
Privacy Trends: Key practical steps on ISO/IEC 27701:2019 implementation

In this session, we will go through the key practical implementation steps of ISO/IEC 27701 and ISO/IEC 27001 and how they can help you to be compliant with the GDPR.

Our presenters, Peter Geelen and Stefan Mathuvis, will guide you through the implementer tasks with practical hints and tips and show you how an auditor will look at your implementation, searching for evidence and compliance.
In addition, we will match the ISO/IEC 27001 and ISO/IEC 27701 requirements to the GDPR obligations as completely as possible.
The topics run from executive management to privacy policies, handling notifications, setting up awareness programs, controlling user access requests, vendor management, incident management (data breaches) and continuous updates.

The webinar will cover:
• Quick recap on general ISO components and approach
• Implementing ISO/IEC 27001 with the ISO/IEC 27701 extension for GDPR compliance
• Dos and don'ts for implementation and audit
• The importance of evidence in the audit
• Managing audit expectations and the never-ending audit cycle

Recorded webinar: https://youtu.be/HL-VUiCj4Ew


1. Agenda
  • Introduction
  • Before we start…
  • ISO27001 implementation vs audit
  • ISMS vs PIMS, in practice
  • The implementer view
  • The auditor view
  • Q & A

2. Introduction

3. Peter Geelen (CyberMinute)
  My experience
  • 20+ years experience in security
  • Enterprise Security & IAM
  • Cybersecurity
  • Data Protection & Privacy
  • Incident management, Disaster Recovery
  • Trainer, coach, auditor
  Certification
  • ISO27001 Master & Lead ISO27002
  • ISO27701 Lead Impl. & Lead Auditor
  • Certified DPO & Fellow In Privacy
  • Lead Incident Mgr & Disaster Recovery
  • ISO27032 Sr. Lead Cybersecurity Mgr
  • Lead ISO27005 (Risk Mgmt)
  Accreditation
  • Accredited ISO27001/9001 Lead auditor
  • Accredited Security Trainer
  More info: http://www.cyberminute.com | LinkedIn: https://ffwd2.me/pgeelen | peter@cyberminute.com

4. Stefan Mathuvis (QMA)
  My experience
  • 20 years experience in security
  • Quality Management
  • Quality Auditor
  • Cybersecurity
  • Security, Data Protection & Privacy
  • Trainer, coach, auditor
  Certification
  • ISO27001 Lead Auditor
  • ISO9001 Lead Auditor
  • Lead auditor ESD & GDP Pharma
  • Lead auditor GQS
  • CDPO
  • Master trainer DGQ
  Accreditation
  • Accredited ISO27001 lead auditor
  • Accredited 9001 Lead auditor
  More info: http://www.qma.be | LinkedIn: https://ffwd2.me/stefan | stefan@qma.be
5. Before we start… Previous session recap

6. Recap: Previous sessions
  • Quick Guide to ISO/IEC 27701 - The Newest Privacy Information Standard
    • PECB: https://pecb.com/past-webinars/quick-guide-to-isoiec-27701-the-newest-privacy-information-standard
    • Recording: https://youtu.be/ilw4UmMSlU4
    • Slideshare: https://www.slideshare.net/PECBCERTIFICATION/quick-guide-to-isoiec-27701-the-newest-privacy-information-standard
  • ISO/IEC 27701 vs GDPR - What you need to know
    • PECB: https://pecb.com/past-webinars/isoiec-27701-vs-gdpr-what-you-need-to-know
    • Recording: https://www.youtube.com/watch?v=P80So3ryvJ8
    • Slideshare: https://www.slideshare.net/PECBCERTIFICATION/isoiec-27701-vs-gdpr-what-you-need-to-know
  For other webinars, see: https://pecb.com/en/webinars

7. Recap: ISO27001 structure
  • Remember ISO27001
  • ISMS, Information Security (Management System)
  • 10 Clauses
  • 114 controls
  • Based on PDCA

8. ISO27001 main principle: PDCA
  (figure: the Plan, Do, Check, Act cycle, drawn as quality improvement over time against the quality assurance standard)

