4. Data Subject Rights Request (DSRR) Mechanism Verified

Verification Criteria: A functional process exists for data subjects to exercise their rights, including access, rectification, and erasure of their PII. Required Evidence: DSRR Log showing timestamps for request receipt, verification, and resolution within statutory timeframes (e.g., 30 days).

5. Privacy by Design and Default Implementation Confirmed

Verification Criteria: Technical controls are implemented to ensure that only the minimum necessary PII is processed and that privacy is a default setting. Required Evidence: Product specification documents, database schemas showing minimised data fields, or default "Opt-In" configuration screenshots.

6. Secure PII Disposal and Anonymisation Procedures Verified

Verification Criteria: PII that has reached its retention limit is securely deleted or anonymised using irreversible technical methods. Required Evidence: Secure erasure logs or technical documentation of anonymisation/pseudonymisation algorithms (e.g., salt-hashing, k-anonymity).

7. Data Transfer Agreements (DTA) and SCCs Validated

Verification Criteria: Transfers of PII to third parties or across borders are governed by formal agreements that ensure equivalent levels of protection. Required Evidence: Signed DTAs, Standard Contractual Clauses (SCCs), or International Data Transfer Agreements (IDTAs) for sampled vendors.

8. PII Access Restriction and Least Privilege Verified

Verification Criteria: Access to systems containing PII is strictly limited to authorised personnel whose job function requires such access. Required Evidence: Access Control Lists (ACLs) or Role-Based Access Control (RBAC) reports for primary PII repositories.

9. Privacy Awareness Training Records Identified

Verification Criteria: Personnel with access to PII receive regular training on their privacy obligations and the technical handling of personal data. Required Evidence: Training logs showing >95% completion of privacy-specific modules (e.g., GDPR awareness) for relevant staff.

10. PII Breach Notification Procedure and Logging Confirmed

Verification Criteria: A specific process exists for detecting and notifying authorities and data subjects of PII breaches within statutory windows. Required Evidence: Incident Management Plan with a specific "PII Breach" annex and logs of any past notifications sent to regulators (e.g., ICO).

ISO 27001 Annex A 5.34 Audit Checklist [+ Templates]

Q: 1. Privacy Policy and PII Handling Procedure Verified

Verification Criteria: A documented policy exists that defines the organisation's requirements for the protection of Personally Identifiable Information (PII) in accordance with applicable laws. Required Evidence: Approved Privacy Policy and PII Handling Procedure with explicit version control and management sign-off.

Q: 2. Personal Data Inventory and RoPA Confirmed

Verification Criteria: A Record of Processing Activities (RoPA) is maintained, identifying all PII categories, purposes of processing, and data flows. Required Evidence: A current RoPA or Data Inventory mapping PII across internal systems and third-party processors.

Q: 3. Data Protection Impact Assessment (DPIA) Execution Validated

Verification Criteria: High-risk processing activities are subjected to a formal DPIA to identify and mitigate privacy risks before processing begins. Required Evidence: Signed DPIA reports for all major technical projects or high-risk data processing operations initiated in the current cycle.

In this ultimate how to audit guide to ISO 27001 Annex A 5.34 Privacy and Protection of PII I, you will learn directly from an ISO 27001 Lead Auditor:

10 Key Audit Steps
Verification Criteria
Required Evidence
The Pass / Fail Test

I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.

Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.

1. Privacy Policy and PII Handling Procedure Verified
2. Personal Data Inventory and RoPA Confirmed
3. Data Protection Impact Assessment (DPIA) Execution Validated
4. Data Subject Rights Request (DSRR) Mechanism Verified
5. Privacy by Design and Default Implementation Confirmed
6. Secure PII Disposal and Anonymisation Procedures Verified
7. Data Transfer Agreements (DTA) and SCCs Validated
8. PII Access Restriction and Least Privilege Verified
9. Privacy Awareness Training Records Identified
10. PII Breach Notification Procedure and Logging Confirmed

Auditing ISO 27001 Annex A 5.34 is the technical verification of an organization’s governance over personal data to ensure regulatory compliance. The Primary Implementation Requirement is a functional Record of Processing Activities, providing the Business Benefit of mitigated legal risks and enhanced data subject trust through transparent handling.

1. Privacy Policy and PII Handling Procedure Verified

Verification Criteria: A documented policy exists that defines the organisation’s requirements for the protection of Personally Identifiable Information (PII) in accordance with applicable laws.

Required Evidence: Approved Privacy Policy and PII Handling Procedure with explicit version control and management sign-off.

Pass/Fail Test: If the organisation lacks a formalised policy that specifically addresses the protection of PII, mark as Non-Compliant.

2. Personal Data Inventory and RoPA Confirmed

Verification Criteria: A Record of Processing Activities (RoPA) is maintained, identifying all PII categories, purposes of processing, and data flows.

Required Evidence: A current RoPA or Data Inventory mapping PII across internal systems and third-party processors.

Pass/Fail Test: If the organisation cannot identify where PII is stored or the legal basis for processing specific data categories, mark as Non-Compliant.

3. Data Protection Impact Assessment (DPIA) Execution Validated

Verification Criteria: High-risk processing activities are subjected to a formal DPIA to identify and mitigate privacy risks before processing begins.

Required Evidence: Signed DPIA reports for all major technical projects or high-risk data processing operations initiated in the current cycle.

Pass/Fail Test: If a new high-risk system (e.g., automated profiling or large-scale health data) was launched without a completed DPIA, mark as Non-Compliant.

READ THE FULL ARTICLE

Access to Business and Consultant Toolkit Members Only.

Get the Toolkit

Members Login

Table of contents

1. Privacy Policy and PII Handling Procedure Verified

2. Personal Data Inventory and RoPA Confirmed

3. Data Protection Impact Assessment (DPIA) Execution Validated