Data Masking - ISO 27001 Annex A Control

ISO 27001 Annex A 8.11

Reduce the data, reduce the risk - masking is risk reduction by another name.

ISO 27001 Annex A 8.11 - Data Masking

Data masking replaces sensitive data with substitute values that preserve the format but not the content. The substitute may be random, deterministic, or context-aware. The point is to allow work to proceed without exposing the underlying data - typical uses include test environments, analytics, sharing with third parties, and showing data in user interfaces where the full value is not needed.

The choice of masking technique depends on the use case. Static masking creates a permanently substituted dataset for use in non-production environments. Dynamic masking applies at query time so that the underlying data remains intact but users only see masked values. Tokenisation replaces values with tokens that can be reversed by an authorised process. Each has its place.
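As an added illustration of the three techniques just described (example code, not from the page or the alphaZ toolkit), a small Python model: static masking with keyed, format-preserving substitutes, which also serves dynamic masking when applied to a query result rather than to the stored rows, and a token vault that reverses tokens only for an authorised process. The records, the masking key and the masked domain are constructed for the example.

```python
import hashlib
import hmac
import secrets

RECORDS = [  # constructed sample records; every value here is made up for this example
    {"id": 1, "email": "jane.doe@example.com", "phone": "07700 900123"},
    {"id": 2, "email": "j.smith@example.org", "phone": "07700 900456"},
]
# Keyed hashing keeps masking deterministic (joins still work) yet irreversible without the key.
MASK_KEY = b"example-static-masking-key"  # assumption: a per-environment secret, not shipped with the data

def mask_email(email: str, key: bytes = MASK_KEY) -> str:
    """Irreversible masking: keeps the local@domain shape, drops the content."""
    local = email.partition("@")[0].lower()
    tag = hmac.new(key, local.encode(), hashlib.sha256).hexdigest()[:12]
    return f"user-{tag}@masked.invalid"

def mask_phone(phone: str, key: bytes = MASK_KEY) -> str:
    """Keeps the first five digits, spacing and length; replaces the remaining digits."""
    digits = "".join(ch for ch in phone if ch.isdigit())
    tag = hmac.new(key, digits.encode(), hashlib.sha256).digest()
    out, seen = [], 0
    for ch in phone:
        if ch.isdigit():
            out.append(ch if seen < 5 else str(tag[seen % len(tag)] % 10))
            seen += 1
        else:
            out.append(ch)
    return "".join(out)

def static_mask(records: list[dict]) -> list[dict]:
    """Static masking: a permanently substituted copy for non-production use."""
    return [{**r, "email": mask_email(r["email"]), "phone": mask_phone(r["phone"])}
            for r in records]

class TokenVault:
    """Reversible tokenisation: tokens are random; the mapping lives only in this vault."""
    def __init__(self) -> None:
        self._by_token, self._by_value = {}, {}

    def tokenise(self, value: str) -> str:
        if value not in self._by_value:  # deterministic: same value, same token
            self._by_value[value] = token = "tok_" + secrets.token_hex(8)
            self._by_token[token] = value
        return self._by_value[value]

    def detokenise(self, token: str, authorised: bool) -> str:
        if not authorised:  # only an authorised process may reverse a token
            raise PermissionError("detokenisation requires an authorised process")
        return self._by_token[token]
```

Applying static_mask once and saving the result is static masking; applying it to each query result while leaving RECORDS untouched is dynamic masking.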

For personal data, masking links closely to data minimisation and purpose limitation under UK data protection law. Where the full personal data is not needed for the purpose, masked or pseudonymised values reduce the risk and the regulatory exposure. The personal data register should record where masking is used and how.

The most common audit gap on data masking is test environments containing real personal data. The original justification - 'it makes testing more realistic' - does not hold up under scrutiny. The expectation is that test environments use masked or synthetic data unless there is a specific reason and a specific control regime around the exception.

Masking has another benefit beyond compliance - it reduces the blast radius of incidents. A test environment that gets compromised but contains masked data is a much smaller incident than one containing real customer data. Masking turns a potential breach into a non-event in the right circumstances.

Practical Compliance Guidance

Data masking is described in the IMS1 Manual in section 8.2 alongside the Information Security Policy. The personal data register records where masking applies.

alphaZ document | How to use it
ISO 27001 Toolkit | The full alphaZ ISO 27001 toolkit including the IMS1 Manual, policies, procedures, registers and audit checklists.
F-IMS24 Personal Data Register | The personal data register listing data categories and processing arrangements. Use it to record where masking, tokenisation or pseudonymisation applies to specific data collected.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

In non-production environments (test, development, training), in analytics datasets where individual identification is not needed, in third-party data sharing where the full data is not required, and in user interfaces where the full value would be inappropriate to display. The decision should follow data minimisation principles.

Pseudonymisation typically allows the original data to be recovered through a separately held key or reference table. Masking may be irreversible or reversible depending on the technique. Both reduce the immediate exposure of personal data, but the recoverable nature of pseudonymisation means it remains personal data under UK GDPR.

Synthetic data (generated to match the statistical properties of real data without containing real records) and aggregation (releasing only summary statistics) are alternatives in some scenarios. The choice depends on what the recipient actually needs the data for.

UK Legislation

Relevant UK legislation includes:
