This webinar covers:
- An overview of the GDPR
- How an ISO 27001-aligned ISMS can support GDPR compliance
- The top risks that result in data breaches
- The benefits of implementing an ISMS
- The technical and organisational requirements to achieve GDPR compliance
- How to improve your overall information security in line with the GDPR’s requirements
A recording of the webinar can be found here: https://www.youtube.com/watch?v=s7XQwBQ6JMg
GDPR compliance and information security: Reducing data breach risks
1. GDPR COMPLIANCE AND INFORMATION SECURITY: REDUCING DATA BREACH RISKS
Presented by:
• Alan Calder, CEO and Executive Chairman
• IT Governance Ltd
• 5 April 2018
2. Today’s discussion
• The GDPR – an overview
• How an ISO 27001-aligned ISMS can support GDPR compliance
• The top risks that result in data breaches
• The benefits of implementing an ISMS
• The technical and organisational requirements to achieve GDPR compliance
• How to improve your overall information security in line with the GDPR’s requirements
Copyright IT Governance Ltd - v 0.1
4. What is the GDPR?
• The EU General Data Protection Regulation (GDPR) comes into effect on 25 May 2018, superseding the UK Data Protection Act 1998.
• The new Regulation gives individuals more control over how their information is collected and processed, while putting pressure on organisations that process EU residents’ personal data to tighten their data protection processes.
• The GDPR requires organisations to adopt appropriate policies, procedures and processes to protect the personal data they hold. This involves taking a risk-based approach to data protection, and building a workplace culture of data privacy and security.
5. HOW AN ISO 27001-ALIGNED ISMS CAN SUPPORT GDPR COMPLIANCE
6. How an ISO 27001-aligned ISMS can support GDPR compliance
• GDPR requirement: demonstrate compliance with its data processing principles.
• An information security management system (ISMS) is a cost-effective system that helps to manage, monitor, audit and continually improve an organisation’s information security practices.
• ISO/IEC 27001:2013 (ISO 27001) is the international standard that describes best practice for implementing an ISMS.
• An ISMS ensures your organisation’s confidential or sensitive information, including personal data, remains secure by managing information security risks in line with wider business objectives.
• ISO/IEC 27002:2013 (ISO 27002) provides guidance for implementing appropriate measures to mitigate information security risks.
• The systematic approach – relying on three pillars: people, processes and technology – helps organisations comply with the GDPR’s requirements.
8. What are the leading causes of breaches?¹
• 75% perpetrated by outsiders
• 51% involved organised criminal groups
• 25% involved internal actors
• 18% conducted by state-affiliated actors
¹ The 2017 Data Breach Investigations Report – Verizon
9. What are the most common tactics used?²
• 62% of breaches featured hacking
• 51% included malware
• 81% of hacking-related breaches leveraged stolen and/or weak passwords
• 43% were social engineering attacks
• 14% were caused by errors and privilege misuse
• 8% featured physical actions
² The 2017 Data Breach Investigations Report – Verizon
11. The benefits of ISO 27001 compliance
• Secures your information in all its forms
• Helps win new business and retain existing customers
• Provides an independent assessment of your security posture
• Reduces the need for frequent audits
• Helps respond to evolving security threats
• Reduces costs associated with information security
• Protects confidentiality, integrity and availability of data
• Improves company culture, structure and focus
• Facilitates compliance with laws and regulations
12. THE IMPORTANCE OF PEOPLE, PROCESSES, AND TECHNOLOGY IN INFORMATION SECURITY
Three pillars of information security
Securing organization-wide commitment
13. THE TECHNICAL AND ORGANISATIONAL REQUIREMENTS TO ACHIEVE GDPR COMPLIANCE
14. The technical and organisational requirements to achieve GDPR compliance
Article 32 of the GDPR specifically requires organisations to, as appropriate:
• Take measures to pseudonymise and encrypt personal data;
• Ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
• Restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and/or
• Implement a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of processing.
An effective ISMS that conforms to ISO 27001 will meet all the above requirements.
16. What does ‘good’ security look like?
• Board/leadership support and commitment
• Involves the entire organisation
• Built around a business-focused risk assessment
• People, process and technology risks
• Protects all data (not just personal data) – C, I, A
• Lends itself to regular reviews and continual improvement
• Can be audited by an external entity
• Includes incident monitoring, logging and response planning
• Follows proven best practice
• Is internationally accepted and supported
18. The nine-step approach to implementing an ISMS
1) Project mandate
   • Assemble information
   • Establish senior-level commitment
   • Review senior-level commitment
   • Set information security goals
2) Project initiation
   • Set up a project team
   • Assemble project team
   • Draw up a RACI matrix
3) ISMS initiation
   • Establish documentation structure
4) Management framework
   • Identify the scope of the ISMS
   • Formalise an information security policy
   • Define communication strategy
   • Identify competence requirements
5) Baseline security criteria
   • Identify the practices you already have in place, assess their effectiveness, and ensure that they continue
6) Risk management
   • Establish risk assessment framework
   • Select risk management options
   • Define risk acceptance criteria
   • Create a Statement of Applicability (SoA)
7) Implementation
   • Conduct a needs analysis
   • Establish a staff awareness programme
8) Measure, monitor and review
   • Monitoring, measurement, analysis and evaluation
   • Internal audit
   • Management review
9) Certification
   • Ensure documentation is complete, comprehensive and available
   • Ensure you have records of internal audits and testing
   • Ensure management involvement
19. Risk assessments and controls
Risk assessment
• An information security risk assessment is a formal, top management-driven process, and sits at the core of an ISO 27001 ISMS.
• A risk assessment should be repeatable, transparent, traceable and consistent.
• There are four ways to treat risks: avoid, modify, share, or retain.
Controls
• The risk assessment process determines the controls that have to be deployed in your ISMS.
• ISO 27001 includes a set of 114 controls in Annex A that are designed to mitigate information security risks.
• These controls are divided into 14 different categories.
• The Standard does not mandate the use of these controls, but you must justify their inclusion or exclusion.
• You must complete an SoA and risk treatment plan.
20. 14 control sets of Annex A
• A.5 Information security policies
• A.6 Organisation of information security
• A.7 Human resource security
• A.8 Asset management
• A.9 Access control
• A.10 Cryptography
• A.11 Physical and environmental security
• A.12 Operations security
• A.13 Communications security
• A.14 System acquisition, development and maintenance
• A.15 Supplier relationships
• A.16 Information security incident management
• A.17 Information security aspects of business continuity management
• A.18 Compliance
21. IT Governance: one-stop shop
Get started now with these best-selling resources and tools:
• ISO 27001 standard
• Must-have implementation guidance
• ISO 27001 training courses
• Policies and procedures documentation toolkit
• ISO 27001 consultancy
• Risk assessment software
• ISO 27001 DIY packages
22. Ways to learn
IT Governance ISO 27001 courses
• ISO27001 Certified ISMS Foundation
• ISO27001 Certified ISMS Lead Implementer
• ISO27001 Foundation and Lead Implementer Combination Course
SPECIAL OFFER: Receive a free ISO 27001 Cybersecurity Documentation Toolkit worth $799 when you book this course.
23. How to get in touch
• Call us: +44 (0)333 800 7000
• Email us: servicecentre@itgovernance.co.uk
• Visit our website: https://www.itgovernance.co.uk/
• Like us on Facebook: /ITGovernanceLtd
• Follow us on Twitter: @ITGovernance
• Join us on LinkedIn: IT Governance Ltd
• Contact an ISO 27001 specialist: www.itgovernance.co.uk/speak-to-an-iso-27001-expert