When to use this
Use this standard to define masking, pseudonymisation, tokenisation, anonymisation, full-data access, and re-identification controls.
Related controls
Method definitions
| Method | Definition | Reversible? | Approved use cases | Approval required |
|---|---|---|---|---|
| Masking | TBD | Yes/No | TBD | TBD |
| Pseudonymisation/tokenisation | TBD | Yes | TBD | TBD |
| Anonymisation | TBD | No | TBD | TBD |
Minimum checks
- Masking methods are defined.
- Full-data access roles are defined.
- Lookup tables/keys are segregated.
- Re-combination is authorized and logged.
- Re-identification risk is assessed.
- Re-combined data is deleted when no longer needed.
- Template
- Iso27001
- Technological controls
- Data masking
- Privacy
Note Metadata
Aliases: Masking Anonymisation Pseudonymisation Standard
Source: 90 Templates/Data Masking Standard.md
Related Notes
- ISO 27001 A.5.34 - Privacy and Protection of PII
- A.8.11 Audit Evidence Pack
- ISO 27001 A.8.11 - Data Masking
- ISO 27001 A.8.3 - Information Access Restriction
- A.8 Technological Controls MOC
- A.8 Technological Controls Implementation Guide
- A.8 Technological Controls Audit Guide
- A.8 Technological Controls Implementation Audit Risk Mapping
- ISO 27002 Annex A Control Interpretation Map
- A.8.11 Audit Checklist
- Data Masking Decision Register
- Templates MOC