Skip to content
AuditFront
A.8.11 ISO 27001

ISO 27001 A.8.11: Data masking

What This Control Requires

Data masking shall be used in accordance with the organization's topic-specific policy on access control and other related topic-specific policies, and business requirements, taking into consideration applicable legislation.

In Plain Language

Your test environment probably has a copy of production data in it right now. If that data includes customer names, email addresses, or payment details, you have a problem - test environments rarely have the same security controls as production, and a breach there is just as reportable. Data masking solves this by replacing sensitive data with realistic but fictitious values. The data still looks and behaves like real data so your applications work correctly, but there is nothing to steal. This control, new in ISO 27001:2022, makes masking an explicit requirement. Masking is also useful for display purposes (showing only the last four digits of a card number), for analytics where you need patterns but not individual identities, and for sharing data with third parties who do not need to see the real values.

How to Implement

Start by mapping where data masking is needed. The usual suspects: non-production environments (dev, test, staging, training), analytics and reporting that do not need individual-level sensitive data, application display screens showing partial information, data shared with third parties, and anywhere data minimisation regulations apply. Choose the right masking technique for each scenario. Static data masking creates a permanently masked copy for non-production use. Dynamic data masking applies masking in real-time at the access layer without changing stored data. Format-preserving encryption keeps the data format intact while making content unreadable. Tokenisation replaces data with tokens mapped to the original via a secure vault - particularly useful for payment card data. For non-production environments, build automated masking pipelines. Never copy production data directly to dev or test without masking it first. Make sure masked data keeps referential integrity and correct formats so applications still function. Verify that the masking is truly irreversible without access to the masking keys. Implement display masking in your applications. Configure screens to show only partial sensitive data to users who do not need the full value. A customer service agent seeing the last four digits of a card number can still verify a transaction. Build proper access controls for the few roles that genuinely need to see unmasked data. Document your masking rules clearly. Define which data elements require masking, what technique applies to each, who may access unmasked data, and how masked datasets are created. Review these rules regularly as your data usage patterns change. Test that your masking actually works. Verify masked data cannot be reversed or re-identified through cross-referencing. Check that masked datasets keep the statistical properties needed for their purpose. Validate that applications run correctly against masked data in non-production environments.

Evidence Your Auditor Will Request

  • Data masking policy defining requirements and techniques
  • Records of masked data environments and the masking methods used
  • Masking rules documentation for each sensitive data type
  • Verification records showing masking effectiveness and irreversibility
  • Non-production environment records showing masked data usage instead of production data

Common Mistakes

  • Production data is copied to non-production environments without masking
  • Masking is inconsistent allowing re-identification through cross-referencing
  • Masked data does not maintain referential integrity breaking applications
  • No policy defining when and how data masking should be applied
  • Display masking is not implemented in applications for sensitive data fields

Related Controls Across Frameworks

Framework Control ID Relationship
SOC 2 CC6.1 Partial overlap
GDPR Art.25 Related
GDPR Art.32 Related

Frequently Asked Questions

Is this control new in ISO 27001:2022?
Yes, one of the 11 new controls. It was added because the practice of dumping production data into test environments is incredibly common and incredibly risky. The 2022 revision makes it clear that organisations need a structured approach to masking sensitive data wherever the full values are not actually required.
What is the difference between data masking and encryption?
Encryption scrambles data but is reversible with the right key - great for protecting data in storage and transit where you need the original back. Static data masking replaces values with fictitious ones and is typically irreversible, making it ideal for non-production environments where you never need the real data. Tokenisation sits in the middle: tokens map back to original values through a secure vault, which is handy for payment card scenarios where you need to reference the original occasionally but do not want it stored in your systems.

Track ISO 27001 compliance in one place

AuditFront helps you manage every ISO 27001 control, collect evidence, and stay audit-ready.

Start Free Assessment