
ISO 27001 Privacy and Personally Identifiable Information (PII): Your Complete FAQ Guide

24/09/2025

Author: Stuart Barker | ISO 27001 Expert and Thought Leader

What is it?

ISO 27001 Privacy and Personally Identifiable Information (PII) is a control within the ISO 27001 standard (Annex A 5.34 in the 2022 edition) that requires you to have a system in place to make sure you’re handling people’s personal data the right way. In practice, this means identifying and following all the privacy and data protection laws, regulations and contractual requirements that apply to you.

Applicability to Small Businesses, Tech Startups, and AI Companies

The concept is the same for everyone, but the scope itself will be very different depending on your business. This control is a big deal for just about any business today because most of them handle some kind of personal data.

  • For Small Businesses: If you have an online store, a customer list, or even just employee information, this control is for you. It helps you keep that data safe from prying eyes.
  • For Tech Startups: You’re often built on data! Whether it’s user sign-ups, app usage, or customer feedback, you’re collecting a lot of PII. This control helps you build a strong foundation for trust with your users.
  • For AI Companies: This is super important for you. AI models often train on massive datasets, and if that data includes PII, you have a huge responsibility to protect it. This control ensures you’re doing that right.

Where Do I Find a Template for This?

There isn’t a single, one-size-fits-all template because your approach needs to be specific to your business. However, the ISO 27001 toolkit and consulting services offer example documents or frameworks. You can use these as a starting point to create your own policy, making sure it fits your specific needs and the data you handle.

Why Is This So Important?

You need this control to show your customers, partners, and regulators that you take privacy seriously. It helps you:

  • Avoid big fines: Many countries have strict data protection laws, like GDPR. Following this control helps you stay on the right side of the law and avoid costly penalties.
  • Build trust: When people know you protect their data, they’re more likely to do business with you.
  • Protect your reputation: A data breach can be a disaster for your business’s reputation. This control helps you prevent that from happening.

When Do I Need to Start Worrying About This?

You should start thinking about this from day one, especially if you’re a new company. The sooner you build good data protection habits, the easier it will be to implement this control when you go for ISO 27001 certification.

Who Needs to Be Involved?

Everyone in your company! While your IT team might handle the technical side, everyone who handles PII, from your marketing team to your HR department, needs to understand their role in protecting it.

Where Do I Implement This?

You implement this control across your entire business. It’s not just about a single server or a specific document. It’s about your processes, your technology, and the way your people handle data every single day.

How Do I Write My Policy?

Keep it simple! Your policy should explain:

  1. What PII you collect.
  2. Why you collect it.
  3. How you store and protect it.
  4. How people can access their data or ask you to delete it.
  5. Who is responsible for what.

Make it easy for everyone to understand.

How Do I Put It Into Practice?

  • Train your team: Make sure everyone knows the rules.
  • Use the right tools: Use secure systems and software to handle data.
  • Check everything regularly: Do regular reviews to make sure your processes are still working.

Small Business Example

Imagine you run an online bakery. You collect names, addresses, and payment info. To use this control, you would:

  • Write a privacy policy on your website explaining what data you collect and how you use it.
  • Use a secure payment processor to handle credit card info.
  • Limit who on your team can see customer addresses.

Tech Startup Example

A new social media app collects user profiles, photos, and location data. To follow this control, you would:

  • Design your app with privacy in mind from the start (this is called ‘privacy by design’).
  • Give users clear controls to manage their privacy settings.
  • Encrypt all user data on your servers.

AI Company Example

An AI company uses voice recordings to train its speech recognition software. To meet this control, you would:

  • Get clear permission from people before you record their voice.
  • Remove any identifying info from the recordings before you use them to train your AI model.
  • Store the data securely in a place that only a few people can access.

How Can an ISO 27001 Toolkit Help?

A toolkit can be a lifesaver! It includes:

  • Pre-written policies you can adapt.
  • Helpful checklists to make sure you don’t miss anything.
  • Guidance documents that explain the standard in simple terms.

What Other Standards Need This?

This control is a key part of the entire ISO 27001 standard. It also connects with other standards and laws, like:

  • GDPR (General Data Protection Regulation)
  • CCPA (California Consumer Privacy Act)
  • DORA (Digital Operational Resilience Act)
  • NIS2 (Network and Information Security (NIS) Directive)
  • SOC 2 (Service Organisation Control 2)
  • NIST (National Institute of Standards and Technology)
  • HIPAA (Health Insurance Portability and Accountability Act)

Key ISO 27001:2022 Controls

The main ISO 27001 control is ISO 27001:2022 Annex A 5.34 Privacy and Protection of PII, which covers the requirement. In addition, consider:

For Small Businesses


For Tech Startups

For AI Companies

ISO 27001 Privacy and Personally Identifiable Information (PII) FAQ

Is this the same as GDPR?

No, but it helps you meet the goals of GDPR and other laws.

What is PII?

Personally Identifiable Information, like your name, email, or address.

Do I need a lawyer for this?

It’s a good idea to get legal advice to make sure your policies meet all the laws that apply to you.

Can I do this myself?

Yes, especially for small businesses. There are plenty of resources to help.

What’s the biggest mistake people make?

Thinking it’s just an IT problem. It’s a whole company thing!

What happens if I ignore this?

You could get a huge fine or lose your customers’ trust.

How long does it take to implement?

It depends on your business, but it’s an ongoing process.

What is a privacy notice?

A document that explains your data practices to people.

Do I need to hire a privacy officer?

Maybe! For some companies, it’s required by law.

How often should I review my policies?

At least once a year, or whenever you change how you handle data.

Does this control cover employee data?

Yes, it covers all personal data you handle, including your employees’ info.

What is ‘privacy by design’?

Building privacy into your products and services from the very beginning.

Is this just for large companies?

Not at all. It’s just as important for small companies.

What’s the difference between privacy and data protection?

Privacy is about a person’s right to control their own information. Data protection is the set of technical and organisational measures you put in place to keep that information safe.

Can I use a toolkit to get certified?

A toolkit can help, but you’ll still need to put in the work to implement everything and get an auditor to check it.

About the author

Stuart Barker is an information security practitioner with over 30 years’ experience. He holds an MSc in Software and Systems Security and an undergraduate degree in Software Engineering. He is an ISO 27001 expert and thought leader holding both ISO 27001 Lead Implementer and ISO 27001 Lead Auditor qualifications. In 2010 he started his first cyber security consulting business, which he sold in 2018. He worked for over a decade for GE, leading a data governance team across Europe, and since then has gone on to deliver hundreds of client engagements and audits.

He regularly mentors and trains professionals on information security and runs a successful ISO 27001 YouTube channel where he shows people how they can implement ISO 27001 themselves. He is passionate that knowledge should not be hoarded, and brought to market the first-of-its-kind online ISO 27001 store for all the tools and templates people need when they want to do it themselves.

In his personal life he is active and a hobbyist kickboxer.

His specialisms are ISO 27001 and SOC 2, and his niche is start-up and early-stage business.