GDPR and ISO 27001 Compliance
Assentian
• A London based Cyber Security Practice
• Certified Information Systems Auditors
• Certified ISO 27001 Implementors
• Members of the UK Cyber Security Forum
• Dr Ilesh Dattani – Member of the International Standards Committees on
– Governance and Resilience (information security and business continuity)
– Big Data – storage, access, use and sharing in a legal and compliant way
• Mr Jonathan Gay – CISA (Certified Information Systems Auditor)
The changing face of Data Privacy and Information Security
Traditional View
• The domain of the System Administrator
• The task: purchasing a firewall
• Implementing security controls was not compulsory
Modern View
• The domain of the business owner
• The task: finding out what is at risk and selecting the right controls for those risks
• Business and security cannot be separated
• The security team consists of top management, IT managers and a dedicated Information Security Manager / DPO
• Plan, Do, Check, Act (PDCA) model
• Integration of quality management systems such as ISO 9001 and CMMI with information security models
Why is this important
• More and more dependence on information systems
• Need for a long-term, resilient system for securing every form of information asset
• Theft of information can have disastrous results for companies
• Projects are awarded to companies that have a sound system to protect information
• Laws such as HIPAA (US) and the GDPR (EU) have set the benchmark for protecting information against theft or tampering
Type of Information
Information can be: created, stored, used, transmitted, destroyed
Categories: Personal, Financial, Operational, Client
Information format: paper, databases, disk(ette)s, CD-ROMs, tapes, (design) drawings, films, conversations, …
Business Requirements for Information Security and Data Protection
• Commercial requirements
• Legal requirements
• What is information security?
• Basic components
• Managing information boundaries
• Sharing information with partners
• Holistic approach
Components of Information Security
Confidentiality: ensuring that information is accessible only to those authorised to have access.
Integrity: safeguarding the accuracy and completeness of information and processing methods.
Availability: ensuring that authorised users have access to information and associated assets when required.
(Diagram: the triad of Integrity, Availability and Confidentiality.)
In some organisations, integrity and / or availability may be more important than confidentiality.
Managing Information Boundaries
• Intranet connections to other business units
• Extranets to business partners
• Remote connections to staff working off-site
• Virtual Private Networks (VPNs)
• Customer networks
• Supply chains
• Service Level Agreements, contracts, outsourcing arrangements
• Third-party access
Sharing Information
Types of information covered by an information security management system:
• Internal: information that you would not want your competitors to know.
• Customer / client / supplier: information that they would not wish you to divulge.
• Information that needs to be shared with other trading partners. (This may be one of the above, but may also be specific information that would not otherwise exist in this particular form.)
ISO 27001 is an international standard for information security management.
• It consists of a specification for an information security management system (ISO/IEC 27001) together with a code of practice for information security controls (ISO/IEC 27002)
• Basis for contractual relationships
• Basis for third-party certification
• Can be certified by accredited certification bodies
• Applicable to all industry sectors
• Emphasis on prevention
Five Mandatory requirements of the standard
Section 4 – General and Documentation requirements
- General requirements
- Establishing and maintaining an ISMS
- Documentation requirements
“The Organization shall develop, implement, maintain and continually improve a documented ISMS within the context of the organisation’s overall business activities and risk. For the purposes of this standard the process used is based on the PDCA model…”
(Diagram: the PDCA cycle applied to the ISMS)
Interested parties (input to the cycle) →
• Plan: establish the ISMS
• Do: implement and operate the ISMS
• Check: monitor and review the ISMS
• Act: maintain and improve the ISMS
→ Interested parties (output of the cycle)
Section 5 – Management Responsibility
- Management commitment
- Resource management
Section 6 – Internal ISMS Audits
Section 7 – Management Review of the ISMS
- Review input
- Review output
Section 8 – ISMS Improvement
- Continual improvement
- Corrective action
- Preventive action
Important Areas of Concern
ISO 27001 Annex A control areas (numbered as in ISO/IEC 27001:2005; the 2013 edition renumbered these as A.5 to A.18, which is the numbering the GDPR slides below use):
Security policy (5)
Organization of information security (6)
Asset management (7)
Human resources security (8)
Physical and environmental security (9)
Communications and operations management (10)
Access control (11)
Information systems acquisition, development and maintenance (12)
Information security incident management (13)
Business continuity management (14)
Compliance (15)
Asset Management - Data
Objective:
Responsibility for assets
Information classification
Covers:
Inventory of assets
Ownership of assets
Acceptable use of assets
Classification guidelines
Information labelling and handling
Third-Party Relationships
• Under the GDPR an organisation is required to manage the compliance of any suppliers that it uses – what does that mean?
– You must satisfy yourself, for example by auditing the supplier, that it meets the requirements within the context of the service it is providing, and bind it to those requirements in a written contract
– If you are providing a service to a client and part of that service is sub-contracted, you carry the liability and the risk of non-compliance on the part of the sub-contractor
Information Asset Classification
Sr | Asset Category  | Classification
1  | Paper Assets    | Client Confidential
