The basics
ISO 27001 control A.5.34 Privacy and protection of PII (Annex A of ISO/IEC 27001:2022) requires the organization to identify and meet the requirements for preserving privacy and protecting personally identifiable information (PII), i.e., personal data or any data that can be used to identify a person, in accordance with the applicable laws, regulations and contractual obligations.
Documentation
ISO 27001 control A.5.34 Privacy and protection of PII can be documented by writing a Privacy Policy.
ISO 27001 does not make this policy a mandatory document, but it is recommended for all companies.
Implementation
In order to comply with control A.5.34 Privacy and protection of PII you might implement the following:
- Technology — the technology used to protect privacy and personally identifiable information (PII) may include software (e.g., access control software, backup software, digital signatures, a document management system) and hardware (e.g., secure cabinets for paper records).
- Organization/processes — define how PII is handled, which safeguards must be implemented, and who is responsible for protecting PII, and document these processes in the Privacy Policy.
- People — make employees aware of why the protection of PII is needed, and train them on how to protect PII under their responsibility.
Audit evidence
During the certification audit, the auditor might look for the following evidence regarding control A.5.34 Privacy and protection of PII: whether the applicable legal, regulatory and contractual requirements for PII have been identified, and whether personal data or data that can be used to identify a person is protected accordingly.