9. Did you know…
  (figure; source: ISO9001-2015)

10. PDCA in ISO27001
  (figure; source: PECB ISO27001 Lead Implementer)
  • Clause 4 Context of the organization
  • Clause 5 Leadership
  • Clause 6 Planning
  • Clause 7 Support
  • Clause 8 Operation
  • Clause 9 Performance evaluation
  • Clause 10 Improvement
  • Annex A - Control objectives and controls

11. ISO27701 (PIMS)
  Extension to ISO27001 (ISMS)
  • Information security Management system
  • + Extension to privacy
  • + interpretation for GDPR
  = PIMS (Privacy Information Management system)

12. For this session… Naming convention
  To avoid any confusion:
  • ISMS refers to ISO27001
  • PIMS refers to ISO27701 (on top of ISO27001)
13. ISMS implementation vs audit: Opposite or complementary?

14. The ISO audit lifecycle…
  Officially starts with external audit but…
  • You can use the audit techniques during initial implementation
  • Implement pre-stage audit
  • Internal audit is needed (official requirement)
  • System must have sufficient track record before initial audit
  After initial audit
  • Yearly surveillance
  • 3 year cycle to renewal
  • Continuous maintenance (also for internal audit)
  • Continuous improvement

15. The ISO audit lifecycle…
  Initial audit
  • "Get in control"
  • Passing the mark
  • Basic maturity (ref. CMMI … level 3)
  • Room for growth and maturity
  Surveillance audit (+ recertification)
  • "Stay in control"
  • Focus on improvement
  • Increasing maturity
  • Based on metrics and measurement…

16. The implementation lifecycle…
  Starts long before the external audit
  • To use the audit techniques during initial implementation
  • Pre-stage audit
  • Internal audit needed (official requirement)
  Doesn't stop after initial external audit
  • Maintenance

17. Hints and tips
  When starting in ISMS implementation
  • It takes time to adapt business processes to ISO approach
  • Focus on evidence:
    • Not only documentation,
    • but also operational results that can be tracked
    • People that know how ISMS plugs in to their work
  Audit
  • Not just a check list, but focus on results
  • Based on evidence (double evidence)
  • Advisory function (but not consulting)
18. ISMS to PIMS, in practice. Getting the mind shift right…

19. Fundamental change in approach
  When shifting from ISMS to PIMS
  • It's no more about "enterprise only" data
  • It's ALSO about "personal data"
  • On top of it…
  Meaning, you're in the lead with enterprise data, in ISMS. The subject is in the lead when handling personal data… in PIMS (Strong legislation giving power to subject.)

20. Fundamental change in mindset & environment
  (figure: ISMS vs PIMS)

21. The implementer/audit view of PIMS: Recap from previous sessions.

22. Why is this important? Auditor vs implementer
  • If you know how the audit works, you know better what to implement
  • Both in the right spirit
    • Results based, not check list based
    • Growth mindset
    • Not perfect at first step
    • Better done than perfect
    • Think big, act small…

23. The auditor view helps to…
  • The audit cycle pushes the implementation of PDCA
    • Continuous improvement
    • Step by step
  • Have an independent / external view
  • Keep the helicopter view, with good relation between
    • Business
    • IT
    • DPO
    • Legal

24. Some practical hints
  • Include audit considerations from the start
  • Involve audit throughout the project
  • Internal audit vs external audit
    • External audit
      • mostly end stage (before you restart the cycle)
      • Certification target
    • Internal audit
      • Separate department
      • Why not cross check? (cross-department)
      • External auditor (but still under authority of data controller)

25. Some practical hints
  • Look at the external auditor as advisor
    • Not a checklist dummy
    • [NOT consultant ;) ]
  • Find the right auditor for you, YOU choose
    • Experience, expertise
    • Right mindset (continuous improvement)
  • Focus on getting results
    • CMMI: 1… 2… 3… 4… 5…

