When to use this
Use this checklist during an internal audit of masking, pseudonymisation, tokenisation, anonymisation, re-combination, and re-identification controls.
Related controls
- A.8.11 Data Masking
- A.8.11 Audit Evidence Pack
- Data Masking Standard
- Data Masking Decision Register
- Re-Identification Risk Assessment
Audit checklist
- Review data masking standard.
- Review sensitive data inventory and masking decisions.
- Confirm roles permitted to view full data.
- Review masking/tokenisation/anonymisation configuration.
- Check lookup table/key segregation.
- Review re-combination authorization and logs.
- Review deletion of re-combined data.
- Assess potentially identifiable information.
- Test a sample masked/anonymised data set for re-identification risk.
Findings table
| Data set/use case | Expected evidence | Observed evidence | Gap | Finding type | Action owner |
|---|---|---|---|---|---|
| TBD | TBD | TBD | TBD | NC / observation / conforming | TBD |
- Template
- Audit
- Iso27001
- A8 11
Note Metadata
Aliases: A.8.11 Data Masking Audit Checklist
Source: 90 Templates/A.8.11 Audit Checklist.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.