Requirement
Requirement lens
This control asks whether data masking is used according to access control policy, related policies, business requirements, and applicable legislation.
“Data masking shall be used in accordance with the organization’s topic-specific policy on access control and other related topic-specific policies, and business requirements, taking applicable legislation into consideration.”
Plain-language meaning
The organization should hide, replace, tokenize, pseudonymize, or anonymize sensitive data where full visibility is not needed. The goal is to let people or systems use data for legitimate purposes without exposing more sensitive information than necessary.
Data masking is not one technique. It includes temporary masking, pseudonymisation/tokenisation, and anonymisation. The difference is whether the original data still exists and whether it can be recovered.
Why this matters
Sensitive data is often copied into test, analytics, reporting, support, training, and development environments. If full data is visible where it is not needed, the organization increases confidentiality, privacy, fraud, and regulatory risk.
Poor anonymisation is also dangerous. Data that appears anonymous may still be identifiable when combined with other available data.
Implementation guidance
Implementer focus
Choose the masking method based on business need, legal requirement, reversibility, and re-identification risk.
1. Define masking methods
| Method | Plain-language meaning | Reversible? | Example use |
|---|---|---|---|
| Masking | Data is hidden from view but still exists | Usually yes | Show only last four digits |
| Pseudonymisation/tokenisation | Data is replaced with a token and can be re-linked using a lookup table | Yes, with lookup table | Payment token or customer token |
| Anonymisation | Identifying data is permanently removed | No, if done properly | Aggregated public statistics |
2. Define who can see full data
Roles permitted to view unmasked data should be explicitly defined and linked to business need. Re-combination or re-identification should require authorization, logging, and review.
3. Protect lookup tables and keys
For pseudonymisation/tokenisation, lookup tables, keys, or re-identification mechanisms should be logically and organizationally separated from tokenized data.
4. Manage re-identification risk
Potentially identifiable information should be assessed. Data may not contain names or direct identifiers but may still identify people when combined with location, role, dates, rare attributes, or public information.
5. Delete re-combined data when no longer needed
Where masked or tokenized data is re-combined into full data, that full data should be protected and deleted as soon as the business need ends.
Audit guidance
Auditor focus
Test whether masking is defined, applied, access-controlled, legally appropriate, and protected against unauthorized re-identification.
Auditors should verify:
- masking/anonymisation/pseudonymisation definitions;
- data masking policy or standard;
- business and legal basis for masking decisions;
- roles permitted to view full data;
- re-identification or re-combination process;
- logs/records of re-combination;
- protection and segregation of lookup tables or keys;
- deletion of re-combined data after use;
- assessment of potentially identifiable information;
- demonstrations of masking controls.
Auditors may test whether anonymised data can reasonably be re-identified using other available information.
Evidence examples
Evidence quality
Strong evidence proves masking choices are defined, technically enforced, legally considered, and re-identification is controlled.
| Evidence | What it proves |
|---|---|
| Data masking standard | Rules and method definitions exist |
| Sensitive data inventory | Data requiring masking is known |
| Role access matrix | Full-data access is restricted |
| Masking configuration/demo | Masking is implemented |
| Token lookup/key segregation evidence | Re-identification path is protected |
| Re-combination logs | Full-data restoration is controlled |
| Re-identification risk assessment | Potential identifiability is considered |
| Deletion records | Re-combined data is removed when no longer needed |
Strong evidence
- Masking methods are defined and matched to use cases.
- Roles allowed to view full data are approved.
- Token lookup tables are segregated.
- Re-combination is logged and authorized.
- Potential re-identification is assessed.
- Re-combined data is deleted after use.
Weak evidence
- “Anonymised” data can be re-identified through other fields.
- Lookup table is stored beside tokenized data.
- Developers use production data without masking.
- Full-data access is broad or undefined.
- Re-combination happens without logging.
- Masked exports are retained indefinitely.