26. Recap: ISO27701 mapping to ISO27001
  4.3 ISO27001 requirements (ISO27701 Clause 5)
  ISO27701 topic → ISO27001 clause (remark)
  • 5.2 Context of organisation → 4 (Changed)
  • 5.3 Leadership → 5 (Direct)
  • 5.4 Planning → 6 (Changed)
  • 5.5 Support → 7 (Direct)
  • 5.6 Operation → 8 (Direct)
  • 5.7 Performance evaluation → 9 (Direct)
  • 5.8 Improvement → 10 (Direct)

27. Recap: ISO27701 mapping to ISO27001
  4.3 ISO27002 requirements (ISO27701 Clause 6)
  ISO27701 topic → ISO27002 clause (remark)
  • 6.2 Policies → 5 (Changed)
  • 6.3 Organisation → 6 (Changed)
  • 6.4 HR → 7 (Changed)
  • 6.5 Asset Management → 8 (Changed)
  • 6.6 Access Control → 9 (Changed)
  • 6.7 Cryptography → 10 (Changed)
  • 6.8 Physical and environment → 11 (Changed)

28. Recap: ISO27701 mapping to ISO27001
  4.3 ISO27002 requirements (ISO27701 Clause 6)
  ISO27701 topic → ISO27002 clause (remark)
  • 6.9 Operations → 12 (Changed)
  • 6.10 Communications → 13 (Changed)
  • 6.11 Acquisition, Dev & mainten. → 14 (Changed)
  • 6.12 Suppliers → 15 (Changed)
  • 6.13 Incident Mgmt → 16 (Changed)
  • 6.14 Business Continuity → 17 (Direct)
  • 6.15 Compliance → 18 (Changed)
29. The implementer view of ISO27701. Quick tour: special attention

30. PIMS 5.2 / ISMS 4 (Context) [Implementer]
  Interested parties
  • ISMS: Mainly enterprise, contractual, customers, … bit of employee
  • PIMS: strong focus on subject data, in any type
  Different approach
  • High impact regulation
  • Worldwide
  • Very powerful individual
  • Define goal, vision, mission & strategy
  • Documentation!

31. PIMS 5.3 / ISMS 5 (Leadership) [Implementer]
  Interested parties
  • ISMS: vision, commitment, policy, RACI, …
  • PIMS: accountability (ref. GDPR)
  Make sure to
  • Organize regular management meetings
  • Plan agenda, take notes, …
  • Register decisions taken
  • Plan communication, incl. all interested parties (incl. external)
  • Make sure mgmt. takes responsibility.
  • Make them accountable, …

32. PIMS 5.4 / ISMS 6 (Planning) [Implementer]
  EXTREMELY IMPORTANT
  • ISMS: risk management is CORE requirement
  • PIMS: PIA, DPIA (GDPR)
  You must
  • Have a risk register
  • Setup risk management system (not the software, but the process)
  • Maintain risk management
  HINT: how to assess risk in EXISTING environment? (New processes, update of existing processes and regular basis)

33. PIMS 5.5 / ISMS 7 (Support) [Implementer]
  ISMS = PIMS, you must have
  • Resources
  • Competence
  • Awareness, communication & education
  • Documentation
  You need
  • Budget
  • People
  • Time

34. Other clauses [Implementer]
  PIMS 5.6/5.7/5.8 = ISMS 8/9/10
  • Operations
  • Performance
  • Improvement
  You need
  • Operations: Info security / Data protection / Privacy in your DNA
  • Performance: plan for metrics and measure (CMMI 4)
  • Improvement: CONTINUOUSLY

35. PIMS 6 / ISMS Annex
  Policies
  • ISMS: ISO27002 (114 controls + …)
  • PIMS: ISO27002 + ISO27701
  • ISMS prefix "A" = ISO27002
  • Measures
  • Controls
  • For security we need PPT = people, process & technology

36. PIMS 6.2 / ISMS A5 [Implementer]
  Policies
  • ISMS: ISO27002 (114 controls + …)
  • PIMS: ISO27002 + ISO27701 …
  Tasks
  • Setup policies / documentation
  • Approve policies
  • Execute policies
  • Update policies on a regular basis

