Tech Connect Live 30th May 2018 ,GDPR Summit Sharon o' reilly
- 1. How ISO 27001 can assist with your GDPR compliance
GDPR Summit
May 30th 2018
Sharon O’Reilly, IT Governance Ltd
www.itgovernance.co.uk
- 2. Introduction: Speaker Background
– GRC/GDPR Consultant Ireland – IT Governance
– Certified Data Protection Practitioner and Practitioner Course Trainer
– Certified Trainer: Data Protection, Information Security, Management Systems
– Certified ISO 27001 Lead Auditor and Lead Implementer
– 16 years’ experience as a consultant to Irish industry
– Specialising in ISO 27001, Data Protection and PCI DSS consultancy
– Have consulted to organisations across multiple sectors
– Experienced auditor and compliance systems implementer and contract manager
– Engaged by clients to audit key suppliers and act as lead for external certification and client audits
– BSc and MSc Analytical Science
– 10 Years experience in the pharmaceutical regulatory and compliance areas
© IT Governance Ltd 2018
- 3. Overview
The GDPR is with us as of Friday 25th May, but it is widely acknowledged that there is much still to be done to achieve compliance.
The purpose of this presentation is to explain clearly and simply how ISO 27001 can help you in your quest to achieve and maintain GDPR compliance.
- 4. Overview
GDPR: EU General Data Protection Regulation. This Regulation needs to be considered alongside the new Irish Data Protection Act, which was signed into law on Thursday 24th May 2018.
ISO 27001:2013: the Information Security Management Systems standard (current version issued in 2013), and the international gold standard in the information security management sphere.
- 5. Overview
But what has ISO 27001 got to do with GDPR compliance?
Quite a lot, actually…
- 6. GOOD NEWS!!
Many organisations have been struggling with their GDPR compliance programmes… why is there no standard we can use?
There is… ISO 27001 is all about creating robust and practical information security management systems and creating a culture of security.
While this does not cover all aspects of GDPR compliance, it does cover many key areas.
- 7. Overview
GDPR compliance is a legal necessity.
Information security management is a business essential.
Put them together and you have a very valuable framework which will allow you to manage GDPR compliance going forward and maintain best practice in information security.
- 9. ISO 27001 and GDPR
| KEY REQUIREMENTS | GDPR | ISO 27001 |
| --- | --- | --- |
| Risk-based approach | √ | √ |
| Systematic approach to information security | √ | √ |
| Data Processing Principles 4 - 6 | √ | √ |
| Accountability | √ | √ |
| Security of Processing | √ | √ |
| Continual Improvement | √ | √ |
- 10. RISK-BASED APPROACH
The GDPR requires organisations to adopt appropriate policies, procedures and processes to protect the personal data they hold.
This involves taking a risk-based approach to data protection and building a workplace culture of data privacy and security.
- 11. SYSTEMATIC APPROACH TO INFORMATION SECURITY
ISO 27001 provides exactly that – a systematic approach to information security management, with mandatory systems or processes which “manage/control the controls”.
It is a management systems standard.
- 12. GDPR PRINCIPLES OF PROCESSING
Personal data must be:
1. Processed lawfully, fairly and in a transparent manner
2. Collected for specified, explicit and legitimate purposes
3. Adequate, relevant and limited to what is necessary
4. Accurate and, where necessary, kept up to date (ISO 27001)
5. Retained only for as long as necessary (ISO 27001)
6. Processed in an appropriate manner to maintain security (ISO 27001)
7. Accountability
- 13. ACCOUNTABILITY
The GDPR introduces a new principle, that of accountability. The GDPR requires that your organisation can demonstrate compliance with all the principles.
So, your organisation needs to build such a culture and to be able to demonstrate accountability.
- 15. SECURITY OF PROCESSING
Article 32 of the GDPR says that technical and organisational measures must be taken to “ensure a level of security appropriate to the risk”.
ISO 27001 mandates risk management to identify such measures, and Annex A identifies specific control measures.
- 16. CONTINUAL IMPROVEMENT
The GDPR refers to “regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing” (Article 32).
- 17. CONTINUAL IMPROVEMENT
An ISO 27001-aligned ISMS provides measures to “continually improve the suitability, adequacy and effectiveness of the ISMS”. Applying this approach to continual improvement also supports compliance with the GDPR.
- 18. More good news… added extras
Using ISO 27001 as a framework for managing GDPR compliance not only makes GDPR compliance simpler, both at the implementation phase and on a continuous and sustainable basis, but also gives us many more extra benefits…
- 19. More good news… added extras
- Protection of all information – not just personal data
- Assurance to the outside world – “we take security seriously”
- Reduced reputational risks – “bad headline avoidance”