ISO/IEC 27701 vs GDPR: What you need to know
• Introduction
• The GDPR view of the ISO/IEC 27701
• Mapping the GDPR to-do list and the ISO27701 to-do list
• The ISO/IEC 27701 auditor mindset
• Compliance AND/OR/XOR solid data protection?
• Status of GDPR certification
• Q & A
Agenda
Introduction
Peter Geelen (CyberMinute)
• 20+ years experience in security
• Enterprise Security & IAM
• Cybersecurity
• Data Protection & Privacy
• Incident management, Disaster Recovery
• Trainer, coach, auditor
• ISO27001 Master & Lead ISO27002
• ISO27701 Lead Impl. & Lead Auditor
• Certified DPO & Fellow In Privacy
• Lead Incident Mgr & Disaster Recovery
• ISO27032 Sr. Lead Cybersecurity Mgr
• Lead ISO27005 (Risk Mgmt)
• Accredited ISO27001/9001
Lead auditor
• Accredited Security Trainer
My experience Certification Accreditation
http://www.cyberminute.com
https://ffwd2.me/pgeelen
More info (LinkedIn):
peter@cyberminute.com
Before we start…
Previous session recap
• Quick Guide to ISO/IEC 27701-The Newest Privacy Information Standard
• PECB: https://pecb.com/past-webinars/quick-guide-to-isoiec-27701-the-newest-privacy-information-standard
• Recording: https://youtu.be/ilw4UmMSlU4
• Slideshare: https://www.slideshare.net/PECBCERTIFICATION/quick-guide-to-isoiec-27701-the-newest-privacy-information-standard
• Check the past webinars on the PECB website at https://pecb.com/past-webinars
Previous session
• Best practices ≠ regulations
• ISO Requirements (ref. audit) vs guidelines
• Privacy ≠ Data Protection
• Data protection ≠ Information Security
• PII vs Personal Data
• International vs. Regional
Quick Recap
The GDPR view of the ISO/IEC 27701
Annex D: Mapping to GDPR
As initially designed
• ISO 27001 is the baseline
• + ISO 27701 on top (extra measures)
• Focus on "privacy"
GDPR flavor is …
• Ref. Annex D:
• Simply replace "privacy" with "data protection" terminology
• Extend the ISO27001 mindset to GDPR mindset
• Extended stakeholders/interested parties/external parties
• Extended requirements
The classic view
Annex D
The GDPR mapping in ISO27701
At first sight
• Nice overview, but…
• Pretty cryptic, because
• Only number mapping
To use it
• lookup article from ISO27701 (or do you know it by heart?)
• lookup in GDPR (or do you kn…? Nevermind.)
Would be handy to have
• More explicit clear naming…
• Reverse mapping (GDPR to ISO)
Using the annex
Sorting the mapping by GDPR Article to see ISO27701?
Something like…
Sorting the mapping by GDPR Article to see ISO27701?
or…
Github
• Direct download : http://ffwd2.me/ISO27701mapping
LinkedIn Page with this session's collaterals
• https://ffwd2.me/ISO27701Collaterals
• (or find it via my LinkedIn profile > articles)
Download
Mapping the GDPR and the ISO27701
To-do lists
Sorting the mapping by GDPR Article to see ISO27701
The GDPR check list in ISO27701
GDPR articles relevant to implementation
See also
• GDPR to ISO27001 mapping from ISO27001security.com
• Free
• GDPR-ISO27k mapping - ISO 27001 Security
• https://www.iso27001security.com/ISO27k_GDPR_mapping_release_1.docx
Other sources
• The practical approach of ISO gives you a kickstart
• It's NOT a 1-off, but a cycle.
• Plan…
• Do…
• Check…
• Act or Adjust…
• (and again)
• No privacy … eh data protection, without information security
• But you can have information security without data protection
Please note
GDPR articles relevant to implementation
• Mostly 1..49 (ref. Articles in ISO27701 Annex D.)
For EU and DPAs
• 50..99
Except a few articles…
- Art. 83 fines ;)
- Art. 86 Access to public documents
- Art. 87 Processing of national ID
- Art. 88 Employment context
Please note
Enterprise first
→ ISO 27001 first + extension to personal data (GDPR)
GDPR only
→ Scoping ISO27001 to GDPR only (with help from ISO27701)
GDPR - Subject facing first
How to start… some options…
IMPORTANT:
implementation is process based, it's an ISMS/PIMS,
you cannot protect GDPR data only
5.1. General
"[...] The requirements of ISO/IEC 27001:2013 mentioning "information security"
shall be extended to the protection of privacy as potentially affected by the
processing of PII.
NOTE In practice, where "information security" is used in ISO/IEC 27001:2013,
"information security and privacy" applies instead (see Annex F)."
GDPR: doesn't mention "privacy", it refers only to "data protection