© 2019 ControlCase All Rights Reserved
ISO 27001 & ISO 27701 In the Age of Privacy
Agenda
Your IT Compliance Partner – Go beyond the checklist
• Introductions
• Introduction to ISO 27001, ISO 27701 and ISMS
• What is the Certification Process
• Common Challenges
• Q&A
Introductions – ControlCase and KUMA
ControlCase Snapshot
Certification and Continuous Compliance Services
Go beyond the auditor’s checklist to dramatically cut the time, cost and burden of becoming certified and maintaining IT compliance:
• Demonstrate compliance more efficiently and cost effectively (cost certainty)
• Improve efficiencies
• Do more with fewer resources and gain compliance peace of mind
• Free up your internal resources to focus on their priorities
• Offload much of the compliance burden to a trusted compliance partner
1000+ Clients | 275+ Security Experts | 10,000+ IT Security Certifications
Certification Services
OneAudit – Collect Once, Certify Many
PCI DSS, ISO 27001 & 27002, SOC 1, SOC 2, SOC 3 & SOC for Cybersecurity, HITRUST CSF, HIPAA, PCI P2PE, GDPR, NIST 800-53, PCI PIN, PCI PA-DSS, FedRAMP, PCI 3DS
“You have 27 seconds to make a first impression. And after our initial meeting, it became clear that they were more interested in helping our business and building a relationship, not just getting the business.”
Sr. Director, Information Risk & Compliance, Large Merchant
Automation-Driven SkyCAM | Partnership Approach | IT Certification Services | Continuous Compliance Services
About Kuma
An Industry Leader in the Privacy, Security and Digital Identity Space
Security and Privacy Reimagined: proven expertise coupled with extensive subject matter expertise that delivers value beyond compliance
• Redefine your Privacy Risk Management and demonstrate value in addition to meeting compliance requirements
• Unlock business value with our expertise
• Tailored risk management processes
• Superior compliance outcomes coupled with business value beyond best practice
200,000+ Client Hours | 2,000+ Expert Opinions | 12,000+ Reviews Conducted
Risk Management Consulting Services of Kuma
More About KUMA
National Strategy for Trusted Identities in Cyberspace
• Supported the development of the White House strategy
NIST Privacy Risk Assessment Methodology & NIST Privacy Framework
• Supported the development of the PRAM
• Premier national expert in PRAM
• Implementation of the NIST Privacy Framework – first in the nation
Security and Privacy Requirements, Identity Ecosystem Framework
• Supported the development of the Identity Ecosystem Steering Group’s Security and Privacy Requirements
Assessment and Audit Expertise
• Certified Federal Identity, Credential and Access Management (US FICAM) Auditor
• Certified HIPAA Privacy Security Expert (CHPSE)
• Numerous technology audits and risk assessments including ISO 27000, FedRAMP, HITRUST, etc.
Sought-after public speakers for national and international forums
Introduction to ISO 27001, ISO 27701 and ISMS
Introduction to ISO 27001, ISO 27701 and ISMS
A Brief about the Standards
• ISO/IEC 27001 is an information security standard, part of the ISO/IEC 27000 family of standards.
• ISO/IEC 27701 is a privacy extension to ISO/IEC 27001 and ISO/IEC 27002 and provides additional guidance for the protection of privacy, which is potentially affected by the collection and processing of personal information.
• An ISMS (Information Security Management System) is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organization's information risk management processes.
Structure of ISO/IEC 27701
• Necessary modifications to the ISMS (Clause 5) – PIMS-specific guidance related to ISO/IEC 27001
• Additional information security controls (Clause 6) – PIMS-specific guidance related to ISO/IEC 27002
• Additional controls for PII controllers (Clause 7) – PIMS-specific guidance for PII controllers
• Additional controls for PII processors (Clause 8) – PIMS-specific guidance for PII processors
• Informative mappings – part of the 6 annexes to the standard
What's covered in ISO 27001
Information Security Policies
Organization of Information Security
Human resource security
Asset management
Access control
Cryptography
Physical and environmental security
Operations security
Communications security
SDLC
Supplier relationships
Incident management
Business continuity
Compliance
Privacy Add-on Assessment (ISO 27701)
• Additional assessment time required
• Depends on the entity being a PII controller, a PII processor or both
• PII Controller
  - Covers areas like contracts and obligations to consumers
  - Covers retention and disposal objectives
• PII Processor
  - Covers areas such as marketing and advertising use
  - Covers inter-organization and inter-country rules for PII
ControlCase/KUMA Certification Process
ControlCase/KUMA Certification Methodology
KUMA Readiness and Pre-Assessment
• Consolidated Pre-Assessment (ControlCase 250 Assessment)
• Using SkyCAM and Integrated Checklist
• Evaluation of policies and procedures
• Exit this phase only once you are fully ready for Stage 1 and Stage 2
Phase 2a – ISO Stage 1 Audit
• Stage 1 Onsite
Phase 2b – ISO Stage 2 Audit
• Stage 2 Onsite
Deliverables
• ISO Certificate issued
• Extension Documents
Readiness: Getting Ready for Privacy Leadership with ISO 27701
An organization's privacy risk management bar can be significantly raised by aligning its privacy practices with ISO 27701. Along with streamlined PII management, aligning to the standard can bring myriad benefits that enable the state of the art at the organization.