Common failures
Implementation watchouts
A.8.11 fails when masking is cosmetic, reversible by too many people, or not tested for re-identification risk.
| Failure | Why it matters |
|---|---|
| Confusing masking with anonymisation | Wrong legal and risk assumptions are made |
| Lookup table not segregated | Tokenized data can be easily re-identified |
| No full-data role definition | Sensitive data is overexposed |
| Test data not masked | Non-production environments become breach paths |
| Re-combined data retained | Temporary access becomes permanent exposure |
| Potential identifiers ignored | “Anonymous” datasets remain identifiable |
Exam traps
Exam focus
A.8.11 distinguishes masking, pseudonymisation/tokenisation, and anonymisation. The key issue is whether full data can still be recovered or inferred.
| Trap | Correct interpretation |
|---|---|
| Masking deletes data | Masking hides data; the original usually still exists |
| Pseudonymised data is anonymous | It can be re-linked using a lookup table or key |
| Anonymisation is easy | True anonymisation is hard because combinations of fields can re-identify people |
| Lookup tables can stay with tokenized data | They should be segregated and protected |
| Re-combined data can be kept for convenience | It should be protected and deleted when no longer needed |
Related controls and concepts
- A.8 Technological Controls MOC
- A.8.3 Information Access Restriction
- A.8.10 Information Deletion
- A.5.34 Privacy and Protection of PII
- A.5.12 Classification of Information
- A.5.13 Labelling of Information
- A.5.15 Access Control
- PII Inventory and Privacy Requirements Matrix
- Information Classification and Handling Matrix
- Data Masking Standard
- Data Masking Decision Register
- Re-Identification Risk Assessment
- A.8.11 Audit Evidence Pack
- A.8.11 Audit Checklist
KB-ready summary
Mentor takeaway
A.8.11 limits unnecessary exposure of sensitive data. Strong implementation defines masking methods, controls who can see full data, segregates re-identification mechanisms, assesses identifiability, and deletes re-combined data when no longer needed.
- Define masking, pseudonymisation/tokenisation, and anonymisation.
- Match masking method to business need and legal requirement.
- Restrict and log access to full data.
- Segregate lookup tables and keys.
- Test whether supposedly anonymous data can be re-identified.
Templates and checklists
- Iso27001
- Iso27002
- Annex a
- Technological controls
- Data masking
- Privacy
- Audit
Note Metadata
Aliases: A.8.11, Data Masking, Anonymisation, Pseudonymisation, Tokenisation
Source: 05 Annex A Technological Controls/A.8.11 Data Masking.md
Control dependency map
How this control connects to work products
Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.
12
links
Control
ISO 27001 A.8.11 - Data MaskingRequirement context
Primary control text, framework notes, or adjacent controls this note points to.
Implementation artifacts
Templates and working records that help operate the control.
Evidence required
Evidence packs and proof records that support auditability.
Audit checks
Audit questions, checklists, or review material connected to the control.
Graph-sourced resources
Templates and evidence
Implementer templates
Working artifacts for control owners and operators.
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- ISO 27001 A.5.12 - Classification of Information
- ISO 27001 A.5.13 - Labelling of Information
- ISO 27001 A.5.15 - Access Control
- ISO 27001 A.5.34 - Privacy and Protection of PII
- A.8.11 Audit Evidence Pack
- ISO 27001 A.8.10 - Information Deletion
- ISO 27001 A.8.12 - Data Leakage Prevention
- ISO 27001 A.8.3 - Information Access Restriction
- ISO 27001 A.8.31 - Separation of Development Test and Production Environments
- ISO 27001 A.8.33 - Test Information
- A.8 Technological Controls MOC
- A.8 Technological Controls Implementation Guide
- A.8 Technological Controls Audit Guide
- ISO27001-A.8.11 Data Masking
- A.8 Technological Controls Implementation Audit Risk Mapping
- EXAM-031 - Deletion and Data Masking
- ISO 27002 Annex A Control Interpretation Map
- A.8.11 Audit Checklist
- Data Masking Decision Register
- Data Masking Standard
- Information Classification and Handling Matrix
- PII Inventory and Privacy Requirements Matrix
- Re-Identification Risk Assessment
- Test Data Protection Checklist
- Test Data Security Approval Record
- Annex A Controls MOC