Expert Advice Community


A.8.11 Data Masking

Guest user Created:   Nov 21, 2022 Last commented:   Nov 21, 2022

In the new ISO 27001 control A.8.11 Data Masking, is it a good practice or a requirement to mask the PII in the internal system even though role-based access is implemented?

Also, how will it balance with the business day-to-day operation?


Expert
Rhand Leal Nov 21, 2022

The implementation of data masking as a good practice or to fulfill a requirement will depend on the results of risk assessment (i.e., relevant risks), and the existence of applicable legal requirements (e.g., laws, regulations, or contracts).

In case you have relevant risks or legal requirements demanding the implementation of data masking, implementing control A.8.1.1 would be a requirement; otherwise, its implementation could be seen as a good practice.

Regarding its balance with the business day-to-day operation, you should evaluate the positive impact of its implementation (e.g., reduction of costs due to information security incidents) against negative effects (e.g., reduction in process performance or productivity), so you can evaluate the extent to which to implement the control.

For example, for some processes, you may implement heavy masking practices and still have acceptable operational results, and for others, even the slightest practices won’t be worth it (and for these cases you may have to accept the risk, since applying the control will bring more problems than it solves).

This article will provide you with further explanation about applying controls:
