Data Protection Policy
Privacy and personal data protection (Annex A 5.34).
About this Data Protection Policy
The Data Protection Policy is a ready-to-use ISO 27001:2022 template designed to help organizations document and operate the controls expected by certification auditors. It directly supports Annex A 5.34 (Privacy and personal data protection) of the ISO 27001 Annex A control set.
Use it as the baseline for your ISMS documentation, tailor it to your scope and risk appetite, then maintain it through your normal document-control process.
What's inside
- Pre-written purpose, scope and policy statements
- Roles and responsibilities aligned with ISO 27001:2022
- Control requirements mapped to Annex A 5.34
- Review, approval and version-control sections
- Editable Word (.docx) version in the Document Pack
Who is this for
- Companies pursuing ISO 27001:2022 certification
- ISMS managers and information security leads
- Consultants delivering ISO 27001 implementations
- Auditors preparing evidence packs for Stage 1 / Stage 2
- SaaS and tech teams formalizing security policies
ISO 27001:2022 relevance
- Annex A 5.34 - Privacy and protection of PII
- Annex A 5.12 - Classification of information
- Annex A 5.13 - Labelling of information
- Annex A 8.10 - Information deletion
- Annex A 8.11 - Data masking
How to customise
- Insert the data categories you process and their lawful bases (if GDPR-relevant).
- Define retention periods and deletion methods.
- Reference the data subject rights handling procedure.
- Identify the DPO or accountable owner.
Evidence auditors may expect
- Approved data protection policy
- Record of processing activities (ROPA) where applicable
- Retention schedule and evidence of deletion
- Data subject request log
Auditor may ask
These are realistic questions an external auditor may use to test the control. Your answer must be supported by the evidence listed above.
Related ISO 27001 documents
Data Classification & Handling Policy
Classification scheme and handling rules (Annex A 5.12/5.13).
Privacy Policy
Privacy commitments to data subjects.
Supplier Relationship Security Policy
Supplier and third-party security (Annex A 5.19-5.22).
Statement of Applicability (SoA)
Lists all Annex A controls with applicability and justification. Mandatory under clause 6.1.3 d).
Acceptable Use Policy
Rules for acceptable use of information and assets (Annex A 5.10).
Access Control Policy
Logical and physical access management (Annex A 5.15).
Get the editable Data Protection Policy
Buy this template on its own for $34, or unlock the full Document Pack for $99 (one-time).
