For some, this ISO27001 control is possibly one of the most important controls of all. Why? Because it goes to the heart of what the standard is about.  It’s the protection of personal data.

Before we look at the control in detail, we think it’s important to clarify a few points.  Firstly, the use of the term ‘PII’ refers to Personal Identifiable Information. This term is a broadly accepted term used in the USA, but one which isn’t often used in the EU, and isn’t one that is referenced within the General Data Protection Regulation (GDPR). The GDPR makes specific reference to Personal Data.

So what’s the difference?

Firstly, GDPR defines 'personal data' to mean;

“any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” – GDPR Article 4(1),

As PII is a term often used in the US, it’s worth noting that this is defined by the US Office of Privacy and Open Government as :

“Information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.”

Where personal data has a broad definition and context, PII has a narrower focus on individual data points that can be used to identify an individual. For example this could include passport number, driver’s licence, and email address.

We’re making this point because in the course of complying with this control you’re most likely going to speak to Data Protection specialists, and they prefer the term personal data, rather than PII (some people have a very strong reaction to the term PII! You have been warned!). 

What does the standard require?

The standard states that “The organisation shall identify and meet the requirements regarding the preservation of privacy and protection of PII according to applicable laws and regulations and contractual requirements.” (A5.34 – Privacy and protection of PII).

In the face of it, this control is rather simple, bland and ordinary, but it belies a truth that goes to the heart of ISO27001.

Why is this required?

We often forget that the data we process often relates to real people. Email addresses are people. Home addresses are where they live, and of course financial and medical records are collections of sensitive data related to real people.

Consultants Like Us often say that ISO27001 is about the pro-active protection of a businesses most important assets. If that’s the case, could there be any more important ‘asset’ than people?

We could provide a plethora of examples here, of how a data breach has affected an individual, but we think it should be pretty clear to you how damaging it could be to an individual if there was breach of their personal data. 

Almost every major cyber attack that has made the mainstream headlines over the last few years has been in relation to a loss that affects real people. From financial institutions to medical associations being breached, real people have their lives turned upside down by hackers, cyber criminals and scammers.

If you still need convincing that this is an important area, consider what the impact would be on your businesses’ reputation, following a breach where you need to inform all your customers? Would they likely to use your services or products again? You would also need to inform the Information Commissioner's Office (ICO), who might state that you need to stop processing data until they have investigated the cause of the breach, or they might impose a fine on your business. Therefore, the financial and operational impact could be significant.

What the auditor is looking for

In a similar way to Annex A control A5.33 - Protection of records, the auditor will be looking at various controls that evidence you are considering the protection of personal data.

In A5.33 we provide an outline of the controls you should ensure can be evidence.  In addition to these, the auditor will look for evidence of a legal register which outlines your legal, regulatory and contractual obligations – (A5.31 – Identification of legal, statutory, regulatory and contractual requirements).

The auditor will be looking for specific requirements related to the protection of personal data, and how you have complied with this.  For example, the auditor will want to see your Data Retention Policy and scheme, which defines how long your will retain personal data and how it will be destroyed.  The auditor will therefore expect to see results of audits

or actions that show you have complied with your own retention policy.

Other evidence can include the completion of Data Protection Impact Assessments (DPIA), Records of Processing Activities (RoPA) and introducing them to your Data Protection Officer (DPO) if you have one.

What do you need to do?

You need to ensure you have a legal register in place which specifically references requirements related to the protection of personal data. For example, in the UK you should ensure you reference the EU GDPR and UK DPA 2018. You should pay careful consideration to other legal and regulatory requirements in your region and include these on your register, and then outline what you do to comply with them.

Ensure you have a privacy notice on your website which complies with the requirements of your regions laws. Explaining what needs to go into a privacy notice here is beyond the scope of this post, and you should seek legal advice to ensure you cover all the important aspects for the region(s) you operate in.  Remember that a privacy notice is a visible representation of how you treat personal data, so don’t leave this to chance – it’s also one of the places most auditors will check (you’ll be surprised/shocked at how many companies still reference the Data Protection Act 1998(!) on their websites. Even those that say “Data Protection is important to us”!

If you have access to a DPO, ask them about the RoPA and DPIA process and how this has been completed. If are lucky enough to have a DPO then you need to work closely with them, not only for this control, but because you are both trying to achieve the same thing.

Q & A

Is it possible to get this wrong?

Yes – By not including the requirements to protect personal data on your legal register, and not demonstrating you have implemented the controls to protect personal data. For example, you need to evidence that audits to comply with your own data retention policy have been undertaken (this is why working with your DPO is important, as they most likely are doing this).

Difficulty rating

We rate this a 2 out of 5 difficulty rating. This control isn’t complicated, but it can be complex if you process a lot of personal data.  There is certainly work to do, which includes development of the data retention scheme and conducting reviews and audits of legal, regulatory and contractual requirements related to personal data.  This might need specialist knowledge, but will most certainly require that you speak to your business. As ever, keep it simple and keep it focused on personal data to ensure compliance with this control.

More questions?

Remember that nothing in ISO27001 sits in isolation, so you should review our FAQ to gain answers to other aspects of the standard. Follow the links in this control to see the relationship in other controls, but if you’re still confused about this control, then please get in touch.

For information on how to implement ISO27001, you might like to consider buying our book “The Real Easy Guide to ISO27001”which is available on Amazon.