ISO 27001 Privacy and Protection of PII | Annex A 5.34 | The Lead Auditor’s Implementation and Audit Guide

ISO 27001 Annex A 5.34 Privacy and Protection of PII is a security control that mandates the identification and fulfillment of legal data protection requirements. By establishing a formal PII register and specific technical safeguards, organizations achieve the business benefit of regulatory compliance and reduced litigation risk.

In this guide, I will show you exactly how to implement ISO 27001 Annex A 5.34 and ensure you pass your audit. You will get a complete walkthrough of the control, practical implementation examples, and access to the ISO 27001 templates and toolkit that make compliance easy.

I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience conducting hundreds of audits. I will cut through the jargon to show you exactly what changed in the 2022 update and provide you with plain-English advice to get you certified.

Key Takeaways: ISO 27001 Annex A 5.34 Privacy and Protection of PII

ISO 27001 Annex A 5.34 requires organizations to identify and protect Personally Identifiable Information (PII) in accordance with applicable laws, regulations, and contracts. It acts as the bridge between your information security management system (ISMS) and privacy frameworks like GDPR, ensuring that personal data is not just “secure” but also handled legally.

Core requirements for compliance include:

  • Legal Register: You must clearly identify which privacy laws apply to you (e.g., GDPR in Europe, CCPA in California) and list them in your legal register.
  • Topic-Specific Policy: Create a dedicated policy for “Privacy and Protection of PII.” This should define how you classify, handle, and protect personal data specifically, separate from general company data.
  • Role Assignment: Appoint a responsible person, such as a Data Protection Officer (DPO) or Privacy Officer, to provide leadership.
  • Technical Measures: Implement specific controls to protect PII, such as encryption, access control, and data masking.

Audit Focus: Auditors will look for evidence that you understand why you are holding data. They will check your PII Register (or Record of Processing Activities) to see if you have defined a “Lawful Basis” for every type of personal data you store, whether it’s employee payroll, customer emails, or CCTV footage.

Practical Application: This control acknowledges that ISO 27001 is not a privacy standard by itself. It requires you to “consult with a professional” and potentially integrate with ISO 27701 (the privacy extension) if you process significant amounts of personal data.


What is PII?

Personally identifiable information (PII) is any information that can be used to identify a specific individual. This can include things like a person’s name, address, phone number, email address or date of birth. PII can also include things like a person’s biometric data, such as their fingerprints or facial recognition data.

PII is considered sensitive data because it can be used to commit identity theft, fraud, or other crimes. It is important to protect PII from unauthorised access, use, disclosure, disruption, modification, or destruction.

There are often specific laws, such as the GDPR, that relate to the protection of PII, and these take precedence over this clause.

Consult with a GDPR or Data Protection professional.

What is ISO 27001 Annex A 5.34?

ISO 27001 Annex A 5.34 Privacy and Protection of PII is an ISO 27001 control that requires you to protect personally identifiable information (PII). It requires you to identify and meet any applicable requirements, including those laid out in law, contracts and regulations.

What is the purpose of ISO 27001 Annex A 5.34?

The purpose of ISO 27001 Annex A 5.34 Privacy and Protection of PII is to ensure you comply with legal, statutory, regulatory and contractual requirements related to the protection of personally identifiable information (PII).

Organisations should have a clear understanding of their obligations when it comes to the protection of PII and make sure that they adhere to those requirements.

What is the definition of ISO 27001 Annex A 5.34?

The ISO 27001 standard defines ISO 27001 Annex A 5.34 as:

The organisation should identify and meet the requirements regarding the preservation of privacy and protection of PII according to applicable laws and regulations and contractual requirements.

ISO 27001:2022 Annex A 5.34 Privacy and Protection of PII

Watch the ISO 27001 Annex A 5.34 Tutorial

In this video I show you how to implement ISO 27001 Annex A 5.34 and how to pass the audit.

ISO 27001 Annex A 5.34 Podcast

In this episode: Lead Auditor Stuart Barker and team do a deep dive into ISO 27001 Annex A 5.34 Privacy and Protection of PII. The podcast explores what it is, why it is important and the path to compliance.

ISO 27001 Annex A 5.34 Implementation Guide

Have a topic specific policy on privacy and protection of PII

You are going to implement an ISO 27001 Information Classification and Handling Policy that includes, and specifically addresses, the protection and handling of PII.

Implement Process and procedures for PII

Building on the ISO 27001 Information Classification and Handling Policy, you will implement the processes and procedures that preserve the privacy of PII and protect it.

Assign roles and responsibilities

Roles and responsibilities will be defined and assigned. Consideration will be given to appointing someone to be responsible, such as a privacy officer, who will provide leadership and guidance to people on their responsibilities and the procedures to be followed.

Put in place technical and organisational measures

Appropriate measures for both the organisation and technology will be implemented to protect PII.

Ensure you cover different country requirements

Data protection requirements for PII differ from country to country. These should be addressed based on where you are operating. This forms part of the ISO 27001 legal register and the requirements that we covered in ISO 27001 Annex A 5.31 Legal, regulatory, statutory and contractual requirements.

Use a data protection professional

With this particular control, the ISO 27001 standard is actually dabbling in other areas. It covers one isolated part of a much bigger profession and set of requirements, so for this control, and in more general terms, we strongly recommend engaging the services of a data protection professional.

How to implement ISO 27001 Annex A 5.34

Implementing ISO 27001 Annex A 5.34 ensures your organisation meets the rigorous legal and regulatory requirements for safeguarding Personally Identifiable Information (PII). As an ISO 27001 Lead Auditor, I look for a technical framework that balances statutory obligations, such as the UK GDPR, with robust security controls. Follow these ten technical steps to formalise your privacy framework and ensure PII remains protected throughout its entire lifecycle.

1. Formalise a Topic-Specific Policy on Privacy and PII Protection

Formalise a mandatory policy that defines the organisation’s approach to managing and protecting PII. Result: establishes the legal and procedural baseline for both ISO 27001 compliance and data protection legislation.

  • Identify the specific legal, regulatory, and contractual requirements relevant to your jurisdiction.
  • Define clear roles and responsibilities, including the appointment of a Data Protection Officer (DPO) if required.
  • Document the consequences of policy violations to ensure staff accountability.

2. Provision PII Entities into the Organisational Asset Register

Provision the Asset Register to include specific entries for all PII data sets and information systems. Result: provides the visibility required to apply granular security controls and track data ownership.

  • Identify the “Data Controller” and “Data Processor” status for every PII asset.
  • Record the location of PII, whether residing in cloud repositories, on-premise servers, or physical archives.
  • Link PII assets to your broader ISMS risk assessment process.

3. Implement Comprehensive Data Flow Mapping

Implement technical data flow mapping to visualise how PII enters, moves through, and leaves the organisation. Result: identifies potential leakage points and ensures cross-border transfers are legally authorised.

  • Document the purpose of processing for every data flow identified.
  • Identify third-party recipients and the technical methods used for data transmission.
  • Verify that data retention periods are applied to each stage of the data flow.

4. Publish Transparent Privacy Notices and Consent Mechanisms

Publish clear, external-facing privacy notices that inform data subjects about how their PII is utilised. Result: satisfies the statutory “right to be informed” and ensures processing is lawful and transparent.

  • Ensure notices are written in plain English and are easily accessible at the point of data collection.
  • Implement granular consent mechanisms that allow users to opt-in to specific processing activities.
  • Establish a process to update notices whenever processing activities change.

5. Deploy Encryption and Pseudonymisation Technologies

Deploy technical obfuscation measures, such as AES-256 encryption and pseudonymisation, to protect PII at rest and in transit. Result: mitigates the impact of data breaches by rendering intercepted data unintelligible.

  • Enforce full-disk encryption on all mobile devices and laptops handling PII.
  • Utilise pseudonymisation for testing and development environments to reduce the risk of accidental exposure.
  • Manage cryptographic keys securely using a formalised Key Management Policy.

6. Restrict Access via Role-Based Identity and Access Management (IAM)

Restrict access to PII repositories using strict IAM roles and the principle of least privilege. Result: ensures that only authorised personnel with a legitimate business need can interact with sensitive data.

  • Mandate Multi-Factor Authentication (MFA) for all administrative and remote access to PII.
  • Perform quarterly access reviews to revoke permissions for users who have changed roles or left the organisation.
  • Implement automated logging of all access attempts to PII data sets.

7. Establish Data Subject Access Request (DSAR) Procedures

Establish a formalised workflow for managing and responding to Data Subject Access Requests. Result: ensures the organisation can meet the 30-day statutory response deadline and respect individual privacy rights.

  • Create a secure portal or dedicated email address for receiving DSARs.
  • Train specific staff members on the technical extraction and redaction of data.
  • Maintain a log of all requests and the organisational response to provide audit evidence.

8. Conduct Data Protection Impact Assessments (DPIA)

Conduct a DPIA for any new technical project or change in processing that involves high-risk PII. Result: identifies and mitigates privacy risks before processing begins, supporting the “Privacy by Design” principle.

  • Utilise a standardised DPIA template to ensure consistency in risk identification.
  • Involve the DPO or legal lead early in the project lifecycle.
  • Document the technical and organisational measures implemented to reduce identified risks.

9. Validate Third-Party Data Processing Agreements (DPA)

Validate that all third-party suppliers handling PII have signed a formal Data Processing Agreement. Result: ensures that suppliers are contractually obligated to provide the same level of protection as your organisation.

  • Include “Right to Audit” clauses in all supplier contracts.
  • Review the Rules of Engagement (ROE) for third parties to ensure they understand their PII protection obligations.
  • Perform due diligence on the supplier’s security certifications, such as ISO 27001 or SOC 2.

10. Audit PII Handling and Incident Response Logs

Audit the effectiveness of PII controls through regular internal reviews and monitoring of security logs. Result: provides the continuous assurance required for certification and demonstrates regulatory compliance.

  • Test the incident response plan specifically for PII breach scenarios, including mandatory 72-hour notification windows.
  • Review Data Loss Prevention (DLP) logs to identify attempted unauthorised transfers.
  • Document all audit findings in the Corrective Action Log to drive continuous improvement.

PII Register Example

Data Category (PII) | Data Controller/Owner | Lawful Basis (UK GDPR) | Technical Retention Period | ISO 27001:2022 Mapping
Employee Payroll | HR Manager | Contractual Necessity | 7 Years (Tax Law) | 5.34 (PII Protection)
Customer Email | Sales Lead | Consent (Marketing) | Until Unsubscribed/Withdrawal | 5.34 (PII Protection)
CCTV Footage | Facilities Manager | Legitimate Interest | 30 Days | 8.10 (Information Deletion)
Medical Record | Health and Safety Officer | Legal Obligation | 40 Years | 5.34 (PII Protection)
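The register above modelled as data, with the checks an auditor actually runs against it: every entry has an owner, a lawful basis and a control mapping, no entry has missed its quarterly review (the “orphaned register” red flag), and what is really stored does not exceed the retention schedule. This is an added illustration, not High Table’s tooling; the sample rows beyond the four in the table, the stored-record sample and the 90-day review window are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Quarterly review window (assumption for this example): entries confirmed
# more than ~90 days ago are flagged as an "orphaned register" finding.
REVIEW_WINDOW_DAYS = 90

# Date the audit is run (constructed for the example).
AUDIT_DATE = date(2025, 6, 1)


@dataclass(frozen=True)
class PiiEntry:
    """One row of the PII register; columns follow the example table."""
    category: str                   # Data Category (PII)
    owner: str                      # Data Controller/Owner
    lawful_basis: str               # Lawful Basis (UK GDPR); empty = not documented
    retention: str                  # Technical Retention Period, as written
    retention_days: Optional[int]   # None = event-based (e.g. until consent withdrawn)
    iso_mapping: str                # ISO 27001:2022 Mapping
    last_reviewed: date             # when the owner last confirmed this entry


# Constructed sample register: the four rows from the table plus one
# deliberately incomplete row to show what an auditor finding looks like.
SAMPLE_REGISTER = [
    PiiEntry("Employee Payroll", "HR Manager", "Contractual Necessity",
             "7 Years (Tax Law)", 7 * 365, "5.34 (PII Protection)", date(2025, 4, 15)),
    PiiEntry("Customer Email", "Sales Lead", "Consent (Marketing)",
             "Until Unsubscribed/Withdrawal", None, "5.34 (PII Protection)", date(2025, 5, 2)),
    PiiEntry("CCTV Footage", "Facilities Manager", "Legitimate Interest",
             "30 Days", 30, "8.10 (Information Deletion)", date(2023, 1, 10)),
    PiiEntry("Medical Record", "Health and Safety Officer", "Legal Obligation",
             "40 Years", 40 * 365, "5.34 (PII Protection)", date(2025, 3, 30)),
    PiiEntry("Visitor Logbook", "", "", "Not defined", None, "", date(2025, 5, 20)),
]

# Constructed sample of what is actually held: (category, date the record was created).
SAMPLE_STORED = [
    ("Employee Payroll", date(2019, 1, 1)),
    ("CCTV Footage", date(2025, 4, 1)),
    ("CCTV Footage", date(2025, 5, 20)),
    ("Marketing Survey", date(2025, 1, 1)),
]


def audit_register(register: List[PiiEntry], today: date) -> List[Tuple[str, str]]:
    """Return (category, finding) pairs for entries that would fail the audit."""
    findings = []
    for e in register:
        if (today - e.last_reviewed).days > REVIEW_WINDOW_DAYS:
            findings.append((e.category, "review overdue (quarterly review missed)"))
        if not e.lawful_basis.strip():
            # Encryption is no substitute for a documented lawful basis.
            findings.append((e.category, "no lawful basis documented"))
        if not e.owner.strip():
            findings.append((e.category, "no data owner assigned"))
        if not e.iso_mapping.strip():
            findings.append((e.category, "no ISO 27001 control mapping"))
    return findings


def overdue_records(register: List[PiiEntry],
                    stored: List[Tuple[str, date]],
                    today: date) -> List[Tuple[str, date, str]]:
    """Compare stored records against the retention schedule (audit step 10)."""
    limits = {e.category: e.retention_days for e in register}
    out = []
    for category, created in stored:
        if category not in limits:
            # Data held that the register does not know about is itself a finding.
            out.append((category, created, "category not in PII register"))
            continue
        limit = limits[category]
        if limit is not None and (today - created).days > limit:
            out.append((category, created, f"exceeds {limit}-day retention"))
    return out


if __name__ == "__main__":
    for category, finding in audit_register(SAMPLE_REGISTER, AUDIT_DATE):
        print(f"REGISTER  {category}: {finding}")
    for category, created, finding in overdue_records(SAMPLE_REGISTER, SAMPLE_STORED, AUDIT_DATE):
        print(f"RETENTION {category} (created {created}): {finding}")
```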

How to Audit ISO 27001 Annex A 5.34

Auditing ISO 27001 Annex A 5.34 requires a meticulous examination of how your organisation identifies, processes, and safeguards Personally Identifiable Information. As a Lead Auditor, I look for technical evidence that privacy is embedded into the system architecture, not just the policy. Use this 10-step technical roadmap to ensure your PII controls withstand the scrutiny of a rigorous certification audit.

1. Audit the Privacy and PII Protection Policy

Audit the topic-specific policy for privacy and PII protection to confirm it defines the organisational approach to managing personal data. Result: establishes the legal and procedural baseline for both ISO 27001 and statutory data protection compliance.

  • Verify that the policy explicitly references relevant legislation, such as the UK GDPR and Data Protection Act 2018.
  • Check for clear definitions of PII and sensitive personal data within the organisational context.
  • Confirm the policy is reviewed annually and carries executive-level sign-off.

2. Inspect the Asset Register for PII Mapping

Inspect the organisational Asset Register to ensure all PII data sets and processing systems are identified and classified. Result: provides the visibility required to apply granular security controls and determine data ownership.

  • Review entries for employee data, customer databases, and marketing lists.
  • Verify that the classification levels, such as “Highly Confidential,” align with the sensitivity of the PII.
  • Confirm that an “Asset Owner” or Data Custodian is assigned to every PII category.

3. Review Data Flow Documentation and Processing Maps

Review the technical data flow mapping to visualise how PII enters, moves through, and leaves the organisation. Result: identifies potential leakage points and verifies the lawfulness of cross-border data transfers.

  • Inspect the maps for third-party processing points and external storage locations.
  • Verify that international transfers are supported by appropriate legal mechanisms, such as Standard Contractual Clauses or the UK Addendum.
  • Check that data flows align with the purposes documented in the privacy notice.

4. Audit Privacy Notices and Consent Mechanisms

Audit external-facing privacy notices and the technical mechanisms used to capture consent. Result: confirms the organisation meets transparency requirements and maintains a lawful basis for processing.

  • Check that notices are provided at the point of data collection and include all mandatory disclosures.
  • Verify that consent logs are stored securely and demonstrate an active “opt-in” for specific processing activities.
  • Confirm that mechanisms for withdrawing consent are as easy to use as the mechanisms for providing it.

5. Verify Data Subject Rights Procedures and DSAR Logs

Verify the procedures for managing Data Subject Access Requests and other individual rights, such as deletion or portability. Result: ensures the organisation can respond to legal requests within the 30-day statutory window.

  • Review the DSAR log for completion rates and response timestamps.
  • Inspect the technical process for redaction to ensure the privacy of third parties is protected during data release.
  • Verify that staff are trained to recognise and escalate a data subject request immediately.

6. Inspect Encryption and Anonymisation Configurations

Inspect the technical configuration for PII at rest and in transit to verify that obfuscation measures meet industry standards. Result: mitigates the impact of unauthorised access by rendering intercepted PII unintelligible.

  • Audit the implementation of AES-256 encryption on servers and end-user devices.
  • Verify that pseudonymisation or anonymisation is utilised for testing and development environments.
  • Check the Key Management Policy to ensure cryptographic keys are stored separately from the PII they protect.

7. Audit IAM Roles and MFA Enforcement

Audit Identity and Access Management roles to verify that the Principle of Least Privilege is applied to all PII repositories. Result: prevents internal data breaches and ensures only authorised personnel can access sensitive information.

  • Inspect access control lists for HR systems, CRM platforms, and financial databases.
  • Verify that Multi-Factor Authentication is mandated for all administrative and remote access points.
  • Review logs for orphaned accounts or excessive permissions granted to temporary staff or contractors.

8. Review Data Processing Agreements with Third Parties

Review the Data Processing Agreements and Rules of Engagement for all suppliers handling organisational PII. Result: confirms that third-party risks are contractually mitigated and that suppliers provide adequate security guarantees.

  • Verify that contracts include “Right to Audit” clauses and mandatory breach notification timeframes.
  • Check that sub-processors are explicitly authorised and held to the same security standards.
  • Inspect the due diligence records for key suppliers, including their own ISO 27001 certifications.

9. Audit Data Protection Impact Assessments

Audit the records of Data Protection Impact Assessments performed for high-risk processing activities. Result: provides evidence that the organisation follows a “Privacy by Design” approach to mitigate risks early in the lifecycle.

  • Review DPIA documents for new product launches or significant system migrations.
  • Verify that identified risks have been addressed through documented technical or organisational controls.
  • Confirm that the DPO or privacy lead was consulted during the assessment process.

10. Verify PII Retention and Secure Disposal Logs

Verify that PII is retained only as long as necessary and that disposal logs confirm secure destruction. Result: reduces the organisational attack surface and prevents the storage of redundant, high-risk data.

  • Compare the actual stored data against the timeframes defined in the Retention Schedule.
  • Inspect certificates of destruction for physical media and shredding services.
  • Verify that automated data purging rules are functioning correctly within cloud storage environments.

Applicability of ISO 27001 Annex A 5.34 across different business models

Small Businesses
Applicability: Highly applicable for meeting basic GDPR or local privacy obligations. The focus is on identifying where customer and employee data (PII) is stored and ensuring it is handled with a clear “Lawful Basis.”
Examples of control implementation:
  • Maintaining a PII Register that lists all personal data held, such as employee payroll and customer contact lists.
  • Enforcing a 7-year retention period for financial PII in line with tax laws, with automated deletion thereafter.
  • Appointing the Office Manager as the internal “Privacy Lead” to oversee basic data subject access requests (DSARs).

Tech Startups
Applicability: Critical for protecting high volumes of user data and ensuring compliance across multiple jurisdictions (e.g., GDPR and CCPA). Focus is on technical safeguards and privacy-by-design during development.
Examples of control implementation:
  • Implementing Data Masking or pseudonymisation in development and testing environments to prevent developer exposure to real user PII.
  • Integrating Data Protection Impact Assessments (DPIA) into the change management process for any new product feature that processes personal data.
  • Enforcing AES-256 encryption for all cloud databases containing sensitive user PII.

AI Companies
Applicability: Vital for protecting specialised AI datasets that may contain “Special Category” PII. Focus is on ensuring that training data pipelines do not ingest or leak sensitive personal information.
Examples of control implementation:
  • Utilising automated Data Discovery Tools to scan large AI training datasets for accidental inclusion of biometrics or medical PII.
  • Establishing strict “Model Training Privacy” protocols that ensure proprietary model weights do not inadvertently memorise PII from the training set.
  • Formalising Data Processing Agreements (DPAs) with all sub-processors and cloud GPU providers who handle research datasets.

Fast Track ISO 27001 Annex A 5.34 Compliance with the ISO 27001 Toolkit

For ISO 27001 Annex A 5.34 (Privacy and protection of PII), the requirement is to identify and meet requirements regarding the preservation of privacy and protection of Personally Identifiable Information (PII) according to laws (like GDPR), regulations, and contracts. This control bridges the gap between security and legal data protection.

Compliance Factor | SaaS Compliance Platforms | High Table ISO 27001 Toolkit | Audit Evidence Example
Data Ownership | Rents access to your privacy records; if you cancel the subscription, your documented PII registers and history vanish. | Total Ownership: Your policies, standards, and logs stay on your secure servers. You own the IP forever. | A localised “PII Inventory” stored on your secure server defining data types and specific retention periods.
Legal Implementation | Attempts to “automate” privacy via dashboards that cannot determine Lawful Basis or assess Legitimate Interest. | Governance-First: Formalises your existing data processing into an auditor-ready framework (GDPR/CCPA compliant). | A completed “Record of Processing Activities” (ROPA) proving you have identified the legal basis for all PII.
Cost Efficiency | Charges a “Privacy Record Tax” that scales costs based on the number of data subjects or records monitored. | One-Off Fee: A single payment covers your privacy governance for 100 records or 100,000. | Allocating budget to advanced encryption tools or legal counsel rather than monthly “dashboard” subscription fees.
Jurisdictional Freedom | Mandates rigid reporting structures that may not align with multi-jurisdictional legal requirements or niche industry rules. | 100% Agnostic: Procedures adapt to any legal mix (GDPR, HIPAA, etc.) and any operating model without technical limits. | The ability to evolve your data strategy and cross-border transfer methods without reconfiguring a rigid SaaS module.

The Impact of Artificial Intelligence (AI) on PII Protection

As a Lead Auditor, the biggest shift I have seen in recent years is the collision between Artificial Intelligence and data privacy. AI models are exceptionally hungry for data, and organisations are rushing to deploy Large Language Models (LLMs) and Machine Learning (ML) tools without considering ISO 27001 Annex A 5.34.

Key AI Privacy Threats

  • Training Data Memorisation: AI models can inadvertently memorise PII included in their training data and regurgitate it to unauthorised users during prompting.
  • Prompt Injection and Leakage: Employees uploading customer datasets or confidential PII into public AI tools constitutes an immediate data breach.
  • Automated Decision Making: Using AI to process PII for recruitment or credit scoring triggers strict regulatory requirements under GDPR.
  • Retrieval-Augmented Generation (RAG) Flaws: AI assistants must respect existing Identity and Access Management (IAM) permissions within connected databases.

Common Pitfalls and Auditor Red Flags

Auditor Red Flag | The Problem | How to Fix It (The Audit Solution)
The “Orphaned” PII Register | The register was last updated two years ago and does not reflect new cloud software or AI tools. | Schedule mandatory quarterly reviews of the PII register and tie it to your change management process.
Confusing Security with Privacy | Assuming that because a database is encrypted, it meets privacy requirements. | Document the “Lawful Basis” for every PII entry regardless of the technical security level.
Shadow IT Data Processing | Marketing using unauthorised SaaS platforms to run email campaigns without IT knowledge. | Implement regular audits of employee expense claims and network traffic to identify unauthorised processing.
Ignoring Paper Records | A hyper-focus on cybersecurity while leaving visitor logbooks or printed CVs unsecured on desks. | Enforce a strict Clear Desk and Clear Screen policy and utilise secure shredding bins.

RACI Matrix for PII Protection

Task / Activity | Responsible | Accountable | Consulted | Informed
Updating the PII Register | Department Heads | DPO | Legal Team | Security Manager
Conducting a DPIA | Project Manager | DPO | IT Leads | Executive Board
Managing a DSAR | Privacy / HR Team | DPO | IT Operations | The Data Subject
Reviewing Third-Party DPAs | Procurement | CISO | Legal Team | Department Heads

How to Measure Success: KPIs for Annex A 5.34

Key Performance Indicator (KPI) | Target Metric | Why Auditors Look For It
DSAR Response Time | 100% within 30 days | Proves speed in locating and extracting PII quickly.
DPIA Completion Rate | 100% for high-risk processing | Demonstrates “Privacy by Design” as an active process.
PII Inventory Accuracy | Reviewed quarterly | Shows the Asset Register is a living document.
Third-Party DPA Coverage | 100% of PII suppliers | Confirms the supply chain is legally bound.
Privacy Training Completion | 95% annually | Ensures people handling data understand the rules.

ISO 27001 Annex A 5.34 FAQ

What is ISO 27001 Annex A 5.34?

ISO 27001 Annex A 5.34 is an organisational control requiring that Personally Identifiable Information (PII) be protected in accordance with relevant laws, such as the UK GDPR. It ensures that 100% of sensitive data sets are identified and safeguarded through a combination of technical measures, including AES-256 encryption and strict Identity and Access Management (IAM).

Is a Data Protection Impact Assessment (DPIA) mandatory for Annex A 5.34?

Yes, a DPIA is mandatory under Annex A 5.34 for any processing activity deemed high-risk to individual privacy rights. This technical assessment identifies potential leakage points before a project begins; failing to conduct a DPIA can result in regulatory fines from the ICO of up to £17.5 million or 4% of global annual turnover.

How does ISO 27001 Annex A 5.34 align with GDPR?

Annex A 5.34 serves as the technical bridge to GDPR compliance by providing the organisational framework for “Privacy by Design.” While GDPR sets the legal requirements, ISO 27001 5.34 mandates the implementation of specific controls to meet those requirements, such as data flow mapping, retention schedules, and Multi-Factor Authentication (MFA).

What are the PII breach notification rules for ISO 27001?

Organisations must report a PII breach within a strict 72-hour window to the relevant supervisory authority once they become aware of it. Statistics indicate that organisations with a formalised incident response plan, as required by Annex A 5.34, reduce the financial impact of a breach by approximately 35% through faster containment.

Can we use cloud storage for PII under ISO 27001?

Yes, cloud storage is permitted for PII provided that the provider meets the high security thresholds mandated by Annex A 5.34 and the UK Data (Use and Access) Act 2025. You must verify end-to-end encryption and that your Data Processing Agreement (DPA) includes a “Right to Audit” clause.

Standard / Law | Relevant Control / Article | Mapping and Requirements
GDPR / UK GDPR | Articles 5, 24, 25, 30, 32, 35 | Direct Alignment: Requires Privacy by Design, security of processing, and Data Protection Impact Assessments (DPIA). Annex A 5.34 provides the technical implementation for these legal mandates.
NIST CSF v2.0 | GV.PO-01, PR.PS-01 | Privacy Governance: CSF v2.0 integrates privacy via Governance (GV) and Protective Technology (PR) categories to ensure PII is identified and managed.
UK Data (Use and Access) Act 2025 | Smart Data & Portability Clauses | Modernised GDPR: Focuses on Smart Data schemes. Requires high security thresholds for data sharing while reducing administrative burdens for smaller firms.
NIS2 Directive (EU) | Article 21 | Cyber Risk Management: Includes the protection of personal data as a fundamental component of cybersecurity risk management for essential and important entities.
DORA (EU) | Articles 8, 9, 10 | Financial Data Integrity: Mandates that ICT systems in the financial sector protect the integrity and confidentiality of all data, specifically client PII.
SOC 2 (AICPA) | Privacy Trust Services Criteria (TSC) | Privacy Criteria: Directly maps to the Privacy category, focusing on Notice, Choice, Collection, Use, Retention, Access, and Disclosure of personal information.
EU AI Act | Articles 10, 15, 53 | AI Data Governance: Requires high-risk AI systems to use high-quality datasets. Annex A 5.34 ensures training data containing PII is pseudonymised to prevent model leakage.
ISO/IEC 42001 (AI) | Annex A.4 (Data for AI) | AI Privacy Management: Addresses the protection of PII within the AI lifecycle, particularly regarding data acquisition and dataset curation.
UK Cyber Security & Resilience Bill | MSP Reporting Obligations | Expanded Scope: Expands NIS2-style reporting to Managed Service Providers (MSPs). Breaches involving PII within an MSP environment trigger mandatory reporting.
CIRCIA (USA) | Section 2242 | Incident Reporting: Critical infrastructure entities must report significant cyber incidents (including PII exfiltration) to CISA within 72 hours.
EU Product Liability Directive (PLD) Update | Article 4 (Defectiveness) | Strict Liability: Classifies software as a product. A lack of Annex A 5.34 privacy controls leading to a breach can be evidence of a product defect.
ECCF (European Cybersecurity Certification Framework) | Harmonised Labels | Consumer Trust: Annex A 5.34 compliance serves as a baseline for achieving harmonised security labels (Basic, Substantial, High) for products and services.
HIPAA (USA) | Privacy Rule (45 CFR § 164.500) | Health Data: Aligns with the protection of Protected Health Information (PHI). Provides the administrative and technical safeguards required for healthcare data.
CCPA / CPRA (California) | Sections 1798.100 – 1798.199 | Consumer Rights: Mapping for data subject rights (access, deletion, opt-out) and the requirement for reasonable security to protect Sensitive PII.

ISO 27001 Controls and Attribute Values

Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains
Preventive | Availability, Confidentiality, Integrity | Identify, Protect | Legal and compliance, Information protection | Protection

About the author

Stuart Barker
🎓 MSc Security 🛡️ Lead Auditor 30+ Years Exp 🏢 Ex-GE Leader

ISO 27001 Ninja

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
