ISO 27001 Annex A 5.34 Privacy And Protection Of PII

Home / ISO 27001 Annex A Controls / ISO 27001 Annex A 5.34 Privacy And Protection Of PII

In this article I lay bare ISO 27001 Annex A 5.34 Privacy and Protection of PII.

Using over two decades of experience on hundreds of ISO 27001 audits and ISO 27001 certifications I am going to show you what’s new, give you templates, an ISO 27001 toolkit, show you examples and do a walkthrough.

In this ISO 27001 certification guide I show you exactly what changed in the ISO 27001:2022 update. 

I am Stuart Barker the ISO 27001 Ninja and this is ISO 27001 Annex A 5.34 Privacy and Protection of PII.

What is PII?

Personally identifiable information (PII) is any information that can be used to identify a specific individual. This can include things like a person’s name, address, phone number, email address or date of birth. PII can also include things like a person’s biometric data, such as their fingerprints or facial recognition data.

PII is considered sensitive data because it can be used to commit identity theft, fraud, or other crimes. It is important to protect PII from unauthorised access, use, disclosure, disruption, modification, or destruction.

There are often specific laws, such as the GDPR that relate to the protection of PII and these take precedence over this clause.

Consult with a GDPR or Data Protection professional.

What is ISO 27001 Annex A 5.34 Privacy And Protection Of PII?

ISO 27001 Annex A 5.34 Privacy and Protection of PII is an ISO 27001 control that wants you to protect personally identifiable information (PII). It requires you to identify and meet any requirements including those laid out in law, contracts and regulations.

What is the purpose of ISO 27001 Annex 5.34?

The purpose of ISO 27001 Annex A 5.34 Privacy and Protection of PII is to ensure you comply with legal, statutory, regulatory and contractual requirements related to the protection of personally identifiable information (PII) .

Organisations should have a clear understanding of their obligations when it comes to the protection of PII and make sure that they adhere to those requirements.

What is the definition of ISO 27001 Annex 5.34?

The ISO 27001 standard defines ISO 27001 Annex A 5.34 Privacy and Protection of PII as:

The organisation should identify and meet the requirements regarding the preservation of privacy and protection of PII according to applicable laws and regulations and contractual requirements. 

ISO 27001:2022 Annex A 5.34

DO IT YOURSELF ISO 27001

STOP SPANKING £10,000s on CONSULTANTS and ISMS ONLINE PLATFORMS

ISO 27001 Toolkit Business Edition

ISO 27001 Privacy and Protection of PII Implementation Guide

Topic specific policy on privacy and protection of PII

You are going to implement an ISO 27001 Information Classification and Handling Policy that includes and specifically addresses as part of it, the protection and handling of PII.

Process and procedures for PII

Building on the ISO 27001 Information Classification and Handling Policy you will implement the processes and procedures to protect the preservation and privacy of PII.

Roles and responsibilities

Roles and responsibilities will be defined and assigned. Consideration will be given to appointing someone to be responsible such as a privacy officer who will provide that leadership and guidance to people on their responsibilities and the procedures to be followed.

Technical and organisational measures

Appropriate measures for both the organisation and technology will be implemented to protect PII.

Different Country Requirements

There is a difference in the international approach to data protection and requirements on PII. These should be addressed based on where you are operating. This forms part of the ISO 27001 legal register and the requirements that we covered in ISO 27001 Annex A 5.31 Legal, regulatory, statutory and contractual requirements.

Other relevant standards

There are a number of additional standards that support this particular requirement. I am not saying you have to implement them or certify to them but they are for consideration.

  • ISO/IEC 29100 – provides guidance on the protection of Personal Identifiable Information (PII) within Information and Communications Technology (ICT) systems.
  • ISO/IEC 27701 – provides a framework for privacy information management systems
  • ISO/IEC 27018 – provides specific information regarding privacy information management for public clouds acting as PII processors
  • ISO/IEC 29134 – provides guidelines for privacy impact assessments (PIA)

Data Protection Professional

The ISO 27001 standard is actually dabbling in other areas with this particular control. It is one isolated part of a bigger profession and requirement and as such for this and in more general terms we strongly recommend engaging the services of a data protection professional.

ISO 27001 Privacy and Protection of PII Templates

Having an ISO 27001 template for control 5.34 can help fast track your implementation. The ISO 27001 Toolkit is a the ultimate resource for your ISO 27001 implementation including all the documents and templates that you need for Annex A 5.34 Privacy and Protection of PII. As always, we recommend that you should seek legal advice. In this case also considering engaging the services of a data protection professional.

What are the Benefits of ISO 27001 5.34 Privacy and Protection of PII?

Other than your ISO 27001 certification requiring it, the following are the top 5 benefits of ISO 27001 Annex A 5.34 Privacy and Protection of PII: 

  1. You cannot get ISO 27001 certification without it.
  2. Improved security: You will have an effective information security implementation that protects PII
  3. Reduced risk: You will reduce the information security risks to PII
  4. Improved compliance: Standards and regulations require you to protect PII
  5. Reputation Protection: In the event of a breach having an effective legal, regulatory, statutory and contract protection of PII process in place will reduce the potential for fines and reduce the PR impact of an event

Why is ISO 27001 5.34 Privacy and Protection of PII important?

PII is valuable to criminals and is often used to commit any number of crimes from identity theft to fraud. The consequences to the individual can be devastating. You are entrusted with their personal information to cary out the products and services that you provide but you have a moral, societal, legal, regulatory, statutory and compliance requirement to protect it. Getting it wrong can lead to massive fines under frameworks such as the GDPR.

Matrix of ISO 27001 Controls and Attribute values

Control typeInformation
security properties
Cybersecurity
concepts
Operational
capabilities
Security domains
Preventive
Availability
Confidentiality
Integrity
Identify
Protect
Legal and compliance
Information protection

Protection

ISO 27001 Toolkit Business Edition

Do It Yourself ISO27001

Stop Spanking £10,000s on consultants and ISMS online-tools.