What Changed Between the 2013 and 2022 Versions? ISO 27001:2022 Annex A 8.11

ISO 27001 Annex A 8.11 - what changed in the 2022 update

If you are comparing the ISO 27001:2013 standard to the 2022 update, you might be looking for the predecessor to Annex A 8.11. The short answer? It didn’t exist. Annex A 8.11: Data Masking is one of the eleven brand-new controls introduced in the 2022 revision, added to address the growing global focus on data privacy and the protection of Personally Identifiable Information (PII).

In the 2013 version, data protection was largely covered by general access controls and encryption. As regulations such as GDPR and CCPA became the norm, it became clear that organisations needed a specific control for hiding or substituting sensitive data without necessarily encrypting the entire database. That is why Annex A 8.11 was born.

The Evolution: Why Data Masking Now Has Its Own Control

In the 2013 standard, if you wanted to protect sensitive data in a testing environment, you might have relied on control A.14.3.1 (Protection of test data). While this touched on the subject, it only covered test data; there was no requirement to mask data that stays in production or is copied out for business analytics.

ISO 27001:2022 has consolidated the previous 114 controls into 93 and grouped them into four themes. Annex A 8.11 falls under the Technological theme (the 8.x controls). According to Hightable.io, the introduction of this control is a response to the “identity-first” security era, where limiting the exposure of data to only what is necessary for a specific task is considered a baseline requirement.

What Exactly is Annex A 8.11 Data Masking?

The purpose of Annex A 8.11 is simple: to limit the exposure of sensitive data, including PII, and to comply with legal, statutory, regulatory and contractual requirements. Data masking means obscuring the original data or replacing it with data that is fictitious but still functional for the task at hand.

The control’s guidance names pseudonymisation and anonymisation as the principal techniques, alongside character-level methods (nulling or deleting characters, substitution, replacing values with a hash) that this article groups under obfuscation:

  • Anonymisation: Irreversibly altering data, for example by removing direct identifiers and generalising dates or locations, so that the individual can no longer be identified, even by the organisation that held the original.
  • Pseudonymisation: Replacing private identifiers with aliases that are consistent (the same person always gets the same alias, so records can still be joined) but can only be re-linked by whoever holds the separately stored key or lookup table.
  • Obfuscation: Hiding part of a value in place, such as replacing all but the last four digits of a credit card number with “X” or another symbol.
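The three techniques in concrete form, as an added example that is not from the standard or from Hightable.io. The customer record, the key literal, the ten-year age bands and the postcode-area generalisation are all constructed for illustration; in practice the pseudonymisation key would live in a KMS or HSM and be reachable only by the re-identification function.

```python
import hashlib
import hmac
import re
from datetime import date

# Constructed sample record; every value is fictitious.
CUSTOMER = {
    "name": "Alice Example",
    "email": "alice.example@example.org",
    "dob": "1987-04-12",
    "postcode": "SW1A 1AA",
    "card_pan": "4111111111111111",
}

# Demo key (assumption). Real deployments keep this in a KMS/HSM and never
# ship it to the environments that receive the pseudonymised data.
PSEUDONYM_KEY = b"demo-only-key-replace-with-kms-managed-secret"


def pseudonymise(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed HMAC-SHA256: the same input always gives the same alias (joins
    still work) but re-linking needs the key. An unkeyed hash would not do:
    names and e-mail addresses are a small enough space to brute-force."""
    return "pseud_" + hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def anonymise(record: dict, today: date = date(2024, 1, 1)) -> dict:
    """Irreversible: drop direct identifiers, generalise the quasi-identifiers
    (exact birth date -> ten-year age band, full postcode -> outward code)."""
    born = date.fromisoformat(record["dob"])
    age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
    decade = (age // 10) * 10
    return {
        "age_band": f"{decade}-{decade + 9}",
        "postcode_area": record["postcode"].split()[0],
    }


def mask_pan(pan: str) -> str:
    """Obfuscation: keep the last four digits (enough for a support agent to
    confirm a card with the customer), replace the rest with 'X', keep length."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        raise ValueError("not a plausible card number")
    return "X" * (len(digits) - 4) + digits[-4:]


def mask_email(email: str) -> str:
    """Obfuscation: first character of the local part stays visible, domain kept."""
    local, _, domain = email.partition("@")
    if not local or not domain:
        raise ValueError("not an e-mail address")
    return local[0] + "*" * (len(local) - 1) + "@" + domain


def mask_customer(record: dict) -> dict:
    """One masked view of the record: a re-linkable reference for joins,
    anonymised demographics, and obfuscated display values. Name is dropped."""
    return {
        "customer_ref": pseudonymise(record["email"]),
        **anonymise(record),
        "card_pan": mask_pan(record["card_pan"]),
        "email_display": mask_email(record["email"]),
    }


if __name__ == "__main__":
    for field, value in mask_customer(CUSTOMER).items():
        print(f"{field:14} {value}")
```

Note which direction each transformation can be reversed: `pseudonymise` only by the key holder, `anonymise` and the two `mask_*` functions by nobody. That distinction is what decides which output may leave the production boundary.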

Key Requirements of the New 8.11 Control

Because this is a new control, there is no 2013 process to update: you need a topic-specific policy on data masking. The 2022 standard expects you to consider the following:

  • Risk-Based Implementation: You don’t need to mask everything. Identify which data is sensitive (PII, payment data, health data and so on) and apply masking in proportion to the risk.
  • Business Requirement Alignment: Masking shouldn’t break your business. Masked data must remain “functional” for the people who need it; for example, developers need a database that looks and behaves like production (same schema, same key relationships) but contains no real customer names.
  • Access Control Integration: Data masking is an extension of your access control policy (Annex A 5.15, Access control). Who can see the unmasked data must be strictly limited to those with a specific business need, and that access should be logged.
  • Non-Live Environments: A major focus of A 8.11 is ensuring that real, unmasked data is never used in development, staging or testing environments.

The Role of Attributes in Annex A 8.11

The 2022 revision (in ISO 27002:2022, from which Annex A is derived) introduced “attributes” to help you categorise and filter controls. The attribute values assigned to 8.11 show where it sits strategically:

Attribute                        Value for Annex A 8.11
Control type                     Preventive
Information security property    Confidentiality
Cybersecurity concept            Protect
Operational capability           Information protection
Security domain                  Protection

Practical Steps for Compliance

Transitioning your ISMS to include Annex A 8.11 requires a mix of policy and technology. Hightable.io emphasizes that auditors will look for evidence of implementation, not just a written policy. Here is how to get started:

  1. Create a Data Masking Policy: Define what data needs to be masked, which techniques will be used, and who is authorized to see raw data.
  2. Map Your Data Flows: Identify where sensitive data enters your system and where it is copied (e.g., from production to a test environment).
  3. Choose Your Tools: Implement technical controls such as Dynamic Data Masking (DDM), which rewrites query results at read time for users who lack the privilege to see raw values, or Static Data Masking (SDM), which produces a masked copy of the data before it is handed to backups, analytics or test environments.
  4. Document Exceptions: Where masking is not technically feasible, document the risk assessment and the compensating controls, and obtain formal management sign-off.
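Steps 2 and 3 above, together with the “functional” and “non-live environments” requirements, in working code. This is an added example, not code from the standard or from Hightable.io. It uses SQLite in memory as a stand-in for a real database: the two-table schema, the customer and order rows, the demo key and the well-known test card number are all constructed; the `customers_masked` view stands in for native column-level dynamic masking (for example SQL Server’s `MASKED WITH`), and `static_mask_copy` is the static-masking step that builds a test copy.

```python
import hashlib
import hmac
import sqlite3

# Demo key (assumption). The real key lives in a KMS and must never reach the
# test environment, or the aliases there could be re-linked to people.
PSEUDONYM_KEY = b"demo-only-key"
TEST_PAN = "4242424242424242"  # constructed, publicly known test card number

SCHEMA = """
CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, name TEXT, dob TEXT, pan TEXT);
CREATE TABLE orders (id INTEGER PRIMARY KEY,
                     customer_id INTEGER NOT NULL REFERENCES customers(id), amount REAL);
"""


def pseudonym(value: str) -> str:
    """Keyed, deterministic alias: the same customer gets the same alias on
    every refresh of the test copy, so earlier test data stays joinable."""
    return "cust_" + hmac.new(PSEUDONYM_KEY, value.encode(), hashlib.sha256).hexdigest()[:12]


def build_production() -> sqlite3.Connection:
    """Constructed 'production' database; every value is fictitious."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA + """
    INSERT INTO customers VALUES
      (1,'alice@example.org','Alice Example','1987-04-12','4111111111111111'),
      (2,'bob@example.org','Bob Example','1990-09-30','5500000000000004');
    INSERT INTO orders VALUES (10,1,19.99),(11,1,5.00),(12,2,42.50);
    -- Dynamic masking stand-in: analysts get SELECT on this view only, never on
    -- the base table, so raw values never leave the database for them.
    CREATE VIEW customers_masked AS
      SELECT id,
             substr(email,1,1) || '***@' || substr(email, instr(email,'@')+1) AS email,
             substr(dob,1,4) AS birth_year,
             'XXXXXXXXXXXX' || substr(pan,-4) AS pan
      FROM customers;
    """)
    return db


def static_mask_copy(prod: sqlite3.Connection) -> sqlite3.Connection:
    """Static Data Masking: a copy for dev/test holding no real PII, with primary
    and foreign keys intact so the application behaves as it does in production."""
    test = sqlite3.connect(":memory:")
    test.executescript(SCHEMA)
    for cid, email, dob in prod.execute("SELECT id, email, dob FROM customers"):
        alias = pseudonym(email)
        test.execute("INSERT INTO customers VALUES (?,?,?,?,?)",
                     (cid, f"{alias}@test.invalid", f"Customer {alias}",
                      dob[:4] + "-01-01", TEST_PAN))  # birth year kept, day dropped
    # Orders carry no identifiers, but their customer_id values must still resolve.
    test.executemany("INSERT INTO orders VALUES (?,?,?)",
                     prod.execute("SELECT id, customer_id, amount FROM orders").fetchall())
    test.commit()
    return test


def leak_check(prod: sqlite3.Connection, test: sqlite3.Connection) -> list:
    """Auditor evidence: list any production identifier that survived the copy."""
    real = set()
    for row in prod.execute("SELECT email, name, pan FROM customers"):
        real.update(row)
    return [v for row in test.execute("SELECT email, name, pan FROM customers")
            for v in row if v in real]


def orders_per_customer(db: sqlite3.Connection) -> dict:
    """Identical answers from prod and copy show the masked data is still functional."""
    return dict(db.execute(
        "SELECT c.id, COUNT(o.id) FROM customers c JOIN orders o ON o.customer_id = c.id "
        "GROUP BY c.id ORDER BY c.id").fetchall())


def masked_view_rows(prod: sqlite3.Connection) -> list:
    """What a production analyst sees through the dynamic-masking view."""
    return prod.execute("SELECT * FROM customers_masked ORDER BY id").fetchall()


if __name__ == "__main__":
    prod = build_production()
    test = static_mask_copy(prod)
    print("leaked identifiers:", leak_check(prod, test))
    print("orders per customer, prod:", orders_per_customer(prod))
    print("orders per customer, test:", orders_per_customer(test))
    print("analyst view:", masked_view_rows(prod))
```

The `leak_check` result is the kind of artefact an auditor asks for: run it on every refresh of the test environment and keep the output with the change record. The same key held in the KMS is what makes the alias in the test copy re-linkable for the incident responder who needs it, and unintelligible to everyone else.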

Why the Change Matters

The addition of Annex A 8.11 reflects the reality that many modern data breaches are not about “hacking into a server” at all: they are about someone, whether an insider, a contractor or an attacker with a stolen account, seeing data that should have been hidden from that role or that environment. By making data masking a dedicated control, ISO 27001:2022 helps organisations shrink the amount of real sensitive data in circulation and so lowers the impact of any breach that does occur.

As Hightable.io points out, A 8.11 is one of the most effective ways to show an auditor (and your customers) that you take the “Privacy” part of the new standard’s title, Information Security, Cybersecurity and Privacy Protection, seriously.

Final Thoughts on the Transition

The jump from the 2013 version to the 2022 version’s Annex A 8.11 is a significant but necessary step for any modern business. While it requires new technical effort, it aligns your security posture with global privacy laws and best practice. By focusing on pseudonymisation and anonymisation, and by keeping raw data out of non-production environments, you can protect your most sensitive assets while still allowing your teams to work effectively.