
ISO 27001 Control 5.35: Privacy and Protection of PII – Because Data Belongs to People, Not Just Systems

ISO 27001 Control 5.35 ensures personal data is handled with care, transparency, and compliance. Learn how Canadian Cyber helps organizations strengthen privacy, align with ISO 27701, and build lasting trust.


Introduction

We often talk about protecting “data,” but behind every record is a real person: an employee, a customer, a partner.

When you collect personal information, you take on a responsibility that goes beyond security: it’s about trust.

That’s why ISO 27001 Control 5.35, Privacy and Protection of Personally Identifiable Information (PII), exists.
It ensures organizations handle personal data with care, accountability, and compliance, reducing the risk of breaches, lawsuits, and loss of reputation.

Why This Control Matters

Personal data is everywhere: in HR systems, CRMs, logs, emails, and even backups.
When mishandled, it can lead to identity theft, regulatory fines, or public backlash.

Control 5.35, defined in ISO/IEC 27002:2022 Section 5.35, is an Organizational control that’s both preventive and corrective.
It protects Confidentiality and Integrity through the Protect and Comply cybersecurity concepts.

It connects ISO 27001 with privacy frameworks such as:

  • ISO 27701 – Privacy Information Management

  • ISO 27018 – Cloud Privacy

  • GDPR / PIPEDA – Data protection and consent-based governance

What This Control Involves

1. Identify Personal Data

Understand what personal data your organization collects, stores, or processes.

2. Define Purpose and Consent

Collect only what’s necessary, and make sure data subjects know why.

3. Apply Security Controls

Encrypt, restrict access, and monitor how personal data moves across systems.

4. Limit Retention and Access

Store data only as long as needed — then securely delete or anonymize it.

5. Respond to Privacy Incidents

Have clear processes for breach notification and subject access requests (SARs).

6. Review and Improve

Conduct privacy impact assessments (PIAs) and regular reviews of handling practices.
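Steps 1, 3 and 4 above (identify the PII you hold, protect it, and keep it no longer than its purpose requires) are easier to reason about when they are written down as a policy a script can enforce. The following is an added example, not code from Canadian Cyber or from the ISO standard: it keeps a small, constructed PII inventory, checks each record against a per-purpose retention policy, pseudonymizes or deletes records whose retention period has passed, and flags identifiable PII sitting in a non-production environment (the “unencrypted PII in test or backup environments” pitfall below). The field names, purposes, retention periods, dates and the pseudonymization key are all assumptions chosen for the illustration.

```python
"""Added example (not Canadian Cyber's code): enforce a constructed PII
retention policy over a constructed inventory. All field names, purposes,
retention periods, dates and the key below are assumptions."""
import hashlib
import hmac
from datetime import date, timedelta

# Assumption: which record fields count as PII in this inventory.
PII_FIELDS = {"name", "email", "phone", "address"}

# Assumption: retention policy per declared collection purpose. "days" is how
# long the data may be kept; "on_expiry" is what happens afterwards. Payroll
# data is pseudonymized (aggregate history stays usable), marketing data is
# deleted outright because it is held on consent alone.
RETENTION_POLICY = {
    "payroll": {"days": 7 * 365, "on_expiry": "pseudonymize"},
    "marketing": {"days": 365, "on_expiry": "delete"},
    "support_ticket": {"days": 180, "on_expiry": "pseudonymize"},
}

# Assumption: in a real deployment this key lives in a secret store / KMS.
PSEUDONYM_KEY = b"constructed-demo-key-not-for-production"


def pseudonymize(value, key=PSEUDONYM_KEY):
    """Replace a PII value with a keyed hash. HMAC rather than a bare hash so
    the original cannot be recovered by hashing guessed candidates; the same
    input still maps to the same token, so records remain linkable."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pii_fields_in(record):
    """Step 1: identify which fields of this record hold PII."""
    return sorted(f for f in record if f in PII_FIELDS)


def is_expired(record, today):
    """Step 4: a record is expired once its purpose's retention period has passed."""
    policy = RETENTION_POLICY[record["purpose"]]
    return record["collected_on"] + timedelta(days=policy["days"]) < today


def enforce_retention(records, today):
    """Apply the policy. Returns (kept_records, actions); actions is a list of
    (record id, action) where action is retain, pseudonymize or delete."""
    kept, actions = [], []
    for rec in records:
        if not is_expired(rec, today):
            kept.append(rec)
            actions.append((rec["id"], "retain"))
            continue
        action = RETENTION_POLICY[rec["purpose"]]["on_expiry"]
        if action == "delete":
            actions.append((rec["id"], "delete"))  # not appended to kept
            continue
        scrubbed = dict(rec)
        for field in pii_fields_in(rec):
            scrubbed[field] = pseudonymize(rec[field])
        scrubbed["pseudonymized"] = True
        kept.append(scrubbed)
        actions.append((rec["id"], "pseudonymize"))
    return kept, actions


def raw_pii_outside_production(records):
    """Ids of records holding identifiable (non-pseudonymized) PII anywhere
    other than the production environment, e.g. a test copy of the database."""
    return [
        r["id"]
        for r in records
        if r["environment"] != "prod" and pii_fields_in(r) and not r.get("pseudonymized")
    ]


# Constructed sample inventory (assumption: dates and values are invented).
SAMPLE_RECORDS = [
    {"id": 1, "environment": "prod", "purpose": "payroll",
     "collected_on": date(2015, 1, 10), "name": "A. Example", "email": "a@example.test"},
    {"id": 2, "environment": "prod", "purpose": "marketing",
     "collected_on": date(2023, 6, 1), "name": "B. Example", "email": "b@example.test"},
    {"id": 3, "environment": "prod", "purpose": "marketing",
     "collected_on": date(2025, 3, 1), "name": "C. Example", "email": "c@example.test"},
    {"id": 4, "environment": "test", "purpose": "support_ticket",
     "collected_on": date(2025, 8, 1), "name": "D. Example", "phone": "555-0100"},
]
TODAY = date(2025, 10, 1)  # fixed "today" so the run is reproducible

if __name__ == "__main__":
    kept, actions = enforce_retention(SAMPLE_RECORDS, TODAY)
    for rec_id, action in actions:
        print(f"record {rec_id}: {action}")
    print("raw PII outside production:", raw_pii_outside_production(kept))
```

With the constructed dates, record 1 is past its seven-year payroll retention and is pseudonymized, record 2 is past its one-year marketing retention and is deleted, records 3 and 4 are retained, and record 4 is flagged because it carries a real name and phone number in the test environment. The same structure scales to a real inventory: the retention table becomes the documented policy from your PIA, and the flagged ids become the remediation list for the test and backup copies.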

Common Privacy Pitfalls

🚫 Collecting more data than needed (“just in case”)
🚫 Storing unencrypted PII in test or backup environments
🚫 No clear consent tracking or deletion process
🚫 Assuming “compliance = security” (they’re not the same)

Canadian Cyber’s Take

At Canadian Cyber, we help organizations go beyond compliance checkboxes toward privacy by design.

We work with clients to map data flows, minimize collection, and implement controls that balance business needs with individual rights.

Our team also supports compliance with ISO 27018 and ISO 27701, bridging the gap between cybersecurity and data privacy.

Because protecting personal data isn’t just a legal obligation; it’s a promise.

Takeaway

Privacy is the human side of security.
ISO 27001 Control 5.35 ensures organizations treat personal data with the care, transparency, and protection it deserves.

It’s how businesses earn trust and keep it.

How Canadian Cyber Can Help

At Canadian Cyber, we provide:

  • ISO 27001 and ISO 27701 Implementation Support

  • Privacy Impact Assessments (PIAs)

  • ISO 27018 Cloud Privacy Guidance

  • Internal Audit and Readiness Reviews

👉 Ready to strengthen privacy within your ISMS? Book a free consultation here.

🔗 Stay connected with the latest privacy and security insights:
LinkedIn, Instagram, Facebook, and YouTube.
