
Quick Guide to ISO/IEC 27701 - The Newest Privacy Information Standard

In this session, we have looked into the ISO/IEC 27701 standard, which was published in August 2019. This standard glues together ISO/IEC 27001, ISO/IEC 27002, ISO 29100 and their sub-standards with the GDPR.

For certification and compliance, it's important to understand these standards and regulations, as the GDPR and other legislation have heated the discussion about certification. The ISO/IEC 27701 contains important requirements and implementation guidance for implementing a PIMS (Privacy Information Management System), which will set the baseline for the future of privacy and data protection.

The webinar covers:

• Walkthrough of the ISO/IEC 27701
• Links with ISO/IEC 2700x series standards, ISO 29100 series...
• ISO/IEC 2700x and GDPR mapping
• Audit & certification

Presenter:

Our presenter for this webinar, Peter Geelen, is director and managing consultant at CyberMinute and owner of Quest For Security, Belgium. Over more than 20 years, Peter has built strong experience in enterprise security & architecture and Identity & Access management, but also in privacy, information & data protection, and cyber- and cloud security. In the last few years, the focus has been on ISO/IEC 27001 and other ISO certification mechanisms.

Peter is an accredited Lead Auditor for ISO/IEC 27001/ISO 9001, PECB Trainer and Fellow in Privacy. Committed to continuous learning, Peter holds renowned security certifications such as certified Sr. Lead Cybersecurity Manager, ISO/IEC 27001 Master, ISO/IEC 27002 Lead Manager, ISO/IEC 27701 Lead Implementer, CDPO, Risk Management, Lead Incident Manager, Disaster Recovery, and many more.

Date: December 04, 2019
The recorded webinar: https://www.youtube.com/watch?v=ilw4UmMSlU4&feature=emb_logo
-------------------------------------------------------------------------------
Find out more about ISO training and certification services
Training: https://pecb.com/whitepaper/iso-27001...
Webinars: https://pecb.com/webinars
Article: https://pecb.com/article
Whitepaper: https://pecb.com/whitepaper
-------------------------------------------------------------------------------
For more information about PECB:
Website: https://pecb.com/
LinkedIn: https://www.linkedin.com/company/pecb/
Google +: https://plus.google.com/+PECBGroup
Facebook: https://www.facebook.com/PECBInternat...
Slideshare: http://www.slideshare.net/PECBCERTIFI...


