A.8.11 Data Masking
In the new ISO 27001 control for A.8.11 Data Masking. It is a good practice or a requirement to mask the PII in the internal system despite the role-based access is implemented?
Also, how will it balance with the business day to day operation?
Assign topic to the user
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more 
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
The implementation of data masking as a good practice or to fulfill a requirement will depend on the results of risk assessment (i.e., relevant risks), and the existence of applicable legal requirements (e.g., laws, regulations, or contracts).
In case you have relevant risks or legal requirements demanding the implementation of data masking, implementing control A.8.1.1 control would be a requirement, otherwise, its implementation could be seen as a good practice.
Regarding its balance with the business day to day operation, you should evaluate the positive impact of its implementation (e.g., reduction of costs due to information security incidents) against negative effects (e.g., reduction in processes performance or productivity), so you can evaluate the extension on ho implement the control.
For example, for some processes, you may implement heavy masking practices and still have acceptable operational results, and for others, even the slighted practices won’t be worth it (and for these cases you may have to accept the risk, since applying the control will bring more problems than solving them).
This article will provide you with further explanation about applying controls:
Comment as guest or Sign in
Nov 21, 2022