ISO 27001: 2022 A.8.11 Data masking

This article provides additional information on how you can meet the requirement for the ISO 27001: 2022 control A.8.11 Data masking.

ISO 27001: 2022 Control Description

Data masking shall be used in accordance with the organization’s topic-specific policy on access control and other related topic-specific policies, and business requirements, taking applicable legislation into consideration.

Purpose

To limit the exposure of sensitive data, including Personally Identifiable Information (PII), and ensure compliance with legal, statutory, regulatory, and contractual requirements.

Guidance on implementation

When dealing with sensitive data such as PII, it’s important to consider techniques like data masking, pseudonymisation, or anonymisation to protect that information. Here’s how to approach these methods:

Data Masking and Protection Techniques

  1. Pseudonymisation and Anonymisation:
    • These techniques hide PII or sensitive information by either replacing it with aliases (pseudonymisation) or permanently removing any link to the identity (anonymisation). Ensure that the data is thoroughly anonymised or pseudonymised to prevent any possibility of identifying individuals indirectly.
  2. Other Data Masking Techniques:
    • Encryption: Renders data unreadable to anyone without the decryption key, so only authorised key holders can access it.
    • Nulling or Deletion: Removes or replaces part of a value so that the full value is not exposed to unauthorised users.
    • Varying Numbers and Dates: Alters specific details to hide the original information.
    • Substitution: Replaces sensitive data with alternative values.
    • Hashing: Converts data into a fixed-length digest that can stand in for the sensitive value.

Implementing Data Masking

When implementing data masking techniques, consider the following:

  1. Minimising Data Access:
    • Design queries and masks so that users only see the minimum amount of data necessary for their role.
  2. Selective Data Obfuscation:
    • Implement mechanisms to obfuscate data in specific cases. For example, in a hospital setting, if a patient wishes to restrict access to certain records, staff may only see partially obfuscated data. Full access should be limited to those with specific roles.
  3. Double Obfuscation:
    • Provide options for PII principals (like patients) to further obfuscate the data so that even the obfuscation itself is hidden. This might be used in sensitive cases, such as hiding the fact that certain medical tests or conditions are being concealed.
  4. Legal and Regulatory Compliance:
    • Ensure that data masking meets any legal or regulatory requirements, such as masking payment card details during processing or storage.

Considerations for Data Masking, Pseudonymisation, and Anonymisation

When using these techniques, consider:

  1. Strength of Protection:
    • The level of data masking, pseudonymisation, or anonymisation should align with the sensitivity and intended use of the processed data.
  2. Access Controls:
    • Ensure strict access controls are in place for the processed data.
  3. Usage Agreements:
    • Implement agreements or restrictions on how processed data can be used, ensuring that it cannot be combined with other information to re-identify individuals.
  4. Tracking Data Handling:
    • Keep records of who provides and receives the processed data to ensure proper handling.

Anonymisation vs Pseudonymisation

  • Anonymisation: Irreversibly alters PII so that individuals cannot be identified, either directly or indirectly.
  • Pseudonymisation: Replaces identifying information with an alias, but can still allow for some level of re-identification if the pseudonymisation algorithm (or “additional information”) is known. This additional information must be kept separate and secured.

Additional Information

  • Data Masking Methods:
    • Static Masking: Data is masked in the original database.
    • Dynamic Masking: Data is masked in real time as it is queried, according to automated rules.
    • On-the-Fly Masking: Data is masked in an application’s memory.
  • Hashing: When using hash functions for anonymisation, always combine them with a salt (a secret random value) so that the hash cannot be reversed by guessing or precomputing likely inputs.
  • Resource Identifiers: Avoid or anonymise PII in resource identifiers like file names or URLs.
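As an added illustration that is not part of the ISO text or of this article, the following Python sketch applies the techniques listed above (nulling, pseudonymisation, varying dates, role-based minimum views) to a constructed patient record, and shows why the salt/key caveat under Hashing matters for low-entropy values such as a date of birth. The record, the roles and the field-to-technique mapping are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
from datetime import date, timedelta

# Constructed sample record; every value is fictitious.
PATIENT = {"name": "Ada Example", "card": "4111111111111111",
           "dob": date(1984, 3, 9), "diagnosis": "Condition X"}

# The pseudonymisation "additional information": a secret key that must be
# stored separately from the masked data set (assumed: generated per run).
PSEUDONYM_KEY = secrets.token_bytes(32)

def pseudonymise(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash (HMAC) gives a stable alias; without the key it cannot be matched."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]

def mask_card(pan: str) -> str:
    """Nulling: obscure all but the last four digits of a payment card number."""
    return "*" * (len(pan) - 4) + pan[-4:]

def vary_date(d: date, key: bytes = PSEUDONYM_KEY, window: int = 30) -> date:
    """Varying dates: shift by a key-derived offset in [-window, +window] days,
    so the same input always maps to the same shifted date."""
    digest = hmac.new(key, d.isoformat().encode(), hashlib.sha256).digest()
    offset = int.from_bytes(digest[:2], "big") % (2 * window + 1) - window
    return d + timedelta(days=offset)

# Minimum fields each role may see in clear (assumed roles); unknown roles see nothing.
ROLE_FIELDS = {"billing": {"card"}, "clinician": {"name", "dob", "diagnosis"},
               "researcher": {"diagnosis"}}

def view_for_role(record: dict, role: str) -> dict:
    """Dynamic masking: apply the technique suited to each field the role may not see."""
    clear = ROLE_FIELDS.get(role, set())
    masked = {"card": mask_card, "name": pseudonymise, "dob": vary_date,
              "diagnosis": lambda _: "[restricted]"}
    return {f: (v if f in clear else masked[f](v)) for f, v in record.items()}

def plain_sha256(text: str) -> str:
    """Unkeyed, unsalted hash: what the Hashing caveat above warns against."""
    return hashlib.sha256(text.encode()).hexdigest()

def dob_from_plain_hash(digest: str, first_year: int = 1940, last_year: int = 2010):
    """Check showing why a plain hash is not anonymisation: a date of birth has
    only ~26k plausible values, so its unsalted SHA-256 is recovered by enumeration."""
    d, end = date(first_year, 1, 1), date(last_year, 12, 31)
    while d <= end:
        if plain_sha256(d.isoformat()) == digest:
            return d
        d += timedelta(days=1)
    return None
```

Running `view_for_role(PATIENT, "researcher")` yields a record with a pseudonymised name, a masked card number and a shifted date of birth, while `dob_from_plain_hash(plain_sha256("1984-03-09"))` recovers the original date, which is the reason to use a keyed or salted hash instead.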