Expert Advice Community

ISO 27001 A.8.11

Liza Pacana | Created: Nov 17, 2022 | Last commented: Nov 21, 2022

Hi Dejan,

In the new ISO 27001 control A.8.11 Data Masking, is there a need to mask or obfuscate the PII data in the internal system used by the company despite the implementation of role-based access? When the data is actively used daily, how do we balance business operations and security implementation for data masking?

Thank you and I appreciate any advice on this.

Regards, 

Liza

Expert
Rhand Leal Nov 21, 2022

1 - In the new ISO 27001 control A.8.11 Data Masking, is there a need to mask or obfuscate the PII data in the internal system used by the company despite the implementation of role-based access?

The implementation of data masking in the internal systems, when you already have other controls implemented, will depend on the results of risk assessment (i.e., relevant risks), and the existence of applicable legal requirements (e.g., laws, regulations, or contracts).

In case you do not have relevant risks or legal requirements demanding the implementation of data masking, you do not need to implement the control.

This article will provide you with further explanation about applying controls:

2 - When the data is actively used daily, how do we balance business operations and security implementation for data masking?

To balance security and business operations, you should evaluate the positive impact of data masking implementation (e.g., reduction of costs due to information security incidents) against negative effects (e.g., reduction in process performance or productivity), so you can evaluate the extent to which to implement the control.

For example, for some processes, you may implement heavy masking practices and still have acceptable operational results, and for others, even the slightest practices won't be worth it (and for these cases you may have to accept the risk, since applying the control will bring more problems than it solves).
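The answer above distinguishes "heavy" masking (nothing of the original value survives) from lighter practices chosen per process, with role-based access deciding who needs what. The following is an added example, not code from the thread or from Advisera, showing what that looks like in practice: a per-role masking policy that applies redaction, partial masking, or keyed pseudonymization to PII fields, and fails closed (redacts everything) for a role the policy does not know. The field names, roles, sample record and key are all constructed for the example.

```python
"""Illustrative PII masking helpers (added example, not from the forum thread).

Assumptions, not stated in the thread: records are dicts with the fields used in
SAMPLE_RECORD, and the viewer's role selects the masking level per field.
"""
import hashlib
import hmac
import re

# Constructed demo key; a real deployment would load it from a secrets store.
PSEUDONYM_KEY = b"constructed-demo-key-not-for-production"

# Fields treated as PII; anything else passes through unchanged.
PII_FIELDS = {"email", "phone", "national_id"}


def pseudonymize(value: str) -> str:
    """Keyed, deterministic token: equal inputs give equal tokens (so analysts can
    still join or count records), but the value cannot be recovered without the key."""
    return hmac.new(PSEUDONYM_KEY, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def mask_email(value: str) -> str:
    """Light masking: keep the first character of the local part and the domain."""
    local, _, domain = value.partition("@")
    if not domain or not local:
        return "*" * len(value)
    return local[0] + "*" * (len(local) - 1) + "@" + domain


def mask_phone(value: str) -> str:
    """Light masking: keep only the last four digits."""
    digits = re.sub(r"\D", "", value)
    return "*" * max(len(digits) - 4, 0) + digits[-4:]


def redact(value: str) -> str:
    """Heavy masking: no information about the original value survives."""
    return "[REDACTED]"


# Per-role policy: heavy masking where a role has no business need for the value,
# light masking where partial data supports the process, raw access for a role
# whose job requires it. This is the "extent of the control" the answer describes.
POLICY = {
    "support_agent": {"email": mask_email, "phone": mask_phone, "national_id": redact},
    "analyst": {"email": pseudonymize, "phone": redact, "national_id": pseudonymize},
    "privacy_officer": {},  # no transformation: sees raw values
}


def mask_record(record: dict, role: str) -> dict:
    """Return a copy of record with PII fields transformed according to role.
    Unknown roles fail closed: every PII field is redacted."""
    rules = POLICY.get(role)
    out = {}
    for field, value in record.items():
        if field not in PII_FIELDS or not isinstance(value, str):
            out[field] = value
        elif rules is None:
            out[field] = redact(value)
        else:
            out[field] = rules.get(field, lambda v: v)(value)
    return out


# Constructed sample record for demonstration.
SAMPLE_RECORD = {
    "ticket_id": "T-1001",
    "email": "jane.doe@example.com",
    "phone": "+1 555 010 4242",
    "national_id": "123-45-6789",
}

if __name__ == "__main__":
    for role in ("support_agent", "analyst", "privacy_officer", "contractor"):
        print(role, mask_record(SAMPLE_RECORD, role))
```

The policy table is where the cost/benefit trade-off from the answer lands: a support process that only needs to confirm a caller's phone number keeps the last four digits, an analytics process gets stable pseudonyms instead of raw identifiers, and the role that genuinely needs the raw data is the only one that gets it.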

Liza Pacana Nov 21, 2022

Thank you, Rhand! This is very insightful.
