Requirement
Requirement lens
Treat this as the control objective. The implementation, evidence, and audit sections explain how to make it operational and provable.
“The organization shall identify and meet the requirements regarding the preservation of privacy and protection of PII according to applicable laws and regulations and contractual requirements.”
Plain-language meaning
The organization must identify privacy and PII protection requirements that apply to the personal information it collects, stores, processes, transmits, shares, or retains, then implement controls to meet those requirements.
Why this matters
PII mishandling can trigger regulatory penalties, breach notification duties, contract breaches, customer harm, reputational damage, and loss of trust. Privacy is not just confidentiality; it also involves lawful purpose, minimization, access, retention, rights, transfer, processing changes, and accountability.
Implementation guidance
Implementer focus
Turn this section into owners, procedures, records, review cadence, and evidence locations. A control is not implemented until it operates repeatedly.
- Create and maintain a PII inventory that identifies where PII is located, what categories are held, purposes of use, legal/contractual basis or justification, retention, transfers, access roles, systems, suppliers, and jurisdictions.
- Identify applicable laws, regulations, and contractual requirements for collection, processing, access, protection, transfer, retention, breach notification, and disposal of PII.
- Assign senior accountability for privacy/PII compliance and operational responsibility for handling PII in systems and processes.
- Define and communicate privacy/PII policies and procedures, including collection limits, purpose limitation, access control, transmission, retention, disposal, breach reporting, and change approval.
- Train staff who handle PII and verify they understand specific controls and reporting obligations.
- Manage changes in PII use through approval and inventory updates, especially new purposes, new systems, new suppliers, new transfers, or new jurisdictions.
- Review PII holdings at least annually and verify compliance against applicable legal, regulatory, and contractual requirements.
- Maintain a matrix that maps PII protections back to source requirements so changes in law or contract can update controls quickly.
Audit guidance
Auditor focus
Look for evidence that the process operates in practice, not just that a document exists.
Auditors should verify that the organization knows where PII is located, understands applicable legal/regulatory/contractual requirements, has implemented policies and controls, trains relevant staff, controls access and transfer, reviews PII holdings, and monitors changing requirements. Auditors should avoid relying only on policy statements and should sample actual systems, roles, transfers, suppliers, and records.
Evidence examples
Evidence quality
Strong evidence links requirement, owner, action, date, review, and outcome. Weak evidence usually proves only intent.
| Evidence | What it proves |
|---|---|
| PII inventory lists data categories, location, purpose, justification, retention, access roles, transfers, systems, suppliers, and jurisdictions. | Supports design, implementation, operation, or review |
| Privacy requirements matrix maps laws, regulations, contracts, and client requirements to implemented controls and evidence. | Supports design, implementation, operation, or review |
| Senior privacy accountability and operational responsibilities | Shows privacy ownership is assigned and understood |
| Staff handling PII receive role-specific training and can explain responsibilities. | Supports design, implementation, operation, or review |
| PII access review records | Shows access is role-based, reviewed, and limited to job need |
Strong evidence
- PII inventory lists data categories, location, purpose, justification, retention, access roles, transfers, systems, suppliers, and jurisdictions.
- Privacy requirements matrix maps laws, regulations, contracts, and client requirements to implemented controls and evidence.
- Senior privacy accountability and operational responsibilities are assigned and understood.
- Staff handling PII receive role-specific training and can explain responsibilities.
- Access to PII is role-based, reviewed, and limited to job need.
- Annual PII review verifies holdings, purpose, retention, access, transfers, and compliance with current requirements.
- Breach notification obligations and procedures are documented and tested or exercised where appropriate.
Weak evidence
- PII is discussed generally but no inventory exists.
- The organization knows main customer databases but ignores spreadsheets, exports, logs, support tickets, backups, or supplier platforms.
- Privacy policy exists but does not map to laws, contracts, systems, or controls.
- Access to PII is broad or not reviewed.
- Staff handling PII receive only generic security awareness.
- New PII use cases are launched without approval or inventory updates.
- Breach notification requirements are unclear.
Common failures
Implementation watchouts
These are the fastest ways this topic fails in real ISMS work.
| Failure | Why it matters |
|---|---|
| PII inventory is incomplete | The organization cannot protect or comply for data it does not know exists |
| Purpose and retention are not justified | PII may be collected or retained without a valid business or legal reason |
| Access to PII is excessive | More people can view or export personal data than their job requires |
| PII transfers are not tracked | Cross-border, supplier, or customer contractual obligations may be missed |
| Privacy requirement changes are not monitored | Controls can fall behind new legal or contractual deadlines |
| Breach notification obligations are unclear | The organization may miss legally required reporting timescales |
Exam traps
Exam focus
Read these as distractor patterns. Exams often test scope, timing, ownership, applicability, and evidence quality.
