.
Right to be Forgotten	A policy document saying “We will delete data on request.”	If you don’t have a SQL script to cascade-delete a UserID from 15 tables, you cannot comply. A policy is not a deletion tool.
Retention	Setting a calendar reminder to “review data”.	Human memory fails. Unless the database auto-purges old records, your liability grows every day.
Consent Management	Storing a PDF of a consent form.	Consent must be granular and revoked easily. If your database doesn’t track `consent_timestamp` and `scope`, you are exposed.
Anonymisation	Developers promising they “don’t look at live data”.	If your staging environment is a restore of Prod, you are breaching privacy laws. You must use masking tools.
Vendor Management	Sending a questionnaire to a vendor.	Did you read their DPA? Did you check their cloud region settings? Questionnaires are often filled out by sales reps, not engineers.
Privacy Notices	Copy-pasting a generic template to the website footer.	If the notice doesn’t match the actual cookies and scripts running on your site, it’s evidence of non-compliance, not compliance.

Do it Yourself ISO 27001

Our Lead-Auditor verified templates with expert support have a 100% success rate.

Get the Auditor-Verified ISO 27001 Toolkit.

Fay Barker - High Table - ISO27001 Director

About the author

Stuart Barker

ISO 27001 Ninja

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
wp_woocommerce_session_*	2 days	WooCommerce sets this cookie to make a unique code for each customer so that it knows where to find the cart data in the database for each one.
yith_wcmcs_currency	7 days	Required for currency conversion.
__stripe_mid	1 year	Stripe sets this cookie to process payments.
__stripe_sid	1 hour	Stripe sets this cookie to process payments.

Cookie	Duration	Description
yt-player-headers-readable	never	The yt-player-headers-readable cookie is used by YouTube to store user preferences related to video playback and interface, enhancing the user's viewing experience.
yt-remote-cast-available	session	The yt-remote-cast-available cookie is used to store the user's preferences regarding whether casting is available on their YouTube video player.
yt-remote-cast-installed	session	The yt-remote-cast-installed cookie is used to store the user's video player preferences using embedded YouTube video.
yt-remote-connected-devices	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-device-id	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-fast-check-period	session	The yt-remote-fast-check-period cookie is used by YouTube to store the user's video player preferences for embedded YouTube videos.
yt-remote-session-app	session	The yt-remote-session-app cookie is used by YouTube to store user preferences and information about the interface of the embedded YouTube video player.
yt-remote-session-name	session	The yt-remote-session-name cookie is used by YouTube to store the user's video player preferences using embedded YouTube video.
ytidb::LAST_RESULT_ENTRY_KEY	never	The cookie ytidb::LAST_RESULT_ENTRY_KEY is used by YouTube to store the last search result entry that was clicked by the user. This information is used to improve the user experience by providing more relevant search results in the future.

Cookie	Duration	Description
sbjs_current	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_current_add	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_first	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_first_add	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_migrations	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_session	1 hour	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_udata	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.

Cookie	Duration	Description
PREF	8 months	PREF cookie is set by Youtube to store user preferences like language, format of search results and other customizations for YouTube Videos embedded in different sites.
VISITOR_INFO1_LIVE	6 months	YouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface.
VISITOR_PRIVACY_METADATA	6 months	YouTube sets this cookie to store the user's cookie consent state for the current domain.
YSC	session	Youtube sets this cookie to track the views of embedded videos on Youtube pages.
yt.innertube::nextId	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
m	1 year 1 month 4 days	No description available.
_monsterinsights_uj	1 year	Description is currently not available.

How to Implement ISO 27001 Annex A 5.34