37. PIMS 6.3 / ISMS A6 (IS Org.) [Implementer]
  ISMS role → PIMS role → serving
  • Management Team → idem → Enterprise
  • Risk Management Team → idem → Enterprise
  • Enterprise Info Sec team → idem → Enterprise
  • IT operations team → idem → Enterprise
  • Business → idem → Enterprise
  • Legal support → idem → Enterprise
  • (no ISMS equivalent) → DPO or similar → Subject

38. PIMS 6.4 / ISMS A7 (HR) [General]
  Info
  • PIMS: privacy & data protection in
    • contracting
    • awareness.
  Special attention to
  • Reference of data protection in contracting
  • People are lazy (maintain awareness)
  • Training
  IMPORTANT: everyone must be onboard to protect personal data!

39. PIMS 6.5 / ISMS A8 (Asset Mgmt) [Implementer]
  Make sure to implement
  • Asset inventory / CMDB
    • Not only HW
    • Also processes
    • People & knowledge
  Special attention to
  • Classification

40. PIMS 6.5 / ISMS A8 (Asset Mgmt) [Implementer]
  ISMS labels (category: non-PII/GDPR), serving the Enterprise:
  • 0 - Public
  • 1 - Internal
  • 2 - Strict internal
  • 3 - Critical
  • (4 - Secret)
  PIMS labels, serving the Subject:
  • PII
  • Sensitive PII

41. PIMS 6.6 / ISMS A9 (Access ctrl.) [Implementer]
  Must have
  • Access control policy
  • User (de)registration
  Special attention to
  • PIMS: identity management
  • PIMS EXPLICIT: DO NOT RE-USE user IDs

42. PIMS 6.7 / ISMS A10 (Crypto) [General]
  Contains
  • Crypto policy
  • Special attention to PII treatment
  Special attention to
  • Subject information about crypto in website, HR, registration systems, storage, backup, …
  • Disposal of data!
  • Evolution of technology in crypto!

43. PIMS 6.8 / ISMS A11 (Physical Sec.) [Implementer]
  Must have
  • Physical security
  • Security perimeters
  • Layered security
  Special attention to
  • Core protection, starts with physical
  • Layered security like
    • Street, outside, perimeter,
    • public zone, internal zone, restricted zone, high protection core, …
  • Define: "who can do what and where (and when)"

44. PIMS 6.9 / ISMS A12 (Operations) [Implementer]
  Special attention to (see previous sessions on PIMS)
  • Backup
  • Event logging
  • Log protection
  Do what you say, say what you do, … and prove it

45. PIMS 6.10 / ISMS A13 (Comm.) [General]
  Make sure to have
  • Information transfer policy
  • Vendor / 3rd party / Data processor policy
  Special attention to
  • Vendor/processor
    • Confidentiality
    • NDA
    • Incident reporting & feedback

46. PIMS 6.11 / ISMS A14 (Build or buy) [Implementer]
  Contains
  • Development policies
  • SW acquisition requirements
  Special attention to
  • Own responsibility
  • Vendor/processor responsibility
  • Sec/DP/Privacy by design
  • Sec/DP/Privacy by default
  PIMS explicit: no PII for testing purposes!

47. PIMS 6.12 / ISMS A15 (Supplier) [Implementer]
  Important
  • Compensate for lack of physical control
  • Legal control
  • PIMS: High risk!
  Special attention to
  • Policy
  • Contracts
  • Expert legal support
  • Right to audit!

48. PIMS 6.13 / ISMS A16 (Incident) [Implementer]
  Important
  • Incident register
  • Incident = failure of system (opportunity for improvement)
  • PIMS: High risk for data breaches!
  Special attention to
  • Policy
  • Tracking & improvement
  • Escalation tracks
  • Exercise, exercise!