- A.5.34 is about identifying and meeting privacy/PII requirements from laws, regulations, and contracts.
- A PII inventory should include purpose, justification, retention, location, access, transfers, systems, suppliers, and jurisdiction context.
- A senior role should be accountable for privacy/PII compliance.
- Staff handling PII need specific awareness of responsibilities and controls.
- PII use changes should be approved, recorded, and reflected in the asset/PII inventory.
- Privacy requirements can change quickly; monitoring and timely implementation matter.
Related controls and concepts
- A.5.31 Legal, Statutory, Regulatory and Contractual Requirements
- A.5.33 Protection of Records
- Information and Associated Asset Inventory
- Risk Assessment
- Internal Audit
- Management Review
- Legal and Contractual Requirements Register
- Evidence Request List
KB-ready summary
Quick refresher
Use this section for last-day review and for explaining the topic to a control owner.
A.5.34 requires practical protection of legally or operationally important information. The audit question is whether the organization can show what must be protected, why, where it is, who owns it, how long it is retained, who can access it, and how protection remains effective over time.
Templates and checklists
- Iso27001
- Iso27002
- Annex a
- Organizational controls
- Compliance
- Audit
- Privacy
- Pii
- Data protection
- Personal data
Note Metadata
Aliases: A.5.34, Privacy and Protection of PII
Source: 02 Annex A Organizational Controls/A.5.34 Privacy and Protection of PII.md
Control dependency map
How this control connects to work products
Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.
12
links
Requirement context
Primary control text, framework notes, or adjacent controls this note points to.
Implementation artifacts
Templates and working records that help operate the control.
Evidence required
Evidence packs and proof records that support auditability.
Audit checks
Audit questions, checklists, or review material connected to the control.
Risk treatment
Risk records and ISO 27005 material this control mitigates or supports.
Graph-sourced resources
Templates and evidence
Implementer templates
Working artifacts for control owners and operators.
Auditor evidence packs
Evidence collections and audit-facing verification material.
Risk treatment artifacts
Risk records, mappings, and treatment-supporting references.
Related Notes
- Internal Audit
- Management Review
- Risk Assessment
- ISO 27001 A.5.31 - Legal, Statutory, Regulatory and Contractual Requirements
- ISO 27001 A.5.33 - Protection of Records
- A.5 Organizational Controls MOC
- ISO 27001 A.6.1 - Screening
- ISO 27001 A.6.2 - Terms and Conditions of Employment
- ISO 27001 A.6.3 - Information Security Awareness, Education and Training
- ISO 27001 A.6.5 - Responsibilities After Termination or Change of Employment
- ISO 27001 A.6.6 - Confidentiality or Non-Disclosure Agreements
- ISO 27001 A.6.7 - Remote Working
- ISO 27001 A.6.8 - Information Security Event Reporting
- A.6 People Controls MOC
- ISO 27001 A.7.10 - Storage Media
- ISO 27001 A.7.14 - Secure Disposal or Re-Use of Equipment
- A.5.34 Audit Evidence Pack
- A.6.1 Audit Evidence Pack
- A.6.2 Audit Evidence Pack
- AQ-ISO27001-A.5.34 Privacy and Protection of PII
- ISO 27001 A.8.10 - Information Deletion
- ISO 27001 A.8.11 - Data Masking
- ISO 27001 A.8.12 - Data Leakage Prevention
- ISO 27001 A.8.24 - Use of Cryptography
- ISO 27001 A.8.33 - Test Information
- A.5 Organizational Controls Implementation Guide
- ISO27001-A.5.34 Privacy and Protection of PII
- A.5 Controls Implementation Audit Risk Mapping
- GDPR to ISO 27001 Engineering Crosswalk
- EXAM-014 - Records, Privacy, and PII
- ISO 27002 Annex A Control Interpretation Map
- A.5.34 Audit Checklist
- Background Verification Checklist
- Data Masking Standard
- Template - Evidence Request List
- Information and Associated Asset Inventory
- Information Retention and Deletion Rules
- Legal and Contractual Requirements Register
- Personnel Screening Register
- PII Handling and Access Review Checklist
- PII Inventory and Privacy Requirements Matrix
- Privacy Breach Notification Readiness Checklist
- Re-Identification Risk Assessment
- Security Training Record
- Sensitive Data Transfer Approval Record
- Annex A Controls MOC