ISO 27001 Annex A 5.34 – Privacy And Protection Of PII

ISO 27001 Annex A 5.34 is a control that asks you to look after personal data. This control is called “Privacy and Protection of Personally Identifiable Information.” It means you must find and then meet all the rules for this type of data. These rules include laws, things you agree to in contracts, and official government rules.

What Is PII?

Personally identifiable information, or PII, is any data that can point to a specific person. You can think of it as details like your name, your home address, your phone number, or your birth date. This kind of information might also include biometric data, such as your fingerprints or facial scan.

Because PII can be used in crimes like identity theft, it is considered sensitive data. It is important for you to protect this information so that no one can access, use, share, change, or destroy it without permission.

Always remember that specific laws, like the General Data Protection Regulation (GDPR), set out how you must protect PII, and these legal requirements take precedence over any internal rule.

If you have questions about protecting data, you should talk to an expert who specialises in data protection or GDPR.

What is ISO 27001 Annex A 5.34?

The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October 2022).

In the ISO/IEC 27001:2022 Standard the control is titled “Privacy And Protection Of PII”.

What is the ISO 27001 Annex A 5.34 control objective?

The formal definition and control objective in the standard is: “The organisation should identify and meet the requirements regarding the preservation of privacy and protection of PII according to applicable laws and regulations and contractual requirements.”

What is the purpose of ISO 27001 Annex A 5.34?

The purpose of ISO 27001 Annex A 5.34 is “to ensure you comply with legal, statutory, regulatory and contractual requirements related to the protection of personally identifiable information (PII).”

Is ISO 27001 Annex A 5.34 Mandatory?

ISO 27001 Annex A control 5.34 (Privacy And Protection Of PII in the 2022 standard) is not automatically mandatory in the same way the clauses in the main body of the standard (clauses 4 through 10) are.

The mandatory part of the standard requires you to consider ISO 27001 Annex A 5.34 and all other Annex A controls, but you have the flexibility to exclude it if it is not applicable to your organisation’s specific risks and context.

Key Parts of the Rule

To follow this rule, you should have clear plans and policies. Here are some important steps:

1. Create a Policy for Personal Information

First, you will need a rule book, or policy, just for keeping personal information private and safe. This will be part of your main ISO 27001 rule book about how to sort and handle all your company’s information. It will clearly explain how to manage and protect Personally Identifiable Information (PII).

2. Set Up Ways to Manage Personal Information

Next, using the rules in your information policy, you will set up clear steps and ways of working. These steps, or procedures, will make sure that personal information stays correct and private.

3. Give People Specific Jobs

You will decide who is in charge of what. You must define and give out specific tasks and duties. You should think about assigning a Privacy Officer. This person would be the leader who guides everyone on their duties and how to follow the safety steps.

4. Use Technology and Company Rules

You will put in place controls to protect personal information using both technical measures (your technology) and organisational measures (your company’s ways of working). These are the practical things you will do to keep the information safe.

5. Check Rules for Other Countries

You must remember that rules for protecting data and personal information differ around the world. You should follow the rules that apply in every place where you do business. This is already part of what you track in your ISO 27001 records, in the register of legal and contractual requirements.