2  | Electronic Data | Company Confidential
3  | Hardware        | Commercial in Confidence
4  | Software        | Restricted
5  | People          | Critical & Non Critical
Compliance
Objective
Compliance with legal requirements
Compliance with security policies and standards, and technical compliance
Information Systems audit considerations
Covers:
Identification of applicable legislation
Intellectual property rights (IPR)
Protection of organizational records
Data protection and privacy of personal information
Prevention of misuse of information processing facilities
Regulation of cryptographic controls
Compliance with security policies and standards
Technical compliance checking
Information systems audit controls
Protection of information system audit tools
ISO 27001 and GDPR
How does ISO 27001 Help
• ISO 27001 is a framework for information protection.
• Under the GDPR, personal data is critical information that every organisation processing it needs to protect.
• The GDPR also requires things that ISO 27001 does not cover: supporting the rights of data subjects, such as the right to be informed, the right to have their data deleted, and the right to data portability.
• But if the implementation of ISO 27001 identifies personal data as an information security asset, most of the GDPR’s security-related requirements will be covered.
ISO 27001 and GDPR
• Risk Assessment – Because of the high fines defined in the GDPR and the major financial impact on organisations, the risk found during risk assessment regarding personal data will naturally be too high not to be treated. On the other side, one of the new requirements of the GDPR is the Data Protection Impact Assessment (DPIA), in which companies must first analyse the risks their processing poses, much as ISO 27001 requires an information security risk assessment. One caveat: a DPIA assesses the risk to the data subjects, whereas an ISMS risk assessment is scoped to the organisation’s own assets, so the risk criteria must be extended to cover the individuals whose data is processed. While implementing ISO 27001, personal data should therefore be classified as high criticality, consistent with control A.8.2.1 (Classification of information): “Information should be classified in terms of legal requirements, value, criticality and sensitivity to unauthorized disclosure or modification.”
ISO 27001 and GDPR
• Compliance – By implementing ISO 27001, because of control A.18.1.1 (Identification of applicable legislation and contractual requirements), it is mandatory to keep a list of the relevant legislative, statutory, regulatory and contractual requirements. If the organisation needs to be compliant with the GDPR (see the section above), the regulation will have to be part of this list. In any case, even if the organisation is not covered by the GDPR, control A.18.1.4 (Privacy and protection of personally identifiable information) guides organisations through the implementation of a data protection policy and the protection of personally identifiable information.
ISO 27001 and GDPR
• Breach notification – Companies will have to notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a breach of personal data, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. The implementation of ISO 27001 control A.16.1 (Management of information security incidents and improvements) will ensure “a consistent and effective approach to the management of information security incidents, including communication on security events.” According to the GDPR, data subjects (“The Data Subject is a living individual to whom personal data relates.”) will also have to be notified, but only if the breach is likely to result in a “high risk to the rights and freedoms” of those data subjects. The implementation of incident management, which results in the detection and reporting of personal data incidents, will bring an improvement to any organisation wishing to conform to the GDPR. Note that the 72-hour clock starts when the organisation becomes aware of the breach, so detection, escalation and assessment procedures must be fast enough to leave time to prepare the notification.
ISO 27001 and GDPR
• Asset Management – ISO 27001 control A.8 (Asset management) leads to the inclusion of personal data as an information security asset and allows organisations to understand what personal data is involved, where it is stored, for how long, what its origin is and who has access to it, all of which the GDPR requires (for example in the Article 30 records of processing activities).
ISO 27001 and GDPR
• Privacy by Design – Data protection by design and by default, another GDPR requirement, becomes mandatory in the development of products and systems. ISO 27001 control A.14 (System acquisition, development and maintenance) ensures that “information security is an integral part of information systems across the entire lifecycle.”
ISO 27001 and GDPR
• Supplier Relationships – ISO 27001 control A.15.1 (Information security in supplier relationships) requires the “protection of the organization’s assets that are accessible by suppliers.” Under the GDPR, where the organisation delegates the processing or storage of personal data to suppliers, it must require their compliance with the regulation through formal written agreements.
ISO 27001 and GDPR
• Conduct a GDPR gap analysis to determine what remains to be done to meet the GDPR requirements; the remaining requirements can then be added through the Information Security Management System that ISO 27001 has already put in place.
ISO 27001 and GDPR
• From the ISO 27000 family, ISO/IEC 27018 (Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors) should also be consulted if the organisation stores or processes personal data in the cloud. See the article “ISO 27001 vs. ISO 27018 – Standard for protecting privacy in the cloud” to learn more.
Compliance Service Offers
• ISO 27001 Management – Oversee Compliance Process
– Implementation and Certification
• Full ISO 27001 Compliance Service
• ISO 27001 Audit
• GDPR Gap Analysis
• ISO 27001 Default Procedures and Processes –
Advisory Services in implementation
• ISO 27001 and GDPR Training and Awareness