Quick Guide to ISO/IEC 27701 - The Newest Privacy Information Standard

  1. Agenda
     • Introduction
     • Setting the scene… regulations vs best practices
     • ISO27701 fundamentals (ISMS, Privacy & GDPR)
     • ISO27701 PIMS: main structure
     • Quick walkthrough of extensions
     • Next steps…
     • Q & A
  2. Introduction
  3. Peter Geelen (CyberMinute)
     My experience
     • 20+ years experience in security
     • Enterprise Security & IAM
     • Cybersecurity
     • Data Protection & Privacy
     • Incident management, Disaster Recovery
     • Trainer, coach, auditor
     Certification
     • ISO27001 Master, Lead ISO27002
     • Lead Implementer ISO27701
     • Certified DPO & Fellow In Privacy
     • Lead Incident Mgr & Disaster Recovery
     • ISO27032 Sr. Lead Cybersecurity Mgr
     • Lead ISO27005 (Risk Mgmt)
     Accreditation
     • Accredited ISO27001/9001 Lead auditor
     • Accredited Security Trainer
     More info (LinkedIn): https://cybr.cc/peter
     http://www.cyberminute.com
     peter@cyberminute.com
  4. Before we start… Setting the scene
  5. Keep in mind…
     • Best practices ≠ regulations
     • ISO Requirements vs guidelines
     • Privacy ≠ Data Protection
     • Data protection ≠ Information Security
     • PII vs Personal Data
     • International vs. Regional
  6. What I mean is…
     • Best practices ≠ regulations
       ISO = best practice, YOU choose to implement… or not.
       GDPR, NIS, Cyberact, eCommunication … = law (no choice to implement)
     • ISO Requirements vs guidelines
       Requirement = part of audit
       Guidelines = suggestions, advice to implement
  7. What I mean is…
     • Privacy ≠ Data Protection
       GDPR = data protection (NOT PRIVACY)
       Privacy = ISO29100/ISO29151
       Data of subject (aka PII Principal)
     • Data protection ≠ Information Security
       ISO27001 = Information Security
       Enterprise data
     • PII vs Personal Data
       ISO vs. GDPR vs. NIST
  8. What I mean is…
     • International vs. Regional
       ISO = International
       Regional: GDPR (EU, but …), NIST (US, but …), …
  9. Getting started: The ISO27701 fundamentals…
  10. ISO27701 builds on…
      Information security
      • ISO27001 (Info Security - Requirements)
      • ISO27002 (Info Security - Code of Practice)
      • ISO27018 (PII in public cloud)
      Privacy
      • ISO29100 (Privacy Framework) (*)
      • ISO29151 (PII Protection - Code of Practice)
      • ISO29134 (PIA)
      Data protection
      • GDPR (*)
  11. Some more help from …
      Incident management
      • ISO27035
      • NIST.SP.800-61r2 (Computer Security Incident Handling Guide) (*)
      Risk management
      • ISO27005
      • NIST Risk Management Framework (*)
      Vocabulary
      • ISO27000 (*)
      Check the free ISO downloads at: http://ffwd2.me/FreeISO
  12. How much of each?
      [Figure: diagram of the relative share of ISO27001, ISO27002, ISO27701, EU GDPR, ISO29100 and ISO29151 in the PIMS]
  13. ISO27701 PIMS: Main structure
  14. Main structure
      1-3. The ISO defaults
      4. General
      5. PIMS requirements - ISO27001
      6. PIMS requirements - ISO27002
      7. +ISO27002 guidance for PII Controllers
      8. +ISO27002 guidance for PII Processors
      Annex A-F
  15. Main structure
      A. Reference control objectives for controllers
      B. Reference control objectives for processors
      C. Mapping to ISO29100
      D. Mapping to GDPR
      E. Mapping to ISO27018 and ISO29151
      F. How to apply ISO27701 to ISO27001/2
  16. Main structure: ISO27002 = ISO27001 Annex + guidance
      Contains
      • 10 Clauses
      • + Annex
      Annex:
      — 14 control clauses
      — 35 categories
      — 114 controls / measures
  17. ISO27001 main principle: PDCA
      [Figure: Plan-Do-Check-Act cycle plotted against time, showing quality improvement and the quality assurance standard]
  18. PDCA in ISO27001 (Source: PECB ISO27001 Lead Implementer)
      • Clause 4 Context of the organization
      • Clause 5 Leadership
      • Clause 6 Planning
      • Clause 7 Support
      • Clause 8 Operation
      • Clause 9 Performance evaluation
      • Clause 10 Improvement
      • Annex A Control objectives and controls
  19. Key message in ISO27701: 5.1 General
      '/../ The requirements of ISO/IEC 27001:2013 mentioning "information security" shall be extended to the protection of privacy as potentially affected by the processing of PII.
      NOTE In practice, where "information security" is used in ISO/IEC 27001:2013, "information security and privacy" applies instead (see Annex F). /../'
  20. FYI 4.4. Customer
      = subject/enterprise in case of controller
      = controller in case of processor
      = processor in case of subprocessor
  21. ISO27701 mapping to ISO27001: 4.3 ISO27001 requirements (ISO27701 Clause 5)
      ISO27701   Topic                      ISO27001   Remark
      5.2        Context of organisation    4          Changed
      5.3        Leadership                 5          Direct
      5.4        Planning                   6          Changed
      5.5        Support                    7          Direct
      5.6        Operation                  8          Direct
      5.7        Performance evaluation     9          Direct
      5.8        Improvement                10         Direct
  22. ISO27701 mapping to ISO27002: 4.3 ISO27002 requirements (ISO27701 Clause 6)
      ISO27701   Topic                        ISO27002   Remark
      6.2        Policies                     5          Changed
      6.3        Organisation                 6          Changed
      6.4        HR                           7          Changed
      6.5        Asset Management             8          Changed
      6.6        Access Control               9          Changed
      6.7        Cryptography                 10         Changed
      6.8        Physical and environment     11         Changed
  23. ISO27701 mapping to ISO27002: 4.3 ISO27002 requirements (ISO27701 Clause 6)
      ISO27701   Topic                        ISO27002   Remark
      6.9        Operations                   12         Changed
      6.10       Communications               13         Changed
      6.11       Acquisition, Dev & mainten.  14         Changed
      6.12       Suppliers                    15         Changed
      6.13       Incident Mgmt                16         Changed
      6.14       Business Continuity          17         Direct
      6.15       Compliance                   18         Changed
  24. ISO27701: Quick walkthrough of extensions
      (*) Not all extensions covered
  25. Most prominent extensions… 5.2 Context
      Important extension of:
      • Needs and expectations of interested parties
