top of page

ISO27001:2022─Data masking

Personal information protection has always been the focus of auditing information security management systems, which is reflected in A.18.1.4 Privacy and Protection of Personally Identifiable Information in Legal Compliance and A.14.3.1 Protection of Test Data in practice. In the new version of ISO27001:2022, these two requirements correspond to A.5.34 Privacy and Personal Information Protection and A.8.33 Test Data respectively.

A.8.11 Data masking in the new version of ISO27001:2022 requires organizations to perform data masking according to the needs of regulations, business and different themes to avoid exposure of sensitive data such as personal information; compared with the 2013 version, for sensitive data The requirements for data masking are more specific, and the spirit of compliance with laws and regulations is more emphasized. It is not difficult to see the impact of the EU GDPR (General Data Protection Regulation) and the US CCPA (California Consumer Privacy Act) on the ISO management system in recent years.

In addition, ISO27002:2022 provides a series of technical guidelines for data masking methods, including encryption, deletion/replacement of characters, and hashing, etc., to remove personal data or so-called personally identifiable information (PII). De-identification.

In general, there are two ways of de-identification: Anonymization - masking, masking some characters/symbols so that they cannot be identified as PII. Pseudonymization - new characters generated by random numbers, algorithms, etc., replace the original recognized characters, making it impossible to identify the subject of personal information without additional information. ISO27001:2022 does not mandate which set of methods must be used for de-identification, but it mentions that anonymization has a strong de-identification effect, and requires that if pseudonymization is used, additional information that can compare the subject of personal information must be cut. store. Finally, since A.8.11 Data masking also requires compliance with relevant laws and regulations, when establishing ISMS and performing audit activities, you should pay special attention to the national laws and regulations involved in the scope of verification, including from individual, rom the perspectives of data, de-identification, anonymization, and pseudonymization, how to set up and execute data masking procedures.


bottom of page