UnixTime

Research Note

ISO 27001 A.5.34 - Privacy and Protection of PII

The organization must identify privacy and PII protection requirements that apply to the personal information it collects, stores, processes, transmits, shares, or retains, then...

On this page

Requirement

Requirement lens

Treat this as the control objective. The implementation, evidence, and audit sections explain how to make it operational and provable.

“The organization shall identify and meet the requirements regarding the preservation of privacy and protection of PII according to applicable laws and regulations and contractual requirements.”

Plain-language meaning

The organization must identify privacy and PII protection requirements that apply to the personal information it collects, stores, processes, transmits, shares, or retains, then implement controls to meet those requirements.

Why this matters

PII mishandling can trigger regulatory penalties, breach notification duties, contract breaches, customer harm, reputational damage, and loss of trust. Privacy is not just confidentiality; it also involves lawful purpose, minimization, access, retention, rights, transfer, processing changes, and accountability.

Implementation guidance

Implementer focus

Turn this section into owners, procedures, records, review cadence, and evidence locations. A control is not implemented until it operates repeatedly.

  1. Create and maintain a PII inventory that identifies where PII is located, what categories are held, purposes of use, legal/contractual basis or justification, retention, transfers, access roles, systems, suppliers, and jurisdictions.
  2. Identify applicable laws, regulations, and contractual requirements for collection, processing, access, protection, transfer, retention, breach notification, and disposal of PII.
  3. Assign senior accountability for privacy/PII compliance and operational responsibility for handling PII in systems and processes.
  4. Define and communicate privacy/PII policies and procedures, including collection limits, purpose limitation, access control, transmission, retention, disposal, breach reporting, and change approval.
  5. Train staff who handle PII and verify they understand specific controls and reporting obligations.
  6. Manage changes in PII use through approval and inventory updates, especially new purposes, new systems, new suppliers, new transfers, or new jurisdictions.
  7. Review PII holdings at least annually and verify compliance against applicable legal, regulatory, and contractual requirements.
  8. Maintain a matrix that maps PII protections back to source requirements so changes in law or contract can update controls quickly.

Audit guidance

Auditor focus

Look for evidence that the process operates in practice, not just that a document exists.

Auditors should verify that the organization knows where PII is located, understands applicable legal/regulatory/contractual requirements, has implemented policies and controls, trains relevant staff, controls access and transfer, reviews PII holdings, and monitors changing requirements. Auditors should avoid relying only on policy statements and should sample actual systems, roles, transfers, suppliers, and records.

Evidence examples

Evidence quality

Strong evidence links requirement, owner, action, date, review, and outcome. Weak evidence usually proves only intent.

Evidence What it proves
PII inventory lists data categories, location, purpose, justification, retention, access roles, transfers, systems, suppliers, and jurisdictions. Supports design, implementation, operation, or review
Privacy requirements matrix maps laws, regulations, contracts, and client requirements to implemented controls and evidence. Supports design, implementation, operation, or review
Senior privacy accountability and operational responsibilities Shows privacy ownership is assigned and understood
Staff handling PII receive role-specific training and can explain responsibilities. Supports design, implementation, operation, or review
PII access review records Shows access is role-based, reviewed, and limited to job need

Strong evidence

  • PII inventory lists data categories, location, purpose, justification, retention, access roles, transfers, systems, suppliers, and jurisdictions.
  • Privacy requirements matrix maps laws, regulations, contracts, and client requirements to implemented controls and evidence.
  • Senior privacy accountability and operational responsibilities are assigned and understood.
  • Staff handling PII receive role-specific training and can explain responsibilities.
  • Access to PII is role-based, reviewed, and limited to job need.
  • Annual PII review verifies holdings, purpose, retention, access, transfers, and compliance with current requirements.
  • Breach notification obligations and procedures are documented and tested or exercised where appropriate.

Weak evidence

  • PII is discussed generally but no inventory exists.
  • The organization knows main customer databases but ignores spreadsheets, exports, logs, support tickets, backups, or supplier platforms.
  • Privacy policy exists but does not map to laws, contracts, systems, or controls.
  • Access to PII is broad or not reviewed.
  • Staff handling PII receive only generic security awareness.
  • New PII use cases are launched without approval or inventory updates.
  • Breach notification requirements are unclear.

Common failures

Implementation watchouts

These are the fastest ways this topic fails in real ISMS work.

Failure Why it matters
PII inventory is incomplete The organization cannot protect or comply for data it does not know exists
Purpose and retention are not justified PII may be collected or retained without a valid business or legal reason
Access to PII is excessive More people can view or export personal data than their job requires
PII transfers are not tracked Cross-border, supplier, or customer contractual obligations may be missed
Privacy requirement changes are not monitored Controls can fall behind new legal or contractual deadlines
Breach notification obligations are unclear The organization may miss legally required reporting timescales

Exam traps

Exam focus

Read these as distractor patterns. Exams often test scope, timing, ownership, applicability, and evidence quality.

  • A.5.34 is about identifying and meeting privacy/PII requirements from laws, regulations, and contracts.
  • A PII inventory should include purpose, justification, retention, location, access, transfers, systems, suppliers, and jurisdiction context.
  • A senior role should be accountable for privacy/PII compliance.
  • Staff handling PII need specific awareness of responsibilities and controls.
  • PII use changes should be approved, recorded, and reflected in the asset/PII inventory.
  • Privacy requirements can change quickly; monitoring and timely implementation matter.

KB-ready summary

Quick refresher

Use this section for last-day review and for explaining the topic to a control owner.

A.5.34 requires practical protection of legally or operationally important information. The audit question is whether the organization can show what must be protected, why, where it is, who owns it, how long it is retained, who can access it, and how protection remains effective over time.

Templates and checklists

  • Iso27001
  • Iso27002
  • Annex a
  • Organizational controls
  • Compliance
  • Audit
  • Privacy
  • Pii
  • Data protection
  • Personal data

Note Metadata

Aliases: A.5.34, Privacy and Protection of PII

Source: 02 Annex A Organizational Controls/A.5.34 Privacy and Protection of PII.md

Control dependency map

How this control connects to work products

Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.

12

links

01
02
03

Evidence required

Evidence packs and proof records that support auditability.

04

Audit checks

Audit questions, checklists, or review material connected to the control.

05

Risk treatment

Risk records and ISO 27005 material this control mitigates or supports.

Graph-sourced resources

Templates and evidence

Implementer templates

Working artifacts for control owners and operators.

Auditor evidence packs

Evidence collections and audit-facing verification material.

Risk treatment artifacts

Risk records, mappings, and treatment-supporting references.