August 7, 2024

ISO 27001:2022 Annex A Control 5.34: Privacy and Protection of PII

Annex A control 5.34 of the 2022 version of the ISO 27001 standard can be mapped to ISO 27001:2013 Annex A 18.1.4


Control 5.34 covers the protection of Personally Identifiable Information, otherwise known as PII. In particular, it focuses on three key areas: privacy, protection, and preservation.

The control is designed as a preventative measure to help keep risks at bay, outlining guidelines and procedures to meet legal, regulatory, statutory and contractual obligations surrounding the storage, privacy, and protection of PII in all forms.

What is PII?

PII is a term used to describe any data which can be used to identify a person or persons. This may include a driver’s licence, medical records, address, financial information such as bank accounts, and a National Insurance Number or Social Security Number.

Any data governance plan an organisation puts in place must take the protection of PII into account, given the wide range of regulatory, legislative and contractual exposure that attaches to PII once it is shared.

Guidelines for Annex A Control 5.34

PII protection is a specialised business practice and requires distinct policies to cover the kinds of PII most commonly encountered in the organisation on a day-to-day basis. Control 5.34 describes how organisations must compile, formulate and execute policies dedicated to protecting PII. They must also ensure that all staff working with PII are made aware of these policies and stick to them.

Policies should take into account individual roles, responsibilities and data controls across the organisation, offering a top-down approach in which a dedicated Privacy Officer guides employees and third-party organisations through the process of complying with PII obligations.

In order to manage PII effectively within the business, organisations must comply with the applicable legislative, regulatory and contractual requirements.

Overseas use of control 5.34

It’s important to research relevant legislation concerning PII, as it can change from one country, region, or sector to another. Organisations must review their PII handling requirements, especially when it comes to data shared across different countries.

ISO 27001:2022 does not contain any specific information on how to handle this, but other ISO documents do, including ISO/IEC 29100, ISO/IEC 27701, and ISO/IEC 27018.

What’s changed since 2013?

Annex A control 5.34 replaces ISO 27001:2013 18.1.4 and is almost identical bar two key differences. The first of these is that control 5.34 recommends organisations contemplate a subject-specific policy when developing and implementing PII policies and procedures. The second is that control 5.34 puts greater emphasis on safeguarding PII alongside standard privacy and protection regulations.