      • Applicable legislation
      • Management system scope (InfoSec + PII)
  26. Most prominent extensions… 5.4 Risk assessment
      Important extension of:
      • Risk assessment aka PIA
      • Risk treatment
  27. Most prominent extensions… 6. PIMS in ISO27002
      Important extension of:
      • Policies (now including PII)
      • ISMS Roles (ref. CISO + now DPO)
      • Training and awareness (everyone involved in PII treatment)
      • (!) MEDIA HANDLING: ref. data breaches (GDPR); encryption, secure disposal, …
      • Identity Management (part of access control): do not re-issue userIDs; user tracking
  28. Most prominent extensions… 6. PIMS in ISO27002
      Important extension of:
      • Information Backup
      • Event logging
      • Log protection
      • System development & acquisition (see modules 7 & 8)
      • Test data: DO NOT USE PII for test data (use dummy or synthetic)
      • INCIDENT MANAGEMENT (ref. GDPR data breaches)
      • Compliance (legislation!, IP, data protection, …)
  29. Most prominent extensions… 7. Guidance for controllers
      Ref. GDPR subject rights & controller responsibility
      • Purpose definition
      • Lawful basis
      • Consent management
      • PIA
      • PII Process contracting
      • Subject rights ("PII principal"): information, object to processing, copy of PII data, request handling
  30. Most prominent extensions… 7. Guidance for controllers
      Ref. GDPR subject rights & controller responsibility
      • Privacy by design (GDPR = "data protection by design")
      • Privacy by default (GDPR = "data protection by default")
      • Data minimization principles
      • Accuracy & quality
      • De-identification & disposal
      • PII sharing, transfer & disclosure (incl. ref. to international legislation)
  31. Most prominent extensions… 8. Guidance for processors
      Ref. controller vs processor responsibility
      • Agreement (to delegate obligations)
      • Marketing & advertisement
      • Conflict of interest (or legal conflicts)
      • PbD & PbDef
      • Temporary files
      • PII transfer & disposal
      • (!) transfer between jurisdictions
      • Disclosure requests
  32. Most prominent extensions… Annex A: control objectives for controllers
      Not all of the control objectives and controls listed in this annex need to be included in the PIMS implementation.
      When excluded: explanation in SoA (Statement of Applicability).
  33. Most prominent extensions… Annex B: control objectives for processors
      Not all of the control objectives and controls listed in this annex need to be included in the PIMS implementation.
      When excluded: explanation in SoA (Statement of Applicability).
  34. Most prominent extensions… Annex A: control objectives for controllers (31)
      A.7.2 Conditions for collection and processing (8)
      A.7.3 Obligations to PII Principals (10)
      A.7.4 Privacy by design and privacy by default (9)
      A.7.5 PII sharing, transfer and disclosure (4)
  35. Most prominent extensions… Annex B: control objectives for processors (18)
      B.8.2 Conditions for collection and processing (6)
      B.8.3 Obligations to PII Principals (1)
      B.8.4 Privacy by design and privacy by default (3)
      B.8.5 PII sharing, transfer and disclosure (8)
  36. Most prominent extensions… Annex C: mapping to ISO29100
      Controllers: 11 modules (44 controls)
      Processors: 9 modules (20 controls)
  37. Most prominent extensions…
      Annex D: mapping to GDPR
      • Table on 3 pages ;)
      Annex E-F
      • ISO 27018/29151
      • How to apply (Info sec > "info sec + privacy"): standard as is; addition (additional requirements); refinement
  38. Ramping up… Relevant PECB Training courses
  39. Relevant Training
      PIMS
      • PECB ISO 27701 LI (4+1) (LA to be announced)
      Information Security
      • PECB ISO27001 LI (4+1) (+LA, 4+1)
      • PECB ISO27002 LM (4+1)
      Data protection
      • PECB Certified Data Protection Officer (4+1)
      Privacy
      • PECB ISO29100 LI (4+1)
  40. Relevant Training
      Incident Management
      • PECB ISO 27035 LI (4+1)
      Risk Management
      • PECB ISO 27005 LI (4+1)
  41. Relevant Training: Check the PECB agenda, select the ISO/IEC 27701 Lead Implementer
      https://pecb.com/en/partnerEvent/event_schedule_list
      Training Events: For full detailed information about an event click on the 'View' button on the right hand side under 'View full details'.
      Note: Before applying for any training courses listed below, please make sure you are registered to PECB.
  42. Appendix
  43. Relevant Training: PECB ISO 27701
      https://pecb.com/en/education-and-certification-for-individuals/iso-27701
      Lead Implementer: https://pecb.com/en/education-and-certification-for-individuals/iso-27701/iso-iec-27701-lead-implementer
  44. Relevant Training: PECB ISO 27001
      https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27001
      Lead Implementer: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27001/iso-iec-27001-lead-implementer
      Lead Auditor: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27001/iso-iec-27001-lead-auditor
  45. Relevant Training: PECB ISO 27002
      https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27002
      Lead Manager: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27002/iso-iec-27002-lead-manager
  46. Relevant Training: PECB GDPR
      https://pecb.com/en/education-and-certification-for-individuals/gdpr
      CDPO: https://pecb.com/en/education-and-certification-for-individuals/gdpr/certified-data-protection-officer
  47. Relevant Training: PECB ISO29100
      https://pecb.com/en/education-and-certification-for-individuals/iso-iec-29100-privacy-implementer
      Lead Implementer: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-29100-privacy-implementer/iso-29100-lead-privacy-implementer
  48. Relevant Training: PECB ISO27035 - Incident Management
      https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27035
      Lead Incident Manager: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27035/iso-iec-27035-lead-incident-manager
  49. Relevant Training: PECB ISO27005 - Risk Management
      https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27005
      Lead Risk Manager: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27005/iso-27005-lead-risk-manager
  50. ISO/IEC 27701 Training Courses
      • ISO/IEC 27701 Foundation: 2-day course
      • ISO/IEC 27701 Lead Implementer: 5-day course
      Exam and certification fees are included in the training price.
      https://pecb.com/en/education-and-certification-for-individuals/iso-27701
      www.pecb.com/events
  51. THANK YOU
      ?
      info@cyberminute.com
      CyberMinute
