Hi Dejan,
In the new ISO 27001 control A.8.11 Data Masking, is there a need to mask or obfuscate the PII data in the internal system used by the company despite the implementation of role-based access? When the data is actively used daily, how do we balance business operations and security implementation for data masking?
Thank you and I appreciate any advice on this.
Regards,
Liza
1 - In the new ISO 27001 control A.8.11 Data Masking, is there a need to mask or obfuscate the PII data in the internal system used by the company despite the implementation of role-based access?
The implementation of data masking in the internal systems, when you already have other controls implemented, will depend on the results of risk assessment (i.e., relevant risks), and the existence of applicable legal requirements (e.g., laws, regulations, or contracts).
In case you do not have relevant risks or legal requirements demanding the implementation of data masking, you do not need to implement the control.
This article will provide you with further explanation about applying controls:
- Risk treatment https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment
2 - When the data is actively used daily, how do we balance business operations and security implementation for data masking?
To balance security and business operations, you should evaluate the positive impact of data masking implementation (e.g., reduction of costs due to information security incidents) against negative effects (e.g., reduction in process performance or productivity), so you can evaluate the extent to which to implement the control.
For example, for some processes, you may implement heavy masking practices and still have acceptable operational results, and for others, even the slightest practices won't be worth it (and for these cases you may have to accept the risk, since applying the control will bring more problems than it solves).
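As an added illustration (not part of the original answer), the following Python sketch shows how masking strength can be set per process and role on top of role-based access, so that a reporting process gets heavy masking, a helpdesk process light masking, and a process with an accepted risk none. The policy table, field names and roles are assumed values:

```python
# Constructed example: per-process PII masking levels layered on RBAC.
# The policy table, field names and roles below are hypothetical.
from typing import Callable, Dict, Tuple

# Masking strength per (process, role); anything unlisted gets heavy masking.
MASKING_POLICY: Dict[Tuple[str, str], str] = {
    ("reporting", "analyst"): "heavy",   # aggregates only, no need for raw PII
    ("helpdesk", "agent"): "light",      # must recognise the customer, not copy data
    ("payroll", "hr_admin"): "none",     # daily need for raw data; risk accepted
}

def mask_email(value: str, level: str) -> str:
    local, _, domain = value.partition("@")
    if level == "heavy":
        return "***@***"
    if level == "light":
        return local[:1] + "***@" + domain  # keep first letter and domain
    return value

def mask_phone(value: str, level: str) -> str:
    digits = "".join(ch for ch in value if ch.isdigit())
    if level == "heavy":
        return "*" * len(digits)
    if level == "light":
        return "*" * (len(digits) - 4) + digits[-4:]  # last four digits visible
    return value

def mask_name(value: str, level: str) -> str:
    if level == "heavy":
        return "REDACTED"
    if level == "light":
        parts = value.split()
        return parts[0] + " " + parts[-1][0] + "." if len(parts) > 1 else value
    return value

MASKERS: Dict[str, Callable[[str, str], str]] = {
    "email": mask_email, "phone": mask_phone, "name": mask_name,
}

def masking_level(process: str, role: str) -> str:
    """Default to the heaviest masking when no explicit decision was recorded."""
    return MASKING_POLICY.get((process, role), "heavy")

def mask_record(record: Dict[str, str], process: str, role: str) -> Dict[str, str]:
    """Apply the process/role masking level to every PII field in the record."""
    level = masking_level(process, role)
    return {k: MASKERS[k](v, level) if k in MASKERS else v for k, v in record.items()}

if __name__ == "__main__":
    rec = {"id": "c-1001", "name": "Jane Doe", "email": "jane.doe@example.com", "phone": "+1 555 0100 234"}
    for proc, role in [("reporting", "analyst"), ("helpdesk", "agent"), ("payroll", "hr_admin")]:
        print(proc, role, mask_record(rec, proc, role))
```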
Nov 21, 2022