ISO Show

#111 What is data masking?


ISO 27002 was recently updated this year – along with a reduction of overall controls, 11 completely news ones were added to keep up with new and emerging technology.

One of the new controls added under the technological category, is something called Data Masking. But what does this mean exactly?

Steve Mason joins us again today to delve deeper into data masking to explain what it is, why it’s so important and details a few of the different types of data masking

You’ll learn

  • What is data masking?
  • Why is data masking important?
  • How does data masking work?
  • What are the different types of data masking?


In this episode, we talk about:

[01:33] The purpose of data masking according to ISO 27002 – Now more clearly defined when compared to earlier versions

[02:55] A brief overview of PII (Personally Identifiable Information)     

[03:52] A summary of the defined attributes of data masking     

[05:25] What is data masking? Including definitions for obfuscation, data anonymization and pseudonymisation

[08:50] The benefits of having a more clearly defined control for protecting PII

[09:35] Other standards where data masking is applicable – ISO 27017, ISO 27018 and ISO 27701  

[11:27] Why data masking is so important currently

[12:40] How data masking works in practice  

[13:10] Static data masking –  data is masked in an original database then duplicated into a test environment

[13:34] Dynamic data masking – The original sensitive data remains in the repository. Data is never exposed to unauthorised users, contents are shuffled in real-time on-demand to make the contents masked

[14:50] On the fly data masking – Masking data while it is transferred from production systems to test or development systems before the data is saved to disk.

[15:55] Techniques for data masking include – Substitution – Businesses substitute the original data with random data from supplied or customised lookup file.

[16:15] Shuffling – Businesses substitute original data with another authentic-looking data but they shuffle the entities in the same column randomly.   

[17:09] Number and date variances – For financial and date-driven data sets, applying the same variance to create a new dataset doesn’t change the accuracy of the dataset while masking data.

[17:56] Encryption is still the number one method for data masking

[18:40] Character scrambling – This method involves randomly rearranging the order of characters. This process is irreversible so that the original data cannot be obtained from the scrambled data.

[19:50] Other forms of data to take into consideration – Protected health information, Payment card information, Intellectual property and Company specific Information

[23:02] How GDPR promotes data masking

Download our ISO 27002 changes Quick Guide here:

Just a reminder, we’re offering 6 months free access to the isologyhub for anyone who signs up to an ISO Support Plan!

We’d love to hear your views and comments about the ISO Show, here’s how:

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube |iTunes | Soundcloud

ISO Download

Download the ISO Standards Blueprint

A step-by-step checklist for getting ISO certified

Share this Podcast:

Subscribe to keep up-to-date with our latest episodes:

SoundCloud Spotify iTunes Stitcher Stitcher YouTube Amazon Music