ISO 27001 Privacy And Protection Of PII
In this guide, I will show you exactly how to implement ISO 27001 Annex A 5.34 (Privacy And Protection Of PII) and ensure you pass your audit.
You will get a complete walkthrough of the control, practical implementation examples, and access to the ISO 27001 templates and ISO 27001 toolkit that make compliance easy.
I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience conducting hundreds of audits. I will cut through the jargon to show you exactly what changed in the 2022 update and provide you with a free training video, an explainer video, a podcast and plain-English advice to get you certified.
Table of contents
- ISO 27001 Privacy And Protection Of PII
- What is PII?
- What is ISO 27001 Annex A 5.34?
- Watch the ISO 27001 Annex A 5.34 Tutorial
- ISO 27001 Annex A 5.34 Podcast
- How to implement ISO 27001 Annex 5.34
- ISO 27001 Annex A 5.34 FAQ
- What other standards apply to ISO 27001 Annex 5.34?
- Related ISO 27001 Controls
- Further Reading
- ISO 27001 Controls and Attribute values
What is PII?
Personally identifiable information (PII) is any information that can be used to identify a specific individual. This can include things like a person’s name, address, phone number, email address or date of birth. PII can also include things like a person’s biometric data, such as their fingerprints or facial recognition data.
PII is considered sensitive data because it can be used to commit identity theft, fraud, or other crimes. It is important to protect PII from unauthorised access, use, disclosure, disruption, modification, or destruction.
There are often specific laws, such as the GDPR that relate to the protection of PII and these take precedence over this clause.
Consult with a GDPR or Data Protection professional.
What is ISO 27001 Annex A 5.34?
ISO 27001 Annex A 5.34 Privacy and Protection of PII is an ISO 27001 control that wants you to protect personally identifiable information (PII). It requires you to identify and meet any requirements including those laid out in law, contracts and regulations.
What is the purpose of ISO 27001 Annex 5.34?
The purpose of ISO 27001 Annex A 5.34 Privacy and Protection of PII is to ensure you comply with legal, statutory, regulatory and contractual requirements related to the protection of personally identifiable information (PII) .
Organisations should have a clear understanding of their obligations when it comes to the protection of PII and make sure that they adhere to those requirements.
What is the definition of ISO 27001 Annex 5.34?
The ISO 27001 standard defines ISO 27001 Annex A 5.34 as:
The organisation should identify and meet the requirements regarding the preservation of privacy and protection of PII according to applicable laws and regulations and contractual requirements.
ISO 27001:2022 Annex A 5.34 Privacy and Protection of PII
DO IT YOURSELF ISO27001
STOP SPANKING £10,000s on CONSULTANTS and ISMS ONLINE PLATFORMS
Watch the ISO 27001 Annex A 5.34 Tutorial
In this video I show you how to implement ISO 27001 Annex A 5.34 and how to pass the audit.
ISO 27001 Annex A 5.34 Podcast
In this episode: Lead Auditor Stuart Barker and team do a deep dive into the ISO 27001 Annex A 5.34 Privacy And Protection Of PII . The podcast explores what it is, why it is important and the path to compliance.
How to implement ISO 27001 Annex 5.34
Have a topic specific policy on privacy and protection of PII
You are going to implement an ISO 27001 Information Classification and Handling Policy that includes and specifically addresses as part of it, the protection and handling of PII.
Implement Process and procedures for PII
Building on the ISO 27001 Information Classification and Handling Policy you will implement the processes and procedures to protect the preservation and privacy of PII.
Assign roles and responsibilities
Roles and responsibilities will be defined and assigned. Consideration will be given to appointing someone to be responsible such as a privacy officer who will provide that leadership and guidance to people on their responsibilities and the procedures to be followed.
Put in place technical and organisational measures
Appropriate measures for both the organisation and technology will be implemented to protect PII.
Ensure you cover different country requirements
There is a difference in the international approach to data protection and requirements on PII. These should be addressed based on where you are operating. This forms part of the ISO 27001 legal register and the requirements that we covered in ISO 27001 Annex A 5.31 Legal, regulatory, statutory and contractual requirements.
Use a data protection professional
The ISO 27001 standard is actually dabbling in other areas with this particular control. It is one isolated part of a bigger profession and requirement and as such for this and in more general terms we strongly recommend engaging the services of a data protection professional.
ISO 27001 Annex A 5.34 FAQ
Other than your ISO 27001 certification requiring it, the following are the top 5 benefits of ISO 27001 Annex A 5.34 Privacy and Protection of PII:
You cannot get ISO 27001 certification without it.
Improved security: You will have an effective information security implementation that protects PII
Reduced risk: You will reduce the information security risks to PII
Improved compliance: Standards and regulations require you to protect PII
Reputation Protection: In the event of a breach having an effective legal, regulatory, statutory and contract protection of PII process in place will reduce the potential for fines and reduce the PR impact of an event
PII is valuable to criminals and is often used to commit any number of crimes from identity theft to fraud. The consequences to the individual can be devastating. You are entrusted with their personal information to cary out the products and services that you provide but you have a moral, societal, legal, regulatory, statutory and compliance requirement to protect it. Getting it wrong can lead to massive fines under frameworks such as the GDPR.
What other standards apply to ISO 27001 Annex 5.34?
There are a number of additional standards that support this particular requirement. I am not saying you have to implement them or certify to them but they are for consideration.
- ISO/IEC 29100 – provides guidance on the protection of Personal Identifiable Information (PII) within Information and Communications Technology (ICT) systems.
- ISO/IEC 27701 – provides a framework for privacy information management systems
- ISO/IEC 27018 – provides specific information regarding privacy information management for public clouds acting as PII processors
- ISO/IEC 29134 – provides guidelines for privacy impact assessments (PIA)
Related ISO 27001 Controls
ISO 27001 Annex A 5.37 Documented Operating Procedures
ISO 27001 Annex A 8.34 Protection of Information Systems During Audit Testing
Further Reading
ISO 27001 Privacy and Personally Identifiable Information (PII): Your Complete FAQ Guide
ISO 27001 Data Protection Policy Template
ISO 27001 Controls and Attribute values
About the author
Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management.
Holding an MSc in Software and Systems Security, Stuart combines academic rigor with extensive operational experience. His background includes over a decade leading Data Governance for General Electric (GE) across Europe, as well as founding and exiting a successful cyber security consultancy.
As a qualified ISO 27001 Lead Auditor and Lead Implementer, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. He has successfully guided hundreds of organizations – from high-growth technology startups to enterprise financial institutions – through the audit lifecycle.
His toolkits represents the distillation of that field experience into a standardised framework. They move beyond theoretical compliance, providing a pragmatic, auditor-verified methodology designed to satisfy ISO/IEC 27001:2022 while minimising operational friction.