More Related Content

What's hot

ISO/IEC 27001:2022 – What are the changes?
ISO/IEC 27001:2022 – What are the changes?ISO/IEC 27001:2022 – What are the changes?
ISO/IEC 27001:2022 – What are the changes?
PECB
 

What's hot (20)

ISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptxISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptx
 
How can the ISO 27701 help to design, implement, operate and improve a privac...
How can the ISO 27701 help to design, implement, operate and improve a privac...How can the ISO 27701 help to design, implement, operate and improve a privac...
How can the ISO 27701 help to design, implement, operate and improve a privac...
 
ISO/IEC 27001:2022 – What are the changes?
ISO/IEC 27001:2022 – What are the changes?ISO/IEC 27001:2022 – What are the changes?
ISO/IEC 27001:2022 – What are the changes?
 
ISO 27001 - Information Security Management System
ISO 27001 - Information Security Management SystemISO 27001 - Information Security Management System
ISO 27001 - Information Security Management System
 
ISO 27001 Certification - The Benefits and Challenges
ISO 27001 Certification - The Benefits and ChallengesISO 27001 Certification - The Benefits and Challenges
ISO 27001 Certification - The Benefits and Challenges
 
ISO_ 27001:2022 Controls & Clauses.pptx
ISO_ 27001:2022 Controls & Clauses.pptxISO_ 27001:2022 Controls & Clauses.pptx
ISO_ 27001:2022 Controls & Clauses.pptx
 
How to fulfil requirements of ISO 20000:2018 Documents?
How to fulfil requirements of ISO 20000:2018 Documents?How to fulfil requirements of ISO 20000:2018 Documents?
How to fulfil requirements of ISO 20000:2018 Documents?
 
ISMS Part I
ISMS Part IISMS Part I
ISMS Part I
 
CMMC, ISO/IEC 27001, ISO/IEC 27032, and NIST – What You Need to Know
CMMC, ISO/IEC 27001, ISO/IEC 27032, and NIST – What You Need to KnowCMMC, ISO/IEC 27001, ISO/IEC 27032, and NIST – What You Need to Know
CMMC, ISO/IEC 27001, ISO/IEC 27032, and NIST – What You Need to Know
 
Infosec Audit Lecture_4
Infosec Audit Lecture_4Infosec Audit Lecture_4
Infosec Audit Lecture_4
 
Cybersecurity Priorities and Roadmap: Recommendations to DHS
Cybersecurity Priorities and Roadmap: Recommendations to DHSCybersecurity Priorities and Roadmap: Recommendations to DHS
Cybersecurity Priorities and Roadmap: Recommendations to DHS
 
Overview of Microsoft Teams and Data Loss Prevention(DLP)
Overview of Microsoft Teams  and Data Loss Prevention(DLP)Overview of Microsoft Teams  and Data Loss Prevention(DLP)
Overview of Microsoft Teams and Data Loss Prevention(DLP)
 
Enabling Data Governance - Data Trust, Data Ethics, Data Quality
Enabling Data Governance - Data Trust, Data Ethics, Data QualityEnabling Data Governance - Data Trust, Data Ethics, Data Quality
Enabling Data Governance - Data Trust, Data Ethics, Data Quality
 
