When to use this
Practical use
Use this as a working artifact. Fill it with real owners, dates, decisions, evidence locations, and review status.
Use this during internal audits to test whether A.5.34 Privacy and Protection of PII is designed, implemented, operating, and evidenced.
Audit checklist
- PII inventory lists data categories, location, purpose, justification, retention, access roles, transfers, systems, suppliers, and jurisdictions.
- Privacy requirements matrix maps laws, regulations, contracts, and client requirements to implemented controls and evidence.
- Senior privacy accountability and operational responsibilities are assigned and understood.
- Staff handling PII receive role-specific training and can explain responsibilities.
- Access to PII is role-based, reviewed, and limited to job need.
- Annual PII review verifies holdings, purpose, retention, access, transfers, and compliance with current requirements.
Evidence requested
- Inventory or register reviewed.
- Responsible owner interviewed.
- Sample records/systems selected.
- Evidence location recorded.
- Gaps converted into findings or corrective actions.
Related notes
- Iso27001
- ISO27002
- Template
- Audit
- A5 34
Note Metadata
Aliases: A.5.34 Checklist
Source: 90 Templates/A.5.34 Audit Checklist.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.