Privacy and Protection of Personally Identifiable Information
Ensure privacy and PII protection according to laws and contracts.
Plain language
This control is all about making sure your business handles people's personal information in a way that respects their privacy and complies with laws. If you don't take this seriously, you could face hefty fines and lose the trust of your customers if their private information gets mishandled or exposed.
Framework
ISO/IEC 27001:2022
Control effect
Preventative
ISO 27001 domain
Organisational controls
Classifications
N/A
Official last update
24 Oct 2022
Control Stack last updated
19 Mar 2026
Maturity levels
N/A
Official control statement
The organization shall identify and meet the requirements regarding the preservation of privacy and protection of PII according to applicable laws and regulations and contractual requirements.
Why it matters
Mishandling PII can lead to significant fines and brand damage, eroding customer trust and exposing the organisation to legal actions.
Operational notes
Regularly audit data handling processes for compliance with privacy laws and ensure all staff are trained on the latest PII protection practices.
Implementation tips
- The IT manager should develop a privacy policy specifically focusing on protecting personally identifiable information (PII). Start by reviewing the Privacy Act 1988 and relevant Australian legislation to create a policy that aligns with legal requirements and company practices.
- The HR department should ensure all employees are informed and trained on the privacy policy and PII protection procedures. Conduct regular training sessions and provide materials that make it easy for everyone to understand their role in safeguarding personal information.
- A designated privacy officer should be appointed to oversee PII protection. This person will guide team members on handling PII, monitor compliance with policies, and be the go-to contact for any privacy-related questions or issues.
- The compliance officer should regularly review and update procedures to ensure they match current laws and regulations. Check the Office of the Australian Information Commissioner's (OAIC) updates for any changes in data protection requirements and adjust processes accordingly.
- The technical team should implement protective measures like encryption and access controls to secure PII. Use software tools to ensure data stored digitally is protected and only accessible to authorised personnel.
Audit / evidence tips
- Ask: Request the organisation's privacy policy documents.
  Good: A comprehensive policy is available, reflecting compliance with the Privacy Act and detailing procedures for protecting PII.
- Ask: Ask for training records and materials about PII protection.
  Good: Regularly updated training sessions are recorded, and employees can demonstrate knowledge of privacy procedures.
- Ask: Request records detailing the appointment and roles of a privacy officer.
  Good: A privacy officer is formally designated, with clear responsibilities outlined and communicated across the organisation.
- Ask: Ask for compliance check reports with current laws regarding PII.
  Good: Frequent reviews are documented, with policy adjustments tracked against changes in laws.
- Ask: Request information on technical measures used to protect PII.
  Good: The organisation uses recognised technologies to secure PII, with logs showing controlled access to sensitive information.
Cross-framework mappings
How Annex A 5.34 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (3) | | |
| ISM-1395 | ISM-1395 requires service providers to apply appropriate protection to data entrusted to them or their services | |
| ISM-1880 | Annex A 5.34 requires the organisation to identify and meet applicable legal, regulatory, and contractual requirements for privacy and pr... | |
| ISM-2021 | ISM-2021 requires system owners to limit data collection and storage to what is necessary, reducing exposure from excessive retained info... | |
| Supports (7) | | |
| ISM-0821 | Annex A 5.34 requires the organisation to meet privacy and PII requirements, including preventing inappropriate disclosure | |
| ISM-1268 | ISM-1268 requires enforcing need-to-know for database contents and includes controls like minimum privileges and tokenisation to limit ex... | |
| ISM-1478 | Annex A 5.34 requires compliance with privacy and PII protection requirements derived from laws and contracts | |
| ISM-1626 | Annex A 5.34 requires identifying and meeting privacy and PII protection requirements under applicable law | |
| ISM-2002 | Annex A 5.34 requires the organisation to comply with privacy and PII obligations arising from laws and regulations | |
| ISM-2046 | ISM-2046 requires sensitive data not to be logged and ensures that permissions are set appropriately in software that allows user imperso... | |
| ISM-2103 | ISM-2103 requires that organisational data produced or handled by AI applications is not used to train, fine-tune, or improve AI models u... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.