Enterprise Security Architecture
Enterprise Security ArchitectureEnterprise Security Architecture
Enterprise Security Architecture
 
ISO 27002-2022.pdf
ISO 27002-2022.pdfISO 27002-2022.pdf
ISO 27002-2022.pdf
 
Iso iec 27001 foundation training course by interprom
Iso iec 27001 foundation training course by interpromIso iec 27001 foundation training course by interprom
Iso iec 27001 foundation training course by interprom
 
ISO 27004- Information Security Metrics Implementation
ISO 27004- Information Security Metrics ImplementationISO 27004- Information Security Metrics Implementation
ISO 27004- Information Security Metrics Implementation
 
ISO 27005:2022 Overview 221028.pdf
ISO 27005:2022 Overview 221028.pdfISO 27005:2022 Overview 221028.pdf
ISO 27005:2022 Overview 221028.pdf
 
ISO 27001:2022 Introduction
ISO 27001:2022 IntroductionISO 27001:2022 Introduction
ISO 27001:2022 Introduction
 
What is iso iec 20000
What is iso iec 20000What is iso iec 20000
What is iso iec 20000
 

Similar to GDPR and ISO 27001 - how to be compliant

CyNation - 7 things you should know about EU-GDPR
CyNation - 7 things you should know about EU-GDPRCyNation - 7 things you should know about EU-GDPR
CyNation - 7 things you should know about EU-GDPR
Shadi A. Razak
 
14.3.2018, Παρουσίαση Κώστα Γκρίτση στην εκδήλωση «Προστασία Προσωπικών Δεδομ...
14.3.2018, Παρουσίαση Κώστα Γκρίτση στην εκδήλωση «Προστασία Προσωπικών Δεδομ...14.3.2018, Παρουσίαση Κώστα Γκρίτση στην εκδήλωση «Προστασία Προσωπικών Δεδομ...
14.3.2018, Παρουσίαση Κώστα Γκρίτση στην εκδήλωση «Προστασία Προσωπικών Δεδομ...
ekyklos Κύκλος Ιδεών για τη Εθνική Ανασυγκρότηση
 

Similar to GDPR and ISO 27001 - how to be compliant (20)

CyNation: 7 Things You Should Know about EU GDPR
CyNation: 7 Things You Should Know about EU GDPRCyNation: 7 Things You Should Know about EU GDPR
CyNation: 7 Things You Should Know about EU GDPR
 
CyNation - 7 things you should know about EU-GDPR
CyNation - 7 things you should know about EU-GDPRCyNation - 7 things you should know about EU-GDPR
CyNation - 7 things you should know about EU-GDPR
 
ISMS End-User Training Presentation.pptx
ISMS End-User Training Presentation.pptxISMS End-User Training Presentation.pptx
ISMS End-User Training Presentation.pptx
 
Vuzion Love Cloud GDPR Event
Vuzion Love Cloud GDPR Event Vuzion Love Cloud GDPR Event
Vuzion Love Cloud GDPR Event
 
Information security: importance of having defined policy & process
Information security: importance of having defined policy & processInformation security: importance of having defined policy & process
Information security: importance of having defined policy & process
 
Data Privacy Protection Competrency Guide by a Data Subject
Data Privacy Protection Competrency Guide by a Data SubjectData Privacy Protection Competrency Guide by a Data Subject
Data Privacy Protection Competrency Guide by a Data Subject
 
GDPR solutions (JS Event 28/2/18) | Greenlight Computers
GDPR solutions (JS Event 28/2/18) | Greenlight Computers GDPR solutions (JS Event 28/2/18) | Greenlight Computers
GDPR solutions (JS Event 28/2/18) | Greenlight Computers
 
GDPR challenges for the healthcare sector and the practical steps to compliance
GDPR challenges for the healthcare sector and the practical steps to complianceGDPR challenges for the healthcare sector and the practical steps to compliance
GDPR challenges for the healthcare sector and the practical steps to compliance
 
Personally Identifiable Information Protection
Personally Identifiable Information ProtectionPersonally Identifiable Information Protection
Personally Identifiable Information Protection
 
Data Protection and Data Privacy
Data Protection and Data PrivacyData Protection and Data Privacy
Data Protection and Data Privacy
 
