All types Page Article White Paper Download
Solutions The best route to security compliance
Hicomply Privacy™ ISO 27001 ISO 9001 ISO 14001 SOC 2 NHS DSPT NIST 800-53 Hicomply GRC™ Services & Customer Support
Platform A powerful suite of ISMS features
Dashboard ISMS Scoping Policy Management Risk Management Information Asset Management Task Management Integrations Hicomply for Enterprises Trust Centre Controls Monitor Hicomply AI SCIM Integration
Resources Everything you need to know
Knowledge & Insights Resources Hub Case Studies Sectors Glossary News ROI Calculator
Knowledge Base Learn more about infosec
ISO 27001 Knowledge Base SOC 2 Knowledge Base NHS DSPT Knowledge Base PCI DSS Knowledge Base NIST 800-53 Knowledge Base DORA Knowledge Base
Company Security and customers first
About News Partners Contact

Privacy and protection of personal identifiable information (PII)

Annex A control 5.34 of the 2022 version of the ISO 27001 standard can be mapped to ISO 27001:2013 Annex A 18.1.4

Control 5.34 covers the protection of Personal Identifiable Information, otherwise known as PII. In particular, it focuses on three key areas: privacy, protection, and preservation.

The control is designed as a preventative measure to help keep risks at bay, outlining guidelines and procedures to meet legal, regulatory, statutory and contractual obligations surrounding the storage, privacy, and protection of PII in all forms.

What is PII?

PII is a term used to describe any data which can be used to identify a person or persons. This may include a driver’s licence, medical records, address, financial information such as bank accounts, and a National Insurance Number or Social Security Number.

Any data oversight plan conducted by an organisation must take the protection of PII into account, considering the vast array of regulatory, legislative and contractual dangers attached to shared PII.

Guidelines for Annex A Control 5.34

PII protection is a specialised business practice and requires distinct policies to cover the kinds of PII most commonly encountered in the organisation on a day-to-day basis. Control 5.34 describes how organisations must compile, formulate and execute policies dedicated to protecting PII. They must also ensure that all staff working with PII are made aware of these policies and stick to them.

Policies should take into account individual roles, responsibilities and data controls across the organisation, offering a top-down approach in which a dedicated Privacy Officer guides employees and third party organisations through the process of complying with PII obligations.

In order to effectively manage PII while within the business, organisations must adhere to legislative, regulatory and contractual regulations.

Overseas use of control 5.34

It’s important to research relevant legislation concerning PII, as it can change from one country, region, or sector to another. Organisations must review their PII handling requirements, especially when it comes to data shared across different countries.

ISO 27001:2022 does not contain any specific information on how to handle this, but other ISO documents do, including ISO/IEC 29100, ISO/IEC 27701, and ISO/IEC 27018.

What’s changed since 2013?

Annex A control 5.34 replaces ISO 27001:2013 18.1.4 and is almost identical bar two key differences. The first of these is that control 5.34 recommends organisations contemplate a subject-specific policy when developing and implementing PII policies and procedures. The second is that control 5.34 puts greater emphasis on safeguarding PII alongside standard privacy and protection regulations.