Data Compliance

ISO/IEC 27001:2022 Makes Data Masking a Global Security Standard

ISO/IEC 27001:2022 has been updated to reflect information security's latest developments while also addressing evolving threats, and one of the key changes is a new requirement for data masking.

Pritesh Parekh

May 15, 2023

Table Of Contents

    ISO/IEC 27001:2022 is the latest version of the international standard for information security management systems (ISMS). The previous version, ISO/IEC 27001:2013, has been updated to reflect the evolving threat landscape and to ensure that organizations are better equipped to manage the risks associated with information security. Among the additions in the new version is Annex 8.11 for Data Masking. 

    In this article, we will discuss the changes made to ISO/IEC 27001:2022 (hereinafter referred to as ISO 27001, unless greater specificity is required) and focus on the new data masking requirement.

    What is ISO 27001?

    ISO 27001 is a globally recognized standard for information security management systems. It provides a systematic approach to managing and protecting sensitive information through the use of risk management processes. The standard is applicable to all types of organizations, regardless of their size or industry sector. Compliance with ISO 27001 helps organizations demonstrate their commitment to protecting their information assets, which can be a valuable asset in terms of customer trust and confidence.

    What has changed since ISO/IEC 27001:2013?

    ISO/IEC 27001:2022 has been updated to reflect the latest developments in information security and to address the evolving threat landscape. Some of the key changes in the new version include:

    • A greater focus on risk management: ISO/IEC 27001:2022 places a greater emphasis on risk management, including the identification, assessment, and treatment of information security risks.

    • Greater alignment with other ISO standards: The new version of ISO 27001 has been designed to be more aligned with other ISO standards, such as ISO 31000 for risk management and ISO 22301 for business continuity management.

    • A more flexible approach to documentation: The new version of the standard provides more flexibility in terms of the documentation required, which should make it easier for organizations to implement and maintain their ISMS.

    • Improved emphasis on leadership: The new standard places a greater emphasis on the role of leadership in the implementation and maintenance of the ISMS.

    What is the new data masking requirement?

    One of the key changes in ISO 27001 is the new requirement for data masking. Data masking is a technique used to protect sensitive data by replacing it with fictitious but realistic data. The purpose of data masking is to prevent unauthorized access to sensitive data and to ensure that only authorized individuals have access to the actual data.

    The new requirement for PII data masking in ISO 27001 is aimed at helping organizations better protect their sensitive information, especially personal information such as identity details, health records, and financial data. This requirement states that organizations should implement data masking techniques for all sensitive data based on a risk assessment. In other words, masking should be implemented appropriately according to the level of risk associated with the data.

    To comply with this requirement, organizations should take the following steps:

    1. Identify sensitive data: The first step is to identify all sensitive data within the organization, including personal data, financial data, and other confidential information. What comprises sensitive data will depend on your company, industry, customers, and other factors. To get a sense of where Delphix starts in identifying sensitive data, see our user documentation that discusses our masking profile sets

    2. Assess risks: Organizations should assess the risks associated with the sensitive data to determine the appropriate level of data masking required. This assessment should take into account the potential impact of a data breach or unauthorized access to the sensitive data.

    3. Determine data masking techniques: Based on the risk assessment, organizations should determine the appropriate data masking techniques to use. These techniques may include methods such as data encryption, tokenization, or anonymization. Compare data masking vs. data encryption in more detail.

    4. Implement data masking: Once the appropriate data masking techniques have been identified, organizations should implement them to protect sensitive data. This may involve working with third-party vendors to implement data masking solutions or developing in-house solutions.

    5. Monitor and review: Organizations should monitor and review their data masking solutions on an ongoing basis to ensure they are effective in protecting sensitive data. This may involve regular testing and auditing of data masking solutions to ensure they are working as intended.

    Overall, the requirement for data masking in ISO 27001 is an important measure for protecting sensitive information. By implementing appropriate data masking techniques, organizations can minimize the risk of unauthorized access to sensitive data and demonstrate their commitment to information security.

    2024 Masking Insights: Revealed and Analyzed by the Delphix Experts

    How are you protecting sensitive data in non-production environments? In our recent State of Data Compliance and Security Report, 66% cited use of static data masking. Discover other masking insights, including how to use masking for data compliance — without making trade-offs for quality or speed!

    Watch the on-demand webinar to learn more.

    Watch masking insights >>

    Who must comply with ISO 27001?

    Like its predecessors from 2013 and before, ISO/IEC 27001:2022 is a globally recognized standard applicable to all types of organizations, regardless of their size, industry sector, or location. Any organization that processes, stores, or transmits sensitive information should consider implementing ISO 27001 to better manage and protect their information assets.

    Compliance with ISO 27001 is not mandatory. However, there may be legal, regulatory, or contractual requirements that mandate compliance with the standard or which may be satisfied by ISO 27001 compliance. For example, some industries or jurisdictions may require organizations to comply with specific information security standards, and ISO 27001 may be recognized as a suitable standard for compliance.

    Additionally, compliance with ISO 27001 can provide a competitive advantage by demonstrating to customers, partners, and other stakeholders that an organization is committed to protecting sensitive information. It can also help organizations meet the requirements of data protection regulations such as GDPR, CCPA, or HIPAA.

    An untold number of companies have been certified for ISO 27001 compliance, including tech companies such as Microsoft and Apple, banks such as Bank of America and HSBC, and healthcare providers such as Mayo Clinic and Cedars Sinai, to name a few. 

    Where can data masking be applied in modern environments?

    Data masking can be applied in a variety of settings to protect sensitive information from unauthorized access, use, disclosure, or modification. Here are some examples of where data masking can be applied:

    • Production databases: Data masking can be applied to databases to protect sensitive data such as personal information, financial data, or intellectual property. In production environments (i.e., those used for normal operations of the business), masking options may be limited based on the use cases and other factors. More often, production data is masked or hidden at the application level, such as redacting the credit card number of customers in the account management interface.

    • Test and development environments: Data masking can be applied in test and development environments to protect sensitive data during the software development process. This is often done as part of a formalized test data management process, including those provided by automated DevOps pipelines. This can help ensure that developers and testers are working with realistic data without risking the exposure of sensitive information.

    • Cloud services: Data masking can be applied to cloud services to protect sensitive data stored in the cloud. This is especially important when dealing with data residency requirements or third-party concerns, such as providing test data to offshore service providers.

    • Analytics and business intelligence: Data masking can be applied to data used for analytics and business intelligence to protect sensitive information. Oftentimes analysts need realistic data but have no legitimate need or clearance to access sensitive fields. Masking can solve this problem.

    • AI/ML algorithms: Protecting sensitive data is often cited as a challenge to AI/ML adoption. Data masking can be used to provide realistic but protected versions of data to AI/ML engineers to support training and testing algorithms.

    Overall, data masking can be applied in any setting where sensitive information needs to be protected from unauthorized access, use, disclosure, or modification. By using data masking techniques, organizations can minimize the risk of data breaches, cyberattacks, and other information security risks.

    The 2024 State of Data Compliance and Security Report

    66% of organizations we surveyed are using static data masking to protect non-production data. Discover insights from 250 global leaders around sensitive data, compliance, masking, AI, and more.

    Get the Data Compliance Report >>