
ISO/IEC 27701 vs GDPR: What you need to know

As a follow-up to the previous session (4th of December), we run through the GDPR part of the ISO/IEC 27701 standard, which was published in August 2019.
We'll take it from another angle and use ISO/IEC 27701 as a guide to complete the checklist for the GDPR implementation.

Also, with the help of the (new) PECB ISO/IEC 27701 lead auditor course, we'll have an auditor's look at the ISO certification and compliance. It's important to see how it works, to make sure your GDPR implementation can withstand the increasing demand for maturity from customers, subjects and data protection authorities that start to exercise their rights.

ISO/IEC 27701 contains important requirements and implementation guidance for a PIMS (Privacy Information Management System), which will set the baseline for the future of privacy and data protection.

The webinar covers:

- The GDPR view of the ISO/IEC 27701
- Mapping the GDPR to-do and the ISO/IEC 27701 to-do list.
- The ISO/IEC 27701 auditor mindset
- Compliance AND/OR/XOR solid data protection?
- Status of GDPR certification

Date: December 04, 2019
Recorded Webinar: https://www.youtube.com/watch?v=P80So3ryvJ8&feature=youtu.be



  1. Agenda
     - Introduction
     - The GDPR view of the ISO/IEC 27701
     - Mapping the GDPR to-do and the ISO27701 to-do list.
     - The ISO/IEC 27701 auditor mindset
     - Compliance AND/OR/XOR solid data protection?
     - Status of GDPR certification
     - Q & A
  2. Introduction
  3. Peter Geelen (CyberMinute)
     - My experience: 20+ years experience in security; Enterprise Security & IAM; Cybersecurity; Data Protection & Privacy; Incident management, Disaster Recovery; Trainer, coach, auditor
     - Certification: ISO27001 Master & Lead ISO27002; ISO27701 Lead Impl. & Lead Auditor; Certified DPO & Fellow In Privacy; Lead Incident Mgr & Disaster Recovery; ISO27032 Sr. Lead Cybersecurity Mgr; Lead ISO27005 (Risk Mgmt)
     - Accreditation: Accredited ISO27001/9001 Lead auditor; Accredited Security Trainer
     - More info: http://www.cyberminute.com, LinkedIn https://ffwd2.me/pgeelen, peter@cyberminute.com
  4. Before we start… Previous session recap
  5. Previous session
     - Quick Guide to ISO/IEC 27701 - The Newest Privacy Information Standard
     - PECB: https://pecb.com/past-webinars/quick-guide-to-isoiec-27701-the-newest-privacy-information-standard
     - Recording: https://youtu.be/ilw4UmMSlU4
     - Slideshare: https://www.slideshare.net/PECBCERTIFICATION/quick-guide-to-isoiec-27701-the-newest-privacy-information-standard
     - Check the past webinars on the PECB website at https://pecb.com/past-webinars
  6. Quick Recap
     - Best practices ≠ regulations
     - ISO Requirements (ref. audit) vs guidelines
     - Privacy ≠ Data Protection
     - Data protection ≠ Information Security
     - PII vs Personal Data
     - International vs. Regional
  7. The GDPR view of the ISO/IEC 27701: Annex D, Mapping to GDPR
  8. The classic view
     - As initially designed: ISO 27001 is the baseline; + ISO 27701 on top (extra measures); focus on "privacy"
     - GDPR flavor is … (ref. Annex D): simply replace "privacy" with "data protection" terminology; extend the ISO27001 mindset to a GDPR mindset; extended stakeholders/interested parties/external parties; extended requirements
  9. Annex D: The GDPR mapping in ISO27701
  10. Using the annex
     - At first sight: nice overview, but… pretty cryptic, because it is only a number mapping
     - To use it: look up the article in ISO27701 (or do you know it by heart?), then look up in GDPR (or do you kn…? Nevermind.)
     - Would be handy to have: more explicit, clear naming…; reverse mapping (GDPR to ISO)
  11. Sorting the mapping by GDPR Article to see ISO27701? Something like…
  12. Sorting the mapping by GDPR Article to see ISO27701? or…
  13. Download
     - Github, direct download: http://ffwd2.me/ISO27701mapping
     - LinkedIn page with this session's collaterals: https://ffwd2.me/ISO27701Collaterals (or find it via my LinkedIn profile > articles)
  14. Mapping the GDPR and the ISO27701 to-do lists
  15. The GDPR check list in ISO27701: sorting the mapping by GDPR Article to see ISO27701
  16. Other sources
     - GDPR articles relevant to implementation, see also: GDPR to ISO27001 mapping from ISO27001security.com (free)
     - GDPR-ISO27k mapping - ISO 27001 Security: https://www.iso27001security.com/ISO27k_GDPR_mapping_release_1.docx
  17. Please note
     - The practical approach of ISO gives you a kickstart
     - It's NOT a 1-off, but a cycle: Plan… Do… Check… Act or Adjust… (and again)
     - No privacy … eh, data protection, without information security
     - But you can have information security without data protection
  18. Please note
     - GDPR articles relevant to implementation: mostly 1..49 (ref. Articles in ISO27701 Annex D.)
     - For EU and DPAs: 50..99, except a few articles… Art. 83 fines ;), Art. 86 Access to public documents, Art. 87 Processing of national ID, Art. 88 Employment context
  19. How to start… some options…
     - Enterprise first -> ISO 27001 first + extension to personal data (GDPR)
     - GDPR only -> Scoping ISO27001 to GDPR only (with help from ISO27701)
     - GDPR - Subject facing first
     - IMPORTANT: implementation is process based, it's an ISMS/PIMS, you cannot protect GDPR data only
  20. Applying the ISO27701 approach to GDPR
     - ISO/IEC 27701, 5.1 General: "/../ The requirements of ISO/IEC 27001:2013 mentioning "information security" shall be extended to the protection of privacy as potentially affected by the processing of PII. NOTE In practice, where "information security" is used in ISO/IEC 27001:2013, "information security and privacy" applies instead (see Annex F)."
     - GDPR: doesn't mention "privacy", but refers only to "data protection"
     - When applying GDPR: apply the same principle, extend "information security" to "information security and (personal) data protection"
  21. PIMS/GDPR implementation (Source: PECB ISO27701 Lead Auditor)
  22. Pay special attention to
     - Terminology: no "privacy", but information security and data protection
     - EVERYONE on board: internal (employees, interims, and … contractors); external (customers, prospects, visitors,… subjects)
     - Policies
     - Communication: information notice; responding to subjects
     - Incident & Crisis management
     - Continuous improvement: ISO27001: Clause 1; GDPR: "state of the art" protection
  23. Pay special attention to
     - GDPR & ISO27701 is a combined job for Business, Legal, IT, HR, CRM, … and external parties…
     - Required expertise for ALL these areas, for every company.
     - Mind Murphy's law: what can go wrong, will go wrong
     - In cyber & GDPR: it's not "IF", but "when",… you only need 1 mouseclick for disaster
  24. The goals
     - Protect the subject and his/her data
     - Protect your company data as subject data
     - Get in control (especially working with vendors)
     - Stay in control, even when something goes wrong
     - Keep up to speed, everything is moving (even law)
     - Keep improving
     - "Companies will be judged not because they were hacked, but how prepared they were and how they handled and communicated about the breach..." (Jan De Bondt)
  25. The ISO27701 auditor mindset: Looking from a different angle
  26. Why is this important?
     - Auditor vs implementer: if you know how the audit works, you know better what to implement
     - Both in the right spirit: results based, not check list based
     - Growth mindset: not perfect at first step; better done than perfect; think big, act small…
  27. The auditor view helps to…
     - The audit cycle pushes the implementation of PDCA: continuous improvement, step by step
     - Have an independent / external view
     - Keep the helicopter view, with good relation between Business, IT, DPO and Legal
  28. Compliance vs data protection: AND & OR | XOR ^ ?
  29. Compliance vs data protection
     - Mostly a religious discussion
     - Compliance does not guarantee security …but it helps
     - Complementary
     - It's about the mindset: getting results; continuous improvement; start small, grow big, step-by-step
     - It's not about the checklist but about the results
  30. ISO27001 vs security & data protection
     - Typical feedback: "Old" framework? "Too general"? "Not fit" for current evolutions?
     - Advantages: general; best practice; flexible, pluggable; universal & uniform; extremely compatible with other frameworks
  31. GDPR certification: Status anno 2020
  32. Context: Certification (GDPR & NIS), Certification (ISO27001), Cyber Act
  33. GDPR certification
     - Articles: Art. 42 - Certification; Art. 43 - Certification bodies
     - Art. 42: demonstrating compliance; voluntary (ref ISO); Board will publish register
     - Art. 43: ref to ISO17065 (accreditation); Art. 43.2 refers to ISO17021 principles (processes, procedures, mgmt, …)
  34. Why is this important?
     - ISO27001: international, standardized, mutual recognition
     - GDPR: EU Regulation, BUT… certification controlled by national DPA, accreditation bodies, + EDPB..
  35. Why is this important? (Cont'd)
     - NIS: Directive (not regulation); national law implementation required; different implementations… not consistent
     - Cyber Act: EU (only); Regulation
  36. Current status
     - GDPR certification: in progress… first consultations for tech scheme started; EDPB published guidelines… nothing more; all countries must publish certification schema to proceed… (28); no scheme planned at launch; ISO27701 could be guideline but requires adoption of certification scheme
     - Cyber Act: EU (only); Regulation; starts with scheme… existing schemes available for adoption
  37. The only option today…
     - ISO certification: ISO27001 certification, with ISO27701 extension
     - Possible risk: mismatch with national or EU scheme IF they choose different scheme (small risk)
  38. Ramping up… Relevant PECB Training courses
  39. Relevant Training
     - PIMS: PECB ISO 27701 Foundation; PECB ISO 27701 LI; PECB ISO 27701 LA
     - Information Security: PECB ISO 27001 LI; PECB ISO 27001 LA; PECB ISO 27002 LM
  40. Relevant Training
     - Data protection: PECB Certified Data Protection Officer (GDPR)
     - Privacy: PECB ISO29100 LI
  41. Other Relevant Training
     - Incident Management: PECB ISO 27035 LI
     - Risk Management: PECB ISO 27005 LI
  42. Training Agenda
     - Check the PECB agenda, select the ISO/IEC 27701 Lead Implementer: https://pecb.com/en/partnerEvent/event_schedule_list
     - Training Events: For full detailed information about an event click on the 'View' button on the right hand side under 'View full details'. Note: Before applying for any training courses listed below, please make sure you are registered to PECB
  43. Appendix
  44. Relevant Training: PECB ISO 27701
     - Foundation: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27701/iso-iec-27701-foundation
     - Lead Implementer: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27701/iso-iec-27701-lead-implementer
     - Lead Auditor: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27701/iso-iec-27701-lead-auditor
  45. Relevant Training: PECB ISO 27001 - https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27001
     - Lead Implementer: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27001/iso-iec-27001-lead-implementer
     - Lead Auditor: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27001/iso-iec-27001-lead-auditor
  46. Relevant Training: PECB ISO 27002 - https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27002
     - Lead Manager: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27002/iso-iec-27002-lead-manager
  47. Relevant Training: PECB GDPR - https://pecb.com/en/education-and-certification-for-individuals/gdpr
     - CDPO: https://pecb.com/en/education-and-certification-for-individuals/gdpr/certified-data-protection-officer
  48. Relevant Training: PECB ISO29100 - https://pecb.com/en/education-and-certification-for-individuals/iso-iec-29100-privacy-implementer
     - Lead Implementer: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-29100-privacy-implementer/iso-29100-lead-privacy-implementer
  49. Relevant Training: PECB ISO27035 - Incident Management - https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27035
     - Lead Incident Manager: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27035/iso-iec-27035-lead-incident-manager
  50. Relevant Training: PECB ISO27005 - Risk Management - https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27005
     - Lead Risk Manager: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27005/iso-27005-lead-risk-manager
  51. ISO/IEC 27701 Training Courses
     - ISO/IEC 27701 Foundation: 2 day course
     - ISO/IEC 27701 Lead Implementer: 5 day course
     - Exam and certification fees are included in the training price.
     - https://pecb.com/en/education-and-certification-for-individuals/iso-27701
     - www.pecb.com/events
  52. THANK YOU - info@cyberminute.com - CyberMinute
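Slides 10 to 15 ask for the Annex D table turned around (GDPR article -> ISO/IEC 27701 clause, sorted by GDPR article), and slide 18 gives a rule of thumb for which GDPR articles matter to an implementation (1..49, plus 83, 86, 87 and 88). The Python below is an added example, not part of the presentation and not the author's downloadable mapping: it inverts a clause-to-articles table, sorts the result by article, paragraph and point, and flags each article with the slide 18 rule. The six mapping rows are constructed placeholders that only show the shape of the data; the clause numbers and article references in them are illustrative, not the contents of Annex D.

```python
"""Build a GDPR-article-keyed checklist from an ISO/IEC 27701 Annex D style
mapping (ISO clause -> GDPR article references). Added example, not the
presentation's own tooling. Rows below are CONSTRUCTED placeholders, not the
real Annex D; replace them with the actual table before use."""
import re
from collections import defaultdict

# Constructed placeholder rows: (ISO/IEC 27701 clause, [GDPR article refs]).
# Clause numbers and article references are illustrative only.
ANNEX_D_LIKE = [
    ("7.2.1", ["5(1)(a)", "6(1)"]),
    ("7.2.2", ["6(1)", "5(1)(b)"]),
    ("7.3.2", ["13(1)", "14(1)"]),
    ("8.2.1", ["28(3)", "29"]),
    ("6.13.1.1", ["33(1)", "33(2)", "34(1)"]),
    ("8.4.2", ["5(1)(f)", "32(1)"]),
]

# Accepts "29", "33(2)" and "5(1)(a)" style references.
ARTICLE_RE = re.compile(r"^(\d+)(?:\((\d+)\))?(?:\(([a-z])\))?$")


def parse_article(ref):
    """'32(1)(b)' -> (32, 1, 'b'). Missing paragraph/point become 0 / ''
    so that tuples compare numerically rather than as strings."""
    m = ARTICLE_RE.match(ref.strip())
    if not m:
        raise ValueError(f"unrecognised GDPR article reference: {ref!r}")
    art, para, point = m.groups()
    return int(art), int(para) if para else 0, point or ""


def clause_sort_key(clause):
    """'6.13.1.1' -> (6, 13, 1, 1) so clause 7.2.1 sorts before 7.10.1."""
    return tuple(int(p) for p in clause.split("."))


def implementation_relevant(ref):
    """Slide 18 rule of thumb: articles 1..49 are implementation-facing;
    50..99 are mostly for the EU and DPAs, except Art. 83, 86, 87 and 88."""
    art = parse_article(ref)[0]
    return 1 <= art <= 49 or art in {83, 86, 87, 88}


def reverse_mapping(rows):
    """Invert clause -> [articles] into {article: [clauses]}, de-duplicated,
    with articles in numeric order and clauses in clause order."""
    inverted = defaultdict(set)
    for clause, refs in rows:
        for ref in refs:
            inverted[ref].add(clause)
    return {
        ref: sorted(inverted[ref], key=clause_sort_key)
        for ref in sorted(inverted, key=parse_article)
    }


def checklist(rows):
    """(article, implementation_relevant, [clauses]) rows, ready to print or
    write to CSV as the GDPR-side to-do list."""
    return [
        (ref, implementation_relevant(ref), clauses)
        for ref, clauses in reverse_mapping(rows).items()
    ]


if __name__ == "__main__":
    for ref, relevant, clauses in checklist(ANNEX_D_LIKE):
        flag = "impl" if relevant else "DPA "
        print(f"Art. {ref:<8} [{flag}] <- ISO/IEC 27701 {', '.join(clauses)}")
```

Feeding the real Annex D rows in (one tuple per ISO/IEC 27701 clause) gives the reverse lookup the slides ask for; the `implementation_relevant` flag is only the slide's heuristic and should be reviewed against the actual scope of the PIMS.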
