In this guide, I will show you exactly how to implement ISO 27001 Annex A 5.34 and ensure you pass your audit. You will get a complete walkthrough of the control, practical implementation examples, and access to the ISO 27001 templates and toolkit that make compliance easy.
I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience conducting hundreds of audits. I will cut through the jargon to show you exactly what changed in the 2022 update and provide you with plain-English advice to get you certified.
Key Takeaways: ISO 27001 Annex A 5.34 Privacy and Protection of PII
ISO 27001 Annex A 5.34 requires organizations to identify and protect Personally Identifiable Information (PII) in accordance with applicable laws, regulations, and contracts. It acts as the bridge between your information security management system (ISMS) and privacy frameworks like GDPR, ensuring that personal data is not just “secure” but also handled legally.
Core requirements for compliance include:
- Legal Register: You must clearly identify which privacy laws apply to you (e.g., GDPR in Europe, CCPA in California) and list them in your legal register.
- Topic-Specific Policy: Create a dedicated policy for “Privacy and Protection of PII.” This should define how you classify, handle, and protect personal data specifically, separate from general company data.
- Role Assignment: Appoint a responsible person, such as a Data Protection Officer (DPO) or Privacy Officer, to provide leadership.
- Technical Measures: Implement specific controls to protect PII, such as encryption, access control, and data masking.
Audit Focus: Auditors will look for evidence that you understand why you are holding data. They will check your PII Register (or Record of Processing Activities) to see if you have defined a “Lawful Basis” for every type of personal data you store, whether it’s employee payroll, customer emails, or CCTV footage.
Practical Application: This control acknowledges that ISO 27001 is not a privacy standard by itself. It requires you to “consult with a professional” and potentially integrate with ISO 27701 (the privacy extension) if you process significant amounts of personal data.
Table of contents
- What is PII?
- What is ISO 27001 Annex A 5.34?
- Watch the ISO 27001 Annex A 5.34 Tutorial
- ISO 27001 Annex A 5.34 Podcast
- ISO 27001 Annex 5.34 Implementation Guide
- How to implement ISO 27001 Annex 5.34
- PII Register Example
- Applicability of ISO 27001 Annex A 5.34 across different business models
- Fast Track ISO 27001 Annex A 5.34 Compliance with the ISO 27001 Toolkit
- ISO 27001 Annex A 5.34 FAQ
- What other standards apply to ISO 27001 Annex 5.34?
- Related ISO 27001 Controls
- Further Reading
- ISO 27001 Controls and Attribute values
What is PII?
Personally identifiable information (PII) is any information that can be used to identify a specific individual. This can include things like a person’s name, address, phone number, email address or date of birth. PII can also include things like a person’s biometric data, such as their fingerprints or facial recognition data.
PII is considered sensitive data because it can be used to commit identity theft, fraud, or other crimes. It is important to protect PII from unauthorised access, use, disclosure, disruption, modification, or destruction.
There are often specific laws, such as the GDPR, that relate to the protection of PII, and these take precedence over this clause.
Consult with a GDPR or Data Protection professional.
What is ISO 27001 Annex A 5.34?
ISO 27001 Annex A 5.34 Privacy and Protection of PII is an ISO 27001 control that wants you to protect personally identifiable information (PII). It requires you to identify and meet any requirements including those laid out in law, contracts and regulations.
What is the purpose of ISO 27001 Annex 5.34?
The purpose of ISO 27001 Annex A 5.34 Privacy and Protection of PII is to ensure you comply with legal, statutory, regulatory and contractual requirements related to the protection of personally identifiable information (PII).
Organisations should have a clear understanding of their obligations when it comes to the protection of PII and make sure that they adhere to those requirements.
What is the definition of ISO 27001 Annex 5.34?
The ISO 27001 standard defines ISO 27001 Annex A 5.34 as:
The organisation should identify and meet the requirements regarding the preservation of privacy and protection of PII according to applicable laws and regulations and contractual requirements.
ISO 27001:2022 Annex A 5.34 Privacy and Protection of PII
Watch the ISO 27001 Annex A 5.34 Tutorial
In this video I show you how to implement ISO 27001 Annex A 5.34 and how to pass the audit.
ISO 27001 Annex A 5.34 Podcast
In this episode: Lead Auditor Stuart Barker and team do a deep dive into ISO 27001 Annex A 5.34 Privacy and Protection of PII. The podcast explores what it is, why it is important and the path to compliance.
ISO 27001 Annex 5.34 Implementation Guide
Have a topic specific policy on privacy and protection of PII
You are going to implement an ISO 27001 Information Classification and Handling Policy that includes, and specifically addresses, the protection and handling of PII.
Implement Process and procedures for PII
Building on the ISO 27001 Information Classification and Handling Policy, you will implement the processes and procedures that preserve the privacy of PII and protect it.
Assign roles and responsibilities
Roles and responsibilities will be defined and assigned. Consideration will be given to appointing someone to be responsible such as a privacy officer who will provide that leadership and guidance to people on their responsibilities and the procedures to be followed.
Put in place technical and organisational measures
Appropriate measures for both the organisation and technology will be implemented to protect PII.
Ensure you cover different country requirements
There is a difference in the international approach to data protection and requirements on PII. These should be addressed based on where you are operating. This forms part of the ISO 27001 legal register and the requirements that we covered in ISO 27001 Annex A 5.31 Legal, regulatory, statutory and contractual requirements.
Use a data protection professional
The ISO 27001 standard is actually dabbling in other areas with this particular control. Data protection is a profession and a body of requirements in its own right, of which this control is only one isolated part, so for this control, and more generally, we strongly recommend engaging the services of a data protection professional.
How to implement ISO 27001 Annex 5.34
Implementing ISO 27001 Annex A 5.34 requires a robust alignment between technical security controls and legal privacy obligations. By following this action-oriented workflow, organisations can ensure the protection of Personally Identifiable Information (PII) throughout its entire lifecycle, maintaining compliance with the UK GDPR and the Data Protection Act 2018 while reducing the risk of regulatory fines and data breaches.
1. Formalise Legal and Regulatory Privacy Requirements
Identify and document the specific legal and contractual obligations applicable to the organisation to establish a compliant baseline for data processing.
- Conduct a comprehensive review of relevant legislation: such as the UK GDPR, EU GDPR, and the Data Protection Act 2018.
- Document all contractual obligations with clients and third party vendors regarding the handling and protection of PII.
- Create a central Legal and Regulatory Register to track updates in privacy laws and ensure the ISMS remains current.
2. Establish a Privacy Governance Framework and Roles
Define clear accountability and oversight for privacy activities by assigning dedicated roles and formalising internal policies.
- Appoint a Data Protection Officer (DPO) or a designated Privacy Lead to oversee compliance and act as a point of contact for the Information Commissioner's Office (ICO).
- Formalise a high level Privacy Policy and a detailed Data Protection Policy that define how the organisation collects, uses, and stores PII.
- Integrate privacy requirements into the existing Disciplinary Process to ensure personnel accountability for policy violations.
3. Execute PII Mapping and a Record of Processing Activities
Identify where personal data resides and how it flows through the organisation to ensure all PII is accounted for and protected.
- Develop a Record of Processing Activities (RoPA) that documents the purposes of processing, data categories, and retention periods.
- Utilise data discovery tools to locate PII across cloud environments, local servers, and physical filing systems.
- Create data flow diagrams to visualise the movement of PII between internal departments and external sub processors.
4. Provision Technical Safeguards for PII Protection
Implement layered technical controls to secure PII at rest and in transit, ensuring only authorised personnel can access sensitive data.
- Enforce AES 256 encryption for all databases and portable media containing personal data.
- Provision Role Based Access Control (RBAC) within the Identity and Access Management (IAM) system to limit PII access to the absolute minimum required.
- Deploy Multi Factor Authentication (MFA) for all systems that process or store special category data.
- Implement data masking or pseudonymisation techniques for development and testing environments to prevent unauthorised exposure.
5. Implement Data Protection Impact Assessments (DPIA)
Formalise a process for identifying and mitigating privacy risks early in the development of new projects or system changes.
- Integrate DPIA triggers into the Change Management process to ensure high risk processing activities are assessed before commencement.
- Document the risk mitigation strategies identified during the assessment, such as data minimisation or enhanced audit logging.
- Present completed DPIAs to the DPO for formal approval and maintain them as primary audit evidence for ISO 27001 certification.
6. Formalise Data Retention and Secure Disposal
Establish strict timelines for data storage and implement secure destruction methods to prevent the accidental recovery of obsolete PII.
- Create a Data Retention Schedule that aligns with legal requirements and the specific needs of the business.
- Automate the deletion of PII that has reached its retention limit within SaaS applications and internal databases.
- Utilise certified data destruction services for the physical shredding of hardware or documents containing personal information.
PII Register Example
| Data Category (PII) | Data Controller/Owner | Lawful Basis (UK GDPR) | Technical Retention Period | ISO 27001:2022 Mapping |
|---|---|---|---|---|
| Employee Payroll | HR Manager | Contractual Necessity | 7 Years (Tax Law) | 5.34 (PII Protection) |
| Customer Email | Sales Lead | Consent (Marketing) | Until Unsubscribed/Withdrawal | 5.34 (PII Protection) |
| CCTV Footage | Facilities Manager | Legitimate Interest | 30 Days | 8.10 (Information Deletion) |
| Medical Record | Health and Safety Officer | Legal Obligation | 40 Years | 5.34 (PII Protection) |
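As an added example (not the page's or the toolkit's own code), the following Python models the PII register above and applies the step 6 retention rules to it: fixed periods such as the 30-day CCTV rule, event-based rules such as "until unsubscribed", and the register-completeness checks an auditor would run (missing lawful basis, owner or retention rule). The record fields, the review date and the Visitor Log entry are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

@dataclass
class PiiRecord:
    """One row of a PII register (field names are assumptions, not the standard's)."""
    category: str
    owner: str
    lawful_basis: str
    created: date
    retention: Optional[timedelta] = None   # fixed period, e.g. 30 days for CCTV
    trigger: Optional[str] = None           # event-based rule, e.g. "unsubscribed"
    triggered_on: Optional[date] = None     # date the trigger event occurred, if it has
    special_category: bool = False          # health, ethnicity etc. (UK GDPR Article 9)

def register_gaps(register: List[PiiRecord]) -> List[Tuple[str, str]]:
    """Return (category, missing field) pairs an auditor would raise as findings."""
    gaps = []
    for rec in register:
        if not rec.owner.strip():
            gaps.append((rec.category, "owner"))
        if not rec.lawful_basis.strip():
            gaps.append((rec.category, "lawful_basis"))
        if rec.retention is None and rec.trigger is None:
            gaps.append((rec.category, "retention_rule"))
    return gaps

def deletion_due(rec: PiiRecord) -> Optional[date]:
    """Date from which the data must be disposed of; None if not yet determinable."""
    if rec.retention is not None:
        return rec.created + rec.retention
    return rec.triggered_on   # event-based: unknown until the event happens

def retention_review(register: List[PiiRecord], today: date) -> dict:
    """Classify every record for the disposal run on `today`."""
    report = {}
    for rec in register:
        due = deletion_due(rec)
        if due is None:
            report[rec.category] = "awaiting trigger" if rec.trigger else "no rule"
        else:
            report[rec.category] = "dispose" if today >= due else "retain"
    return report

YEAR = timedelta(days=365)        # approximation; leap days ignored for brevity
REVIEW_DATE = date(2026, 1, 15)   # constructed review date
# Constructed register modelled on the example table; Visitor Log is a deliberate gap.
SAMPLE_REGISTER = [
    PiiRecord("Employee Payroll", "HR Manager", "Contractual Necessity", date(2015, 4, 6), retention=7 * YEAR),
    PiiRecord("Customer Email", "Sales Lead", "Consent (Marketing)", date(2024, 2, 1), trigger="unsubscribed"),
    PiiRecord("CCTV Footage", "Facilities Manager", "Legitimate Interest", date(2026, 1, 1), retention=timedelta(days=30)),
    PiiRecord("Medical Record", "Health and Safety Officer", "Legal Obligation", date(2000, 1, 1), retention=40 * YEAR, special_category=True),
    PiiRecord("Visitor Log", "Reception", "", date(2025, 6, 1)),
]
```

Running `register_gaps(SAMPLE_REGISTER)` and `retention_review(SAMPLE_REGISTER, REVIEW_DATE)` gives the findings list and the per-category retain/dispose decision a disposal job would act on.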
Applicability of ISO 27001 Annex A 5.34 across different business models
| Business Type | Applicability | Examples of Control Implementation |
|---|---|---|
| Small Businesses | Highly applicable for meeting basic GDPR or local privacy obligations. | The focus is on identifying where customer and employee data (PII) is stored and ensuring it is handled with a clear “Lawful Basis.” |
| Tech Startups | Critical for protecting high volumes of user data and ensuring compliance across multiple jurisdictions (e.g., GDPR and CCPA). | Focus is on technical safeguards and privacy-by-design during development. |
| AI Companies | Vital for protecting specialized AI datasets that may contain “Special Category” PII. | Focus is on ensuring that training data pipelines do not ingest or leak sensitive personal information. |
Fast Track ISO 27001 Annex A 5.34 Compliance with the ISO 27001 Toolkit
For ISO 27001 Annex A 5.34 (Privacy and protection of PII), the requirement is to identify and meet requirements regarding the preservation of privacy and protection of Personally Identifiable Information (PII) according to laws (like GDPR), regulations, and contracts. This control bridges the gap between security and legal data protection.
| Compliance Factor | SaaS Compliance Platforms | High Table ISO 27001 Toolkit | Audit Evidence Example |
|---|---|---|---|
| Data Ownership | Rents access to your privacy records; if you cancel the subscription, your documented PII registers and history vanish. | Permanent Assets: Fully editable Word/Excel PII Registers and Privacy Policies that you own forever. | A localized “PII Inventory” stored on your secure server defining data types and specific retention periods. |
| Legal Implementation | Attempts to “automate” privacy via dashboards that cannot determine Lawful Basis or assess Legitimate Interest. | Governance-First: Formalizes your existing data processing into an auditor-ready framework (GDPR/CCPA compliant). | A completed “Record of Processing Activities” (ROPA) proving you have identified the legal basis for all PII. |
| Cost Efficiency | Charges a “Privacy Record Tax” that scales costs based on the number of data subjects or records monitored. | One-Off Fee: A single payment covers your privacy governance for 100 records or 100,000. | Allocating budget to advanced encryption tools or legal counsel rather than monthly “dashboard” subscription fees. |
| Jurisdictional Freedom | Mandates rigid reporting structures that may not align with multi-jurisdictional legal requirements or niche industry rules. | 100% Agnostic: Procedures adapt to any legal mix (GDPR, HIPAA, etc.) and any operating model without technical limits. | The ability to evolve your data strategy and cross-border transfer methods without reconfiguring a rigid SaaS module. |
Summary: For Annex A 5.34, the auditor wants to see that you have identified all relevant privacy laws and have a formal register of the PII you process (including lawful bases). The High Table ISO 27001 Toolkit provides the governance framework to satisfy this requirement immediately. It is the most direct, cost-effective way to achieve compliance using permanent documentation that you own and control.
ISO 27001 Annex A 5.34 FAQ
What is ISO 27001 Annex A 5.34?
ISO 27001 Annex A 5.34 is an organisational control that requires organisations to identify and implement the legal, regulatory, and contractual requirements related to the privacy and protection of Personally Identifiable Information (PII).
- It ensures compliance with data protection laws such as the UK GDPR or the Data Protection Act 2018.
- It mandates the establishment of a data privacy policy.
- It requires defined roles, such as a Data Protection Officer (DPO) or Lead, where applicable.
- It focuses on the entire lifecycle of PII, from collection to secure disposal.
Is GDPR compliance mandatory for ISO 27001?
Yes, in jurisdictions where the GDPR or UK GDPR applies, compliance is mandatory under Annex A 5.34 as it requires adherence to all relevant privacy legislation.
- ISO 27001 provides the framework for security, while Annex A 5.34 ensures the legal privacy requirements are met.
- Auditors will look for evidence of a Data Protection Impact Assessment (DPIA) where high-risk processing occurs.
- Failure to comply with privacy laws can result in a major non-conformity during an ISO 27001 audit.
What constitutes PII under this control?
Personally Identifiable Information (PII) refers to any information that can be used to identify a specific individual, either directly or indirectly through combination with other data.
- Direct identifiers: Full names, national insurance numbers, or email addresses.
- Indirect identifiers: IP addresses, location data, or biometrics.
- Sensitive PII (Special Category): Health records, religious beliefs, or ethnic origin.
What is the difference between ISO 27001 Annex A 5.34 and ISO 27701?
Annex A 5.34 is a single control within the broader ISO 27001 standard, whereas ISO 27701 is an entire extension specifically for Privacy Information Management Systems (PIMS).
- Annex A 5.34 is the baseline requirement for all ISO 27001 certified organisations.
- ISO 27701 provides deeper, more granular controls for data processors and controllers.
- Organisations handling vast amounts of sensitive PII often adopt ISO 27701 to supplement 5.34.
What technical controls are required to protect PII?
To satisfy Annex A 5.34, organisations must implement technical safeguards that ensure the confidentiality, integrity, and availability of personal data.
- Encryption of PII at rest and in transit.
- Access controls and Multi-Factor Authentication (MFA) to restrict data access.
- Data masking, pseudonymisation, or anonymisation where possible.
- Secure logging and monitoring of access to personal data repositories.
How do you prove compliance with Annex A 5.34 to an auditor?
Auditors require verifiable evidence of your privacy framework, including documented policies, data maps, and records of processing activities.
- A formal Privacy Policy and Data Protection Policy.
- A Record of Processing Activities (RoPA) or data inventory.
- Privacy notices provided to data subjects.
- Third-party data processing agreements (DPAs) with suppliers.
What other standards apply to ISO 27001 Annex 5.34?
There are a number of additional standards that support this particular requirement. I am not saying you have to implement them or certify to them but they are for consideration.
- ISO/IEC 29100 – provides guidance on the protection of Personally Identifiable Information (PII) within Information and Communications Technology (ICT) systems.
- ISO/IEC 27701 – provides a framework for privacy information management systems.
- ISO/IEC 27018 – provides specific information regarding privacy information management for public clouds acting as PII processors.
- ISO/IEC 29134 – provides guidelines for privacy impact assessments (PIA).
Related ISO 27001 Controls
ISO 27001 Annex A 5.37 Documented Operating Procedures
ISO 27001 Annex A 8.34 Protection of Information Systems During Audit Testing
Further Reading
ISO 27001 Privacy and Personally Identifiable Information (PII): Your Complete FAQ Guide
ISO 27001 Data Protection Policy Template