UnixTime

Research Note

ISO 27001 A.8.11 - Data Masking

The organization should hide, replace, tokenize, pseudonymize, or anonymize sensitive data where full visibility is not needed. The goal is to let people or systems use data for...

On this page

Requirement

Requirement lens

This control asks whether data masking is used according to access control policy, related policies, business requirements, and applicable legislation.

“Data masking shall be used in accordance with the organization’s topic-specific policy on access control and other related topic-specific policies, and business requirements, taking applicable legislation into consideration.”

Plain-language meaning

The organization should hide, replace, tokenize, pseudonymize, or anonymize sensitive data where full visibility is not needed. The goal is to let people or systems use data for legitimate purposes without exposing more sensitive information than necessary.

Data masking is not one technique. It includes temporary masking, pseudonymisation/tokenisation, and anonymisation. The difference is whether the original data still exists and whether it can be recovered.

Why this matters

Sensitive data is often copied into test, analytics, reporting, support, training, and development environments. If full data is visible where it is not needed, the organization increases confidentiality, privacy, fraud, and regulatory risk.

Poor anonymisation is also dangerous. Data that appears anonymous may still be identifiable when combined with other available data.

Implementation guidance

Implementer focus

Choose the masking method based on business need, legal requirement, reversibility, and re-identification risk.

1. Define masking methods

Method Plain-language meaning Reversible? Example use
Masking Data is hidden from view but still exists Usually yes Show only last four digits
Pseudonymisation/tokenisation Data is replaced with a token and can be re-linked using a lookup table Yes, with lookup table Payment token or customer token
Anonymisation Identifying data is permanently removed No, if done properly Aggregated public statistics

2. Define who can see full data

Roles permitted to view unmasked data should be explicitly defined and linked to business need. Re-combination or re-identification should require authorization, logging, and review.

3. Protect lookup tables and keys

For pseudonymisation/tokenisation, lookup tables, keys, or re-identification mechanisms should be logically and organizationally separated from tokenized data.

4. Manage re-identification risk

Potentially identifiable information should be assessed. Data may not contain names or direct identifiers but may still identify people when combined with location, role, dates, rare attributes, or public information.

5. Delete re-combined data when no longer needed

Where masked or tokenized data is re-combined into full data, that full data should be protected and deleted as soon as the business need ends.

Audit guidance

Auditor focus

Test whether masking is defined, applied, access-controlled, legally appropriate, and protected against unauthorized re-identification.

Auditors should verify:

  • masking/anonymisation/pseudonymisation definitions;
  • data masking policy or standard;
  • business and legal basis for masking decisions;
  • roles permitted to view full data;
  • re-identification or re-combination process;
  • logs/records of re-combination;
  • protection and segregation of lookup tables or keys;
  • deletion of re-combined data after use;
  • assessment of potentially identifiable information;
  • demonstrations of masking controls.

Auditors may test whether anonymised data can reasonably be re-identified using other available information.

Evidence examples

Evidence quality

Strong evidence proves masking choices are defined, technically enforced, legally considered, and re-identification is controlled.

Evidence What it proves
Data masking standard Rules and method definitions exist
Sensitive data inventory Data requiring masking is known
Role access matrix Full-data access is restricted
Masking configuration/demo Masking is implemented
Token lookup/key segregation evidence Re-identification path is protected
Re-combination logs Full-data restoration is controlled
Re-identification risk assessment Potential identifiability is considered
Deletion records Re-combined data is removed when no longer needed

Strong evidence

  • Masking methods are defined and matched to use cases.
  • Roles allowed to view full data are approved.
  • Token lookup tables are segregated.
  • Re-combination is logged and authorized.
  • Potential re-identification is assessed.
  • Re-combined data is deleted after use.

Weak evidence

  • “Anonymised” data can be re-identified through other fields.
  • Lookup table is stored beside tokenized data.
  • Developers use production data without masking.
  • Full-data access is broad or undefined.
  • Re-combination happens without logging.
  • Masked exports are retained indefinitely.

Common failures

Implementation watchouts

A.8.11 fails when masking is cosmetic, reversible by too many people, or not tested for re-identification risk.

Failure Why it matters
Confusing masking with anonymisation Wrong legal and risk assumptions are made
Lookup table not segregated Tokenized data can be easily re-identified
No full-data role definition Sensitive data is overexposed
Test data not masked Non-production environments become breach paths
Re-combined data retained Temporary access becomes permanent exposure
Potential identifiers ignored “Anonymous” datasets remain identifiable

Exam traps

Exam focus

A.8.11 distinguishes masking, pseudonymisation/tokenisation, and anonymisation. The key issue is whether full data can still be recovered or inferred.

Trap Correct interpretation
Masking deletes data Masking hides data; the original usually still exists
Pseudonymised data is anonymous It can be re-linked using a lookup table or key
Anonymisation is easy True anonymisation is hard because combinations of fields can re-identify people
Lookup tables can stay with tokenized data They should be segregated and protected
Re-combined data can be kept for convenience It should be protected and deleted when no longer needed

KB-ready summary

Mentor takeaway

A.8.11 limits unnecessary exposure of sensitive data. Strong implementation defines masking methods, controls who can see full data, segregates re-identification mechanisms, assesses identifiability, and deletes re-combined data when no longer needed.

  • Define masking, pseudonymisation/tokenisation, and anonymisation.
  • Match masking method to business need and legal requirement.
  • Restrict and log access to full data.
  • Segregate lookup tables and keys.
  • Test whether supposedly anonymous data can be re-identified.

Templates and checklists

  • Iso27001
  • Iso27002
  • Annex a
  • Technological controls
  • Data masking
  • Privacy
  • Audit

Note Metadata

Aliases: A.8.11, Data Masking, Anonymisation, Pseudonymisation, Tokenisation

Source: 05 Annex A Technological Controls/A.8.11 Data Masking.md

Control dependency map

How this control connects to work products

Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.

12

links

01
02
03

Evidence required

Evidence packs and proof records that support auditability.

04

Audit checks

Audit questions, checklists, or review material connected to the control.

Graph-sourced resources

Templates and evidence