Big Data LDN 2017: Applied AI for GDPR
Big Data LDN 2017: Applied AI for GDPRBig Data LDN 2017: Applied AI for GDPR
Big Data LDN 2017: Applied AI for GDPR
 
CWIN17 san francisco-geert vanderlinden-don't be stranded without a (gdpr) plan
CWIN17 san francisco-geert vanderlinden-don't be stranded without a (gdpr) planCWIN17 san francisco-geert vanderlinden-don't be stranded without a (gdpr) plan
CWIN17 san francisco-geert vanderlinden-don't be stranded without a (gdpr) plan
 
GDPR compliance and information security: Reducing data breach risks
GDPR compliance and information security: Reducing data breach risksGDPR compliance and information security: Reducing data breach risks
GDPR compliance and information security: Reducing data breach risks
 
GDPR & IBM i Security
GDPR & IBM i SecurityGDPR & IBM i Security
GDPR & IBM i Security
 
Automatski - The Internet of Things - Privacy Standards
Automatski - The Internet of Things - Privacy StandardsAutomatski - The Internet of Things - Privacy Standards
Automatski - The Internet of Things - Privacy Standards
 
GDPR Are you ready for auditing privacy ?
GDPR Are you ready for auditing privacy ?GDPR Are you ready for auditing privacy ?
GDPR Are you ready for auditing privacy ?
 
14.3.2018, Παρουσίαση Κώστα Γκρίτση στην εκδήλωση «Προστασία Προσωπικών Δεδομ...
14.3.2018, Παρουσίαση Κώστα Γκρίτση στην εκδήλωση «Προστασία Προσωπικών Δεδομ...14.3.2018, Παρουσίαση Κώστα Γκρίτση στην εκδήλωση «Προστασία Προσωπικών Δεδομ...
14.3.2018, Παρουσίαση Κώστα Γκρίτση στην εκδήλωση «Προστασία Προσωπικών Δεδομ...
 
Flash Friday: Data Quality & GDPR
Flash Friday: Data Quality & GDPRFlash Friday: Data Quality & GDPR
Flash Friday: Data Quality & GDPR
 
The GDPR and its requirements for implementing data protection impact assessm...
The GDPR and its requirements for implementing data protection impact assessm...The GDPR and its requirements for implementing data protection impact assessm...
The GDPR and its requirements for implementing data protection impact assessm...
 
The general data protection act overview
The general data protection act overviewThe general data protection act overview
The general data protection act overview
 

Recently uploaded

Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider  Progress from Awareness to Implementation.pptxTales from a Passkey Provider  Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
FIDO Alliance
 
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptxHarnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
FIDO Alliance
 
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
Muhammad Subhan
 

Recently uploaded (20)

Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider  Progress from Awareness to Implementation.pptxTales from a Passkey Provider  Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
 
WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024
 
2024 May Patch Tuesday
2024 May Patch Tuesday2024 May Patch Tuesday
2024 May Patch Tuesday
 
ERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage Intacct
 
How we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdfHow we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdf
 
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptxHarnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
 
State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!
 
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
 
Design and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data ScienceDesign and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data Science
 
WebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM PerformanceWebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM Performance
 
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
 
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
 
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
 
Portal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russePortal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russe
 
ADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptxADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptx
 
الأمن السيبراني - ما لا يسع للمستخدم جهله
الأمن السيبراني - ما لا يسع للمستخدم جهلهالأمن السيبراني - ما لا يسع للمستخدم جهله
الأمن السيبراني - ما لا يسع للمستخدم جهله
 
Google I/O Extended 2024 Warsaw
Google I/O Extended 2024 WarsawGoogle I/O Extended 2024 Warsaw
Google I/O Extended 2024 Warsaw
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and Insight
 
How to Check GPS Location with a Live Tracker in Pakistan
How to Check GPS Location with a Live Tracker in PakistanHow to Check GPS Location with a Live Tracker in Pakistan
How to Check GPS Location with a Live Tracker in Pakistan
 
JavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate GuideJavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate Guide
 

GDPR and ISO 27001 - how to be compliant

  • 1. GDPR and ISO 27001 Compliance
  • 2. Assentian • A London based Cyber Security Practice • Certified Information Security Auditors • Certified ISO 27001 Implementors • Members of the UK Cyber Security Forum • Dr Ilesh Dattani – Member of the International Standards Committees on – Governance and Resilience (information security and business continuity) – Big Data – storage, access, use and sharing in a legal and complaint way. • Mr Jonathan Gay – CISA (Certified Information Security Auditor)
  • 3. The changing face of Data Privacy and Information Security Traditional View The domain of a System Administrator Task of Purchasing a Firewall Implementing Security Controls was not a compulsion Modern View The Domain of the Business Owner Task of Finding out what is AT RISK and finding right solutions for the same Business and Security can’t be separated Security Team Consists of Top Management, IT Managers and a Dedicated Information Security Manager/DPO Plan, Do, Check and Act Model Integration of Quality Systems Like ISO, CMMI etc with Information Security Models
  • 4. Why is this important More and More Dependence on Information Systems Need for a long term and failure proof system for Securing every form of Information Asset Theft of Information can cause disasterous results for companies Projects are awarded to companies who have a sound system to protect Information International Laws like HIPPA and GDPR have set the benchmark for protecting information being stolen or tampered.
  • 5. Type of Information Information can be: created stored destroyed Used Transmitted Categories – Personal, Financial, Operational, Client Information format Paper Databases Disk(ette)s CD-ROMs Tapes (Design) drawings Films Conversations …
  • 6. Business Requirements for Information Security and Data Protection • Commercial requirements • Legal requirements • What is information security? • Basic components • Managing information boundaries • Sharing information with partners • Holistic approach
  • 7. Components of Information Security Confidentiality Integrity Ensuring that information is accessible only to those authorised to have access. Safeguarding the accuracy and completeness of information and processing methods Availability Ensuring that authorised users have access to information and associated assets when required.
  • 8. Integrity Availability Confidentiality In some organisations, integrity and / or availability may be more important than confidentiality.
  • 9. Managing Information Boundaries Intranet connections to other business units, Extranets to business partners, Remote connections to staff working off-site, Virtual Private Networks (VPN’s), Customer networks, Supplier chains, Service Level Agreements, contracts, outsourcing arrangements, Third Party access.
  • 10. Sharing Information Types of information covered by an information security management system Internal - information that you would not want your competitors to know. Customer / client / supplier - information that they would not wish you to divulge. Information that needs to be shared with other trading partners. (This may be one of the above, but may also be specific information that would not otherwise exist in this particular form)
  • 11. It’s a International Standard for Information Security Management It consists of various Specification for information Security Management Code of Practice for Information Security Management Basis for contractual relationship Basis for third party certification Can be Certified by Certification Bodies Applicable to all industry Sectors Emphasis on prevention
  • 12. Five Mandatory requirements of the standard Section 4 – General and Documentation requirement - General requirements - Establishing and maintaining an ISMS - Documentation Requirements “The Organization shall develop, implement, maintain and continually improve a documented ISMS within the context of the organisations overall business activities and risk. For the purposes of this standard the process used is based on PDCA model…”
  • 13. Interested parties Establish the ISMS Plan Implement and operate the ISMS Do Maintain and improve the ISMS Act Monitor and review the ISMS Check Interested parties
  • 14. Section 5 - Management Responsibility Management Commitment Resource Management Section 6 – Internal ISMS Audits Section 7 - Management Review of the ISMS Review Input Review Output Section 8 - ISMS Improvement Continual Improvement Corrective Action Preventive Action
  • 15. Important Areas of Concern ISO27001 Security policy (5) Organization of information security (6) Asset management(7) Human resources security (8) Physical and environmental security (9) Communications and operations management (10) Access control (11) Information systems acquisition, development and maintenance (12) Information security incident management (13) Business continuity (14) management Compliance (15)
  • 16. Asset Management - Data Objective: Responsibility for assets Information classification Covers: Inventory of assets Ownership of assets Acceptable use of assets Classification guidelines Information labelling and handling
  • 17. Third-Party Relationships • As part of GDPR an organisation is required to manage compliance of any suppliers that it uses – what does that mean ? – You must audit the supplier to make sure they meet the requirements within the context of the service they are providing – If you are providing a service to a client and part of that is then sub-contracted – you carry the laibility and risk of non-compliance on the part of the sub-contractor
  • 18. Information Asset Classification SrSr Asset CategoryAsset Category ClassificationClassification 1 Paper Assets Client Confidential 2 Electronic Data Company Confidential 3 Hardware Commercial in Confidence 4 Software Restricted 5 People Critical & Non Critical
  • 19. Compliance Objective Compliance with legal requirements Compliance with security policies and standards, and technical compliance Information Systems audit considerations Covers: Identification of applicable legislation Intellectual property rights (IPR) Protection of organizational records Data protection and privacy of personal information Prevention of misuse of information processing facilities Regulation of cryptographic controls Compliance with security policies and standards Technical compliance checking Information systems audit controls Protection of information system audit tools
• 22. How does ISO 27001 Help
• ISO 27001 is a framework for information protection.
• Under GDPR, personal data is critical information that every organization processing it must protect.
• GDPR also goes beyond information security: it requires organizations to support the rights of data subjects, such as the right to be informed, the right to erasure, and the right to data portability.
• If the ISO 27001 implementation treats personal data as an information security asset, the security-related GDPR requirements (in particular the security of processing) will largely be covered; the data-subject rights above still need their own processes on top of the ISMS.
• 23. ISO 27001 and GDPR
• Risk Assessment – Given the high fines defined in the EU GDPR and their financial impact on organizations, the risk to personal data identified during the ISO 27001 risk assessment will naturally be too high to leave untreated. At the same time, the EU GDPR introduces Data Protection Impact Assessments, under which companies processing personal data in ways likely to be high-risk must first analyze the risks to the rights and freedoms of the individuals concerned, an exercise very similar to what ISO 27001 already requires. The link to ISO 27001 is control A.8.2.1 (Classification of information): "Information should be classified in terms of legal requirements, value, criticality and sensitivity to unauthorized disclosure or modification." Since GDPR places legal requirements on personal data, that data will be classified as high criticality.
• 24. ISO 27001 and GDPR
• Compliance – Control A.18.1.1 (Identification of applicable legislation and contractual requirements) makes it mandatory to maintain a list of the relevant legislative, statutory, regulatory and contractual requirements. If the organization is in scope of the EU GDPR, the regulation must appear on that list. Even where the organization is not covered by the EU GDPR, control A.18.1.4 (Privacy and protection of personally identifiable information) requires it to protect personally identifiable information as the applicable legislation and regulation demand, which in practice means a data protection policy.
• 25. ISO 27001 and GDPR
• Breach notification – Companies must notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Implementing ISO 27001 control A.16.1 (Management of information security incidents and improvements) provides "a consistent and effective approach to the management of information security incidents, including communication on security events." Under the EU GDPR the data subjects (a data subject is a living individual to whom personal data relates) must also be notified, but only when the breach is likely to result in a high risk to their rights and freedoms. An incident management process that detects and reports personal data incidents is therefore a direct step towards GDPR conformance.
• 26. ISO 27001 and GDPR
• Asset Management – ISO 27001 Annex A.8 (Asset Management) leads to personal data being included as an information security asset, so the organization knows what personal data it holds, where it is stored, for how long, where it came from and who has access to it, all of which the EU GDPR requires it to know.
• 27. ISO 27001 and GDPR
• Privacy by Design – Data protection by design and by default is a further EU GDPR requirement and becomes mandatory in the development of products and systems. ISO 27001 control A.14 (System acquisition, development and maintenance) ensures that "information security is an integral part of information systems across the entire lifecycle," which is the place to build the privacy requirements in.
• 28. ISO 27001 and GDPR
• Supplier Relationships – ISO 27001 control A.15.1 (Information security in supplier relationships) requires the "protection of the organization's assets that are accessible by suppliers." Where the organization delegates the processing or storage of personal data to a supplier, the GDPR requires it to bind that supplier to the requirements of the regulation through a formal written agreement.
• 29. ISO 27001 and GDPR
• Conduct an EU GDPR gap analysis to determine what remains to be done to meet the EU GDPR requirements; the outstanding requirements can then be added through the Information Security Management System already established by ISO 27001.
• 30. ISO 27001 and GDPR
• From the ISO 27000 family, ISO/IEC 27018 (Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors) should also be consulted if the organization stores or processes personal data in the cloud. See the article "ISO 27001 vs. ISO 27018 – Standard for protecting privacy in the cloud" to learn more.
• 31. Compliance Service Offers
• ISO 27001 Management
– Oversee Compliance Process
– Implementation and Certification
• Full ISO 27001 Compliance Service
• ISO 27001 Audit
• GDPR Gap Analysis
• ISO 27001 Default Procedures and Processes
– Advisory Services in implementation
• ISO 27001 and GDPR Training and Awareness