
Series: New Controls in ISO/IEC 27001:2022 Annex A

  • sujosutech
  • Jul 18
  • 2 min read

Data Masking

In this article series, we are analyzing the implementation aspects of the 11 new controls of ISO/IEC 27001:2022 Annex A. The seventh article of the series explores the new technological control 8.11 (Data masking).



Control

Control 8.11 (Data masking) defines best practices for masking sensitive data, such as personally identifiable information (PII), in order to limit its exposure and to comply with legal and contractual requirements.


Attributes

Implementing this control helps an organization prevent unnecessary exposure of sensitive information and hence protect its confidentiality. It also helps the organization comply with legal and contractual requirements for data protection.


Implementation

The organization should define processes for hiding or obfuscating sensitive information in line with its security and privacy requirements. Information can be hidden using data masking, pseudonymization or anonymization techniques. Anonymization renders the data principal unidentifiable by altering its PII, so the original identity cannot be recovered. Pseudonymization, by contrast, replaces the PII with an alias, so records can still be linked and the identity can be restored by whoever holds the mapping. Data masking techniques include encryption, character substitution and hashing. These techniques can be applied to data at rest as well as to data in motion.

The data obfuscation techniques should be selected in accordance with business requirements, perceived risks, and relevant laws and regulations. Access restrictions and agreements on the usage of processed data should be considered while implementing data obfuscation.
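The three approaches named above differ in whether the original value can ever be recovered and whether records stay linkable. The following Python, added here as an illustration and not taken from the article or from Sujosu Technology, applies one technique per field of a constructed sample record: character substitution for a card number and phone number, partial masking for an e-mail address, a keyed alias (HMAC-SHA256) for the subject identifier, and generalization of the date of birth and postcode as a simple form of anonymization. The sample record and the `PSEUDONYM_KEY` value are constructed for the example.

```python
"""Added illustration of masking, pseudonymization and anonymization.
Sample data and the key are constructed; nothing here is real PII."""
import hmac
import hashlib
from datetime import date

# Constructed sample record; none of these values belong to a real person.
SAMPLE_RECORD = {
    "name": "Jane Q. Public",
    "email": "jane.public@example.com",
    "card_number": "4111111111111111",
    "phone": "+1-555-0100",
    "dob": "1987-04-12",
    "postcode": "SW1A 1AA",
}

# Hypothetical pseudonymization secret. In a real deployment it belongs in a
# secrets manager with restricted access: whoever holds it can re-link
# aliases to identities by recomputing them, so it is the "additional
# information" that pseudonymization requires to be kept separately.
PSEUDONYM_KEY = b"constructed-demo-key-do-not-reuse"


def mask_characters(value: str, keep_last: int = 4, mask_char: str = "*") -> str:
    """Character substitution: replace every alphanumeric character except the
    last `keep_last`, keeping separators so the field still looks well-formed.
    Irreversible; suited to display, logs and test data."""
    if keep_last < 0:
        raise ValueError("keep_last must be >= 0")
    out = []
    seen = 0
    for ch in reversed(value):
        if ch.isalnum():
            out.append(ch if seen < keep_last else mask_char)
            seen += 1
        else:
            out.append(ch)
    return "".join(reversed(out))


def mask_email(address: str) -> str:
    """Keep the first character of the local part and the full domain."""
    local, sep, domain = address.partition("@")
    if not sep or not local:
        raise ValueError("not an e-mail address")
    return f"{local[0]}***@{domain}"


def pseudonymize(value: str, key: bytes = PSEUDONYM_KEY, length: int = 16) -> str:
    """Replace an identifier with a deterministic alias (truncated HMAC-SHA256).
    The same input always yields the same alias, so records remain joinable.
    A keyed MAC is used rather than a plain hash: low-entropy identifiers such
    as phone numbers are trivially recovered from an unkeyed hash by
    enumerating the input space, whereas the alias cannot be recomputed
    without the key."""
    normalized = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()[:length]


def anonymize_dob(dob_iso: str) -> str:
    """Generalize an exact date of birth to a ten-year birth band."""
    year = date.fromisoformat(dob_iso).year
    decade = year - year % 10
    return f"{decade}-{decade + 9}"


def anonymize_postcode(postcode: str) -> str:
    """Keep only the outward (first) part of a UK-style postcode."""
    return postcode.strip().split()[0].upper()


def obfuscate_record(record: dict, key: bytes = PSEUDONYM_KEY) -> dict:
    """Apply one technique per field, chosen by how the field is used downstream."""
    return {
        "subject_id": pseudonymize(record["name"], key),  # linkable alias
        "email": mask_email(record["email"]),
        "card_number": mask_characters(record["card_number"]),
        "phone": mask_characters(record["phone"]),
        "birth_band": anonymize_dob(record["dob"]),
        "area": anonymize_postcode(record["postcode"]),
    }


if __name__ == "__main__":
    for field, value in obfuscate_record(SAMPLE_RECORD).items():
        print(f"{field:12} {value}")
```

The choice between the functions follows the control's guidance on business requirements and risk: masking is enough where a consumer only needs to recognize a value (the last four digits of a card on a receipt), a keyed alias is needed where analytics must join records without seeing identities, and generalization is appropriate where the data set is released outside the access controls that protect the key. Whether generalized fields such as a birth band plus postcode area are truly anonymous depends on the size of the population they describe, which is a risk assessment rather than a property of the code.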


Artefacts

The contents and implementation of the following security policies and procedures may be impacted by the above control:

Information Classification and Handling Policy – This policy ensures that sensitive information is protected from unauthorized use and disclosure. It helps to identify the information that needs to be masked.

Data Protection Policy – This policy ensures that data is gathered, stored and handled securely, with respect for individual rights. It defines the responsibilities for data masking.

Secure Development Policy – This policy establishes best practices for secure software development, including the techniques for data masking.

Access Control Policy – The access control policy should include rules for accessing masked data as per the security requirements of the organization.


How Sujosu Technology Can Help

Sujosu Technology helps organizations design and implement systems that prioritize cyber security, data privacy and compliance. Our services include:

  • Risk Assessments: Identifying cyber security and privacy requirements and vulnerabilities in applications and infrastructure.

  • Countermeasures and Solutions: Providing tailored strategies to prevent, detect and recover from potential attacks.

  • Compliance Documentation: Helping you comply with the requirements of specific standards and regulations by compiling policies, procedures and other relevant manuals.

  • Training and Awareness: Equipping your team with the knowledge to address cyber security and privacy challenges effectively.


With Sujosu Technology’s expertise, your organization can build systems that are secure and resilient against security and privacy breaches. We can also help you achieve compliance with relevant standards and legislation. Besides, we organize webinars and publish insightful articles to create awareness of various aspects of cyber security and data privacy.


Partner with Sujosu Technology

Protect your data and ensure compliance with Sujosu Technology’s state-of-the-art cyber security and privacy services. Stay ahead of challenges and foster trust with your stakeholders.