49. PIMS 6.14 / ISMS A17 (BCM) [Implementer]
  Important
  • Maintaining data protection & privacy during disaster
  • BCM vs DRP
  Special attention to
  • Exercise
  • Testing
  • Vendors

50. PIMS 6.15 / ISMS A18 (Compliance) [General]
  Pay attention to
  • Legislation
  • Contract obligations
  • Company responsibility (protect yourself)
  • Subject rights
  Evidence
  • Anything we discussed today…
51. The audit view of ISO27701: Focus on evidence

52. PIMS 5.2 / ISMS 4 (Context) [Auditor]
  Interested parties
  • ISMS: documentation on business model, mission, vision, …
  • PIMS: ISMS documentation, privacy notices, …
  • Type of community
  What evidence to find?
  • Mission/Vision
  • Community
  • Business model, processes, type of data
  • Talking to business & customer dept.

53. PIMS 5.3 / ISMS 5 (Leadership) [Auditor]
  Interested parties
  • ISMS: documentation on business model, mission, vision, …
  • PIMS: ISMS documentation, privacy notices, …
  • Type of community
  How to audit?
  • Management meetings, agenda, notes, …
  • Decisions taken
  • Communication
  • Approvals & signature of policies, …

54. PIMS 5.4 / ISMS 6 (Planning) [Auditor]
  Look for
  • ISMS = Risk management
  • PIMS = Risk management + PIA/DPIA
  Evidence
  • Risk sources: incident register, incident reporting
  • Track solution of incident
  • Data breach reporting (confirmed incidents)
  • Risk register (setup, up to date, ownership, RACI, …)

55. PIMS 5.5 / ISMS 7 (Support) [Auditor]
  ISMS = PIMS
  • Check for management support
  • Check for education plan
  • Check for awareness
  Evidence
  • Interview
  • Management planning
  • Education, awareness & communication

56. Other clauses [Auditor]
  PIMS 5.6/5.7/5.8 = ISMS 8/9/10
  • Operations
  • Performance
  • Improvement
  Evidence
  • Operations: processes, procedures, … on the floor
  • Performance: Find the metrics
  • Improvement: internal audit, new projects, updates, …

57. PIMS 6.2 / ISMS A5 [Auditor]
  To check
  • Policies
  • SOA
  Evidence
  • Setup policies / documentation
  • Approval of policies
  • Execution of policies
  • Updates

58. PIMS 6.3 / ISMS A6 [Auditor]
  Check for
  • Organigram
  • Company organisation
  • RACI
  • Segregation of duties
  Evidence
  • Roles & responsibilities description
  • Function description incl. ISMS/PIMS tasks
  • People IN/OUT

59. PIMS 6.4 / ISMS A7 (HR) [General]
  Info
  • PIMS: privacy & data protection in
    • contracting
    • awareness.
  Special attention to
  • Reference of data protection in contracting
  • People are lazy (maintain awareness)
  • Training
  IMPORTANT: everyone must be onboard to protect personal data!

60. PIMS 6.6 / ISMS A9 (Access ctrl.) [Auditor]
  Pay attention to
  • HR IN/OUT vs. IT IN/OUT
  Evidence
  • HR
  • IT security
    • Privileged account management
    • General accounts
    • In/out events
    • Regular reviews (x times / yr)

61. PIMS 6.7 / ISMS A10 (Crypto) [General]
  Contains
  • Crypto policy
  • Special attention to PII treatment
  Special attention to
  • Subject information about crypto in website, HR, registration systems, storage, backup, …
  • Disposal of data!

62. PIMS 6.8 / ISMS A11 (Physical) [Auditor]
  Pay attention to
  • Building
  • Locations
  • Entry
  • Zones
  • Equipment, cabling
  • 3rd party (!)
  Evidence
  • On site visit

63. PIMS 6.9 / ISMS A12 (Operations) [Auditor]
  Pay attention to
  • Tracing of ISMS/PIMS on the floor
  • People
  Evidence
  • Logs
  • Processes & procedures
  • Time stamps
  • Ownership
  • Meeting minutes
  • Documentation
  • …

64. PIMS 6.10 / ISMS A13 (Communic.) [General]
  Make sure to have
  • Information transfer policy
  • Vendor / 3rd party / Data processor policy
  Special attention to
  • Vendor/processor
    • Confidentiality
    • NDA
    • Incident reporting & feedback