• PII Management based on a global standard
- Standardized requirements ensure consistency
- Globally recognized way of managing PII
• Trustworthy PII management & reduced complexity
- Enhances stakeholder and end user trust
- Provides an ability to integrate with the ISMS
• Effective business agreements & transparency
- Evidence related to PII management speaks for itself
- Enhanced transparency for business & stakeholders
• Superior compliance outcomes & multi-party collaboration
- Well defined artefacts, roles and responsibilities
- Seamless direct alignment with global requirements such as GDPR
Superior Outcomes
Readiness process (six steps):
1. Planning & Scoping
2. Readiness Assessment
3. Evaluate Implementation of ISMS
4. Evaluate Implementation of Controls
5. Evaluate Implementation of ISO 27701 specific controls
6. Report on Findings and remediation tasks
Stage 1, Stage 2 and Surveillance Audits
• Stage 1 Onsite Audit
- 2 to 5 days
- To be done in Year 1 Only
• Stage 2 Onsite Audit
- 1 to 3 days
- To be done in Year 1
• Surveillance Audits
- 1 to 3 days
- To be done in Year 2 and 3
ISO 27001 certification has been established for a long time; ISO 27701 (privacy) is a recent add-on/extension.
ControlCase ISO 27001/27701 Questions
• Common ISO Scoping Questions (6 questions)
• ISO 27001 Assessment Questions (98 questions)
• ISO 27701 Add-on Assessment Questions (54 questions)
• Document Release Questions (4 questions)
Total: 162 questions
Common Challenges
Compliance Challenges In General
Proving and maintaining compliance places a significant burden on organizations: it takes people away from their core responsibilities and strains already taxed resources.
Organizations struggle with:
• Dealing with multiple regulations
• Keeping up with changing regulations & compliance requirements
• Understanding & translating compliance frameworks
• The time spent preparing for audits
• The lack of visibility into their compliance posture
Common Challenges to ISO 27001/27701
Business Associate
• Agreements to be formalized
• Vendor management process
Vulnerability Management
• Periodic vulnerability management
• Patching devices
• Application code rewrite
Logging & Monitoring
• 24X7X365 monitoring
• Managing volume of logs
Encryption
• Encryption of PII
PII Policies and Training
• Annual training
• Documented PII policies and procedures
Why ControlCase/Kuma
Why Kuma: One-stop shop for privacy and security expertise
• Extensive experience with ISO standards
- Experience of ISO standardization across industries
- End-to-end ISO PDCA cycle experience
• Certified ISO Lead Auditors & Resources
- Availability of inhouse ISO Lead Auditors
- Gold standard privacy certified professionals
• Cross-domain expertise: Privacy & Security
- Ability to cross-walk between multiple domains
- Tighter integration between Privacy and Security aspects
Kuma specializes in transforming the risk posture of its clients by implementing globally renowned ISO standards. With end-to-end capabilities in the standardization space, Kuma is poised to deliver unmatched value.
Kuma’s Value Delivery with ISO 27701
• Redefine your Privacy Risk Management
- Proven risk management methodology
- Benchmarked PII management process
• Unlock business value with our expertise
- Reap value from the gold standard
- Business enabler & qualification criteria
• Optimize the organization’s resources
- Tailored privacy risk management process
- Continuity from strategy to operations
Kuma brings industry leading expertise that redefines the way your organization handles privacy
risk. Superior compliance outcomes coupled with business value can be derived when you look
beyond the best practice. Optimized resources are just another spin-off of the value delivery.
ControlCase Certification Outcomes
Before ControlCase:
“It’s a challenge keeping up with the changing compliance landscape. Given that we had GDPR and now the California data privacy law, not to mention HIPAA and others, there are a lot of regulations and frameworks to keep up with and a lot of time spent preparing for audits. That puts a lot of overhead and strain on me and my team. We just don’t have the expertise or time to keep up.”
With KUMA (cut audit prep time by 70%):
“We cut audit prep time by 70% using KUMA. It was their partner approach to us; a combination of their expertise, their responsiveness and automation. They brought us great ideas on how to streamline our process, and we were able to take advantage of automated data collection. And, their IT Compliance Portal gave us visibility throughout the entire process.
Another thing - we don’t look at compliance as a once a year event, and now, with ControlCase’s Continuous Compliance services, we have the visibility into what’s in compliance and what’s not all year long. We can quickly remediate an issue before it becomes a security threat.”
Summary – Why ControlCase
“They provide excellent service, expertise and technology. And, the visibility into my compliance throughout the year and during the audit process provides a lot of value to us.”
Dir. of Compliance, SaaS company
Your IT Compliance Partner – Go beyond the auditor’s checklist
Partnership Approach | SkyCAM IT Compliance Portal | Automation-driven Continuous Compliance Services
Email: contact@controlcase.com
Telephone: Americas +1.703-483-6383 | India +91.22.50323006
Social Media: Connection Support
www.facebook.com/user
www.linkin.com/user
Visit our website: www.controlcase.com
THANK YOU FOR THE OPPORTUNITY TO CONTRIBUTE TO YOUR IT COMPLIANCE PROGRAM