
    Data Protection Policy

    Privacy and personal data protection (Annex A 5.34).


    About this Data Protection Policy

    The Data Protection Policy is a ready-to-use ISO 27001:2022 template designed to help organizations document and operate the controls expected by certification auditors. It directly supports Annex A 5.34, Privacy and personal data protection, from the ISO 27001 Annex A control set.

    Use it as the baseline for your ISMS documentation, tailor it to your scope and risk appetite, then maintain it through your normal document-control process.

    What's inside

    • Pre-written purpose, scope and policy statements
    • Roles and responsibilities aligned with ISO 27001:2022
    • Control requirements mapped to Annex A 5.34
    • Review, approval and version-control sections
    • Editable Word (.docx) version in the Document Pack

    Who is this for?

    • Companies pursuing ISO 27001:2022 certification
    • ISMS managers and information security leads
    • Consultants delivering ISO 27001 implementations
    • Auditors preparing evidence packs for Stage 1 / Stage 2
    • SaaS and tech teams formalizing security policies

    ISO 27001:2022 relevance

    • Annex A 5.34 - Privacy and protection of PII
    • Annex A 5.12 - Classification of information
    • Annex A 5.13 - Labelling of information
    • Annex A 8.10 - Information deletion
    • Annex A 8.11 - Data masking

    How to customise

    • Insert the data categories you process and their lawful bases (if GDPR-relevant).
    • Define retention periods and deletion methods.
    • Reference your data subject rights handling procedure.
    • Identify the DPO or accountable owner.

    Evidence auditors may expect

    • Approved data protection policy
    • Record of processing activities (ROPA) where applicable
    • Retention schedule and evidence of deletion
    • Data subject request log

    Auditors may ask

    Q. What personal data is processed and on what basis?
    Q. How long is data retained and how is it deleted?
    Q. How are data subject rights handled?
    Q. How is privacy considered in new projects or changes?

    These are realistic questions an external auditor may use to test the control. Your answers must be supported by the evidence listed above.

    Get the editable Data Protection Policy

    Buy this template on its own for $34, or unlock the full Document Pack for $99 (one-time).