Table of contents
What is PII?
Personally identifiable information (PII) is any information that can be used to identify a specific individual. This can include things like a person’s name, address, phone number, email address or date of birth. PII can also include things like a person’s biometric data, such as their fingerprints or facial recognition data.
PII is considered sensitive data because it can be used to commit identity theft, fraud, or other crimes. It is important to protect PII from unauthorised access, use, disclosure, disruption, modification, or destruction.
There are often specific laws, such as the GDPR that relate to the protection of PII and these take precedence over this clause.
Consult with a GDPR or Data Protection professional.
ISO 27001 Privacy And Protection Of PII
ISO 27001 Annex A 5.34 Privacy and Protection of PII is an ISO 27001 control that wants you to protect personally identifiable information (PII). It requires you to identify and meet any requirements including those laid out in law, contracts and regulations.
Purpose
The purpose of ISO 27001 Annex A 5.34 Privacy and Protection of PII is to ensure you comply with legal, statutory, regulatory and contractual requirements related to the protection of personally identifiable information (PII) .
Organisations should have a clear understanding of their obligations when it comes to the protection of PII and make sure that they adhere to those requirements.
Definition
The ISO 27001 standard defines ISO 27001 Annex A 5.34 as:
The organisation should identify and meet the requirements regarding the preservation of privacy and protection of PII according to applicable laws and regulations and contractual requirements.
ISO 27001:2022 Annex A 5.34 Privacy and Protection of PII
How do you implement it?
1. Have a topic specific policy on privacy and protection of PII
You are going to implement an ISO 27001 Information Classification and Handling Policy that includes and specifically addresses as part of it, the protection and handling of PII.
2. Implement Process and procedures for PII
Building on the ISO 27001 Information Classification and Handling Policy you will implement the processes and procedures to protect the preservation and privacy of PII.
3. Assign roles and responsibilities
Roles and responsibilities will be defined and assigned. Consideration will be given to appointing someone to be responsible such as a privacy officer who will provide that leadership and guidance to people on their responsibilities and the procedures to be followed.
4. Put in place technical and organisational measures
Appropriate measures for both the organisation and technology will be implemented to protect PII.
5. Ensure you cover different country requirements
There is a difference in the international approach to data protection and requirements on PII. These should be addressed based on where you are operating. This forms part of the ISO 27001 legal register and the requirements that we covered in ISO 27001 Annex A 5.31 Legal, regulatory, statutory and contractual requirements.
What other standards apply?
There are a number of additional standards that support this particular requirement. I am not saying you have to implement them or certify to them but they are for consideration.
- ISO/IEC 29100 – provides guidance on the protection of Personal Identifiable Information (PII) within Information and Communications Technology (ICT) systems.
- ISO/IEC 27701 – provides a framework for privacy information management systems
- ISO/IEC 27018 – provides specific information regarding privacy information management for public clouds acting as PII processors
- ISO/IEC 29134 – provides guidelines for privacy impact assessments (PIA)
Do you need a data protection professional?
The ISO 27001 standard is actually dabbling in other areas with this particular control. It is one isolated part of a bigger profession and requirement and as such for this and in more general terms we strongly recommend engaging the services of a data protection professional.
How can the ISO 27001 toolkit help?
The ISO 27001 toolkit is a collection of pre-made documents, templates, and guides. It’s like a shortcut to getting certified! It can save you hundreds of hours by providing you with the framework you need to create your own procedures, policies, and records.
ISO 27001 Annex A 5.34 FAQ
Other than your ISO 27001 certification requiring it, the following are the top 5 benefits of ISO 27001 Annex A 5.34 Privacy and Protection of PII:
You cannot get ISO 27001 certification without it.
Improved security: You will have an effective information security implementation that protects PII
Reduced risk: You will reduce the information security risks to PII
Improved compliance: Standards and regulations require you to protect PII
Reputation Protection: In the event of a breach having an effective legal, regulatory, statutory and contract protection of PII process in place will reduce the potential for fines and reduce the PR impact of an event
PII is valuable to criminals and is often used to commit any number of crimes from identity theft to fraud. The consequences to the individual can be devastating. You are entrusted with their personal information to cary out the products and services that you provide but you have a moral, societal, legal, regulatory, statutory and compliance requirement to protect it. Getting it wrong can lead to massive fines under frameworks such as the GDPR.
Related ISO 27001 Controls
ISO 27001 Annex A 5.37 Documented Operating Procedures
ISO 27001 Annex A 8.34 Protection of Information Systems During Audit Testing
Further Reading
ISO 27001 Privacy and Personally Identifiable Information (PII): Your Complete FAQ Guide
ISO 27001 Data Protection Policy Template
