The basics
ISO 27001 control A.8.11 Data masking requires companies to hide data in order to limit the exposure of sensitive information. This is a completely new control in the 2022 revision of the standard.
Documentation
ISO 27001 control A.8.11 Data masking can be documented through three documents:
- Information Classification Policy, to determine which data are sensitive and which categories of data need to be masked
- Access Control Policy, to define who can access which types of masked or unmasked data
- Secure Development Policy, to define the technology used to mask the data
None of these policies is mandatory, but all are recommended for every company.
Implementation
In order to comply with control A.8.11 Data masking, you might implement the following:
- Technology — the technology enabling data masking can include a range of software tools. For example, companies can use tools for pseudonymization or anonymization to mask data where privacy or other regulations require it. Other methods, such as encryption or obfuscation, can also be used.
- Organization/processes — set up a process for determining which data need to be masked and which methods will be used to mask them. These processes can be documented in an Information Classification Policy, a Secure Development Policy, a Privacy Policy / Personal Data Protection Policy, or an Anonymization and Pseudonymization Policy.
- People — make employees aware of why data masking is needed, and train them on which data need to be masked and how.
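As an added illustration (not part of the original page), the following Python script shows how the classification decisions described above can be turned into a masking step: a constructed field-to-method table stands in for what an Information Classification Policy would record, pseudonymization uses a keyed HMAC so that records stay linkable without being reversible, partial masking keeps only what a user needs to recognise a value, and any field nobody classified is redacted by default. The policy table, the sample record and the key are all constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed classification-to-method table, the kind of decision an
# Information Classification Policy would record for each data category.
MASKING_POLICY = {
    "name": "pseudonymize",      # stable token, linkable but not reversible without the key
    "email": "partial",          # keep enough to recognise, hide the rest
    "card_number": "partial",
    "national_id": "redact",     # irreversible removal
    "city": "keep",              # treated as non-sensitive in this example
}

def pseudonymize(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 token: the same input always yields the same token
    (joins still work), but it cannot be reverted without the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]

def partial_mask(value: str) -> str:
    """Show the first character of an e-mail local part, or the last four
    digits of a numeric identifier; everything else becomes '*'."""
    if "@" in value:
        local, domain = value.split("@", 1)
        return local[:1] + "*" * max(len(local) - 1, 0) + "@" + domain
    digits = re.sub(r"\D", "", value)
    return "*" * max(len(digits) - 4, 0) + digits[-4:]

def mask_record(record: dict, key: bytes, policy: dict = MASKING_POLICY) -> dict:
    """Apply the policy field by field. Unknown fields are redacted so that a
    newly added column never leaks just because nobody classified it yet."""
    masked = {}
    for field, value in record.items():
        method = policy.get(field, "redact")
        if method == "keep":
            masked[field] = value
        elif method == "pseudonymize":
            masked[field] = pseudonymize(str(value), key)
        elif method == "partial":
            masked[field] = partial_mask(str(value))
        else:  # "redact" and anything unrecognised
            masked[field] = "[REDACTED]"
    return masked

if __name__ == "__main__":
    # Constructed sample record; the key is a placeholder (use a managed secret in practice).
    key = b"example-key-do-not-use"
    sample = {"name": "Ada Lovelace", "email": "ada@example.org", "city": "London",
              "card_number": "4111 1111 1111 1111", "national_id": "123-45-6789", "phone": "+44 20 7946 0000"}
    print(mask_record(sample, key))
```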
Audit evidence
During the certification audit, the auditor might look for the following evidence regarding control A.8.11 Data masking: whether data masking is applied in line with the relevant policies, business requirements, and applicable legislation.