ISO 27001 Annex A 5.34

Personal data has its own legal regime on top of information security.

ISO 27001 Annex A 5.34 - Privacy and Protection of PII

Personally identifiable information sits at the intersection of information security and data protection. The control sits inside ISO 27001 but most of the substance comes from data protection law - UK GDPR and the Data Protection Act 2018 in the UK. The control asks the organisation to identify the legal requirements that apply, build them into the management system, and demonstrate compliance.

The starting point is identification. What personal data is held, for what purpose, on what lawful basis, for how long, with what controls. Most of this is documented in the records of processing required under UK GDPR, which sits naturally alongside the information assets register and the personal data register. The two together give the organisation a clear picture of personal data handled.

Implementation goes beyond documentation. Data subject rights have to be supported - subject access, rectification, erasure, restriction. Privacy by design has to be embedded in projects under Annex A 5.8. Personal data breaches have to be detected, reported and managed under the incident process. Where personal data is shared with processors or transferred internationally, the legal basis and contractual protections have to be in place.

The audit test for this control is whether the organisation can answer the basic privacy questions. What personal data do you hold? On what lawful basis? For how long? Who has access? What happens if a subject access request comes in tomorrow? If the answers are quick and consistent, the control is in place. If they are vague, or different people give different answers, that is the finding.

Practical Compliance Guidance

Privacy and personal data protection is described in the IMS1 manual at section 8.5 alongside the topic-specific Privacy and Protection of PII Policy. The personal data register and the legal register hold the practical record.

alphaZ document - How to use it

ISO 27001 Toolkit - The full alphaZ ISO 27001 toolkit covering manual, policies, procedures, registers and audit checklists.

F-IMS24 Personal Data Register - The personal data register holding records of processing activities, including purpose, lawful basis, retention, sharing and security arrangements. This sits alongside the wider information assets register.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

Does the organisation need a Data Protection Officer?

UK GDPR requires a DPO for public authorities and for organisations whose core activities involve large-scale monitoring of individuals or processing of special category data. Most other organisations are not legally required to appoint one but may choose to designate someone with day-to-day data protection responsibility. The role can be combined with other duties where the size of the organisation allows.

How does ISO 27001 relate to UK GDPR?

UK GDPR sets specific legal obligations for personal data. ISO 27001 provides a framework for managing information security generally, including personal data. They overlap significantly - good information security supports compliance with the security requirements in UK GDPR Article 32 - but they are separate frameworks with separate scopes. ISO 27001 certification does not equal UK GDPR compliance.

How are personal data breaches handled?

Through the incident management process under A.5.24 to A.5.27. UK GDPR adds specific obligations on top - notification to the ICO within 72 hours where there is likely risk to individuals, and notification to affected individuals where the risk is high. The incident process should include the specific personal data breach assessment and notification steps.

UK Legislation

The privacy and PII protection control is closely tied to UK data protection law. The principal legislation includes:

Further Resources