65. PIMS 6.11 / ISMS A14 (Build or buy) [Auditor]
  Pay attention to
  • PIMS Annex A.7.4 (controller)
  • PIMS Annex B.8.4 (processor)
  Evidence
  • Agreements
  • Acquisition procedures
  • Development policies & processes

66. PIMS 6.12 / ISMS A15 (Supplier) [Auditor]
  Pay attention to
  • Supplier policies
  • Vendor relations
  • Vendor contracts
  Evidence
  • Vendor negotiations
  • Vendor contracts
  • Vendor audits
  • 3rd party audit reports
  • Vendor tracking/invoicing
  • Vendor management updates

67. PIMS 6.13 / ISMS A16 (Incident) [Auditor]
  Pay attention to
  • Incident management policy
  • Incident register
  • Data breach register
  • Data breach notifications
  Evidence
  • Policy meta data (owner, updates, …)
  • Incident management procedure
  • Data breach reporting
  • DPA communications, …

68. PIMS 6.14 / ISMS A17 (BCM) [Auditor]
  Pay attention to
  • Maintaining data protection & privacy during disaster
  • BCM vs DRP
  Evidence
  • BCM planning
  • DRP plan
  • Test plans
  • Exercises
  • Awareness, training & communication

69. PIMS 6.15 / ISMS A18 (Compliance) [General]
  Pay attention to
  • Legislation
  • Contract obligations
  • Company responsibility (protect yourself)
  • Subject rights
  Evidence
  • Anything we discussed today…
70. And last but not least… Never done

71. PDCA… Continuous improvement. Start over again… See you at the next cycle…

72. Q & A: Questions & answers

73. Appendix

74. Ramping up… Relevant PECB Training courses

75. PECB Training Agenda
  Check the PECB agenda and select the ISO/IEC 27701 Lead Implementer training events: https://pecb.com/en/partnerEvent/event_schedule_list
  For full detailed information about an event, click on the 'View' button on the right hand side under 'View full details'.
  Note: Before applying for any training courses listed below, please make sure you are registered to PECB.

76. Relevant Training: PECB ISO 27701
  • Foundation: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27701/iso-iec-27701-foundation
  • Lead Implementer: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27701/iso-iec-27701-lead-implementer
  • Lead Auditor: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27701/iso-iec-27701-lead-auditor

77. Relevant Training: PECB ISO 27001
  https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27001
  • Lead Implementer: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27001/iso-iec-27001-lead-implementer
  • Lead Auditor: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27001/iso-iec-27001-lead-auditor

78. Relevant Training: PECB ISO 27002
  https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27002
  • Lead Manager: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27002/iso-iec-27002-lead-manager

79. Relevant Training: PECB GDPR
  https://pecb.com/en/education-and-certification-for-individuals/gdpr
  • CDPO: https://pecb.com/en/education-and-certification-for-individuals/gdpr/certified-data-protection-officer

80. Relevant Training: PECB ISO29100
  https://pecb.com/en/education-and-certification-for-individuals/iso-iec-29100-privacy-implementer
  • Lead Implementer: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-29100-privacy-implementer/iso-29100-lead-privacy-implementer

81. Relevant Training: PECB ISO27035 - Incident Management
  https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27035
  • Lead Incident Manager: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27035/iso-iec-27035-lead-incident-manager

82. Relevant Training: PECB ISO27005 - Risk Management
  https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27005
  • Lead Risk Manager: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27005/iso-27005-lead-risk-manager

83. ISO/IEC 27701 Training Courses
  • ISO/IEC 27701 Foundation: 2-day course
  • ISO/IEC 27701 Lead Implementer: 5-day course
  Exam and certification fees are included in the training price.
  https://pecb.com/en/education-and-certification-for-individuals/iso-27701
  www.pecb.com/events

84. THANK YOU
  CyberMinute: info@cyberminute.com
  Stefan Mathuvis: stefan@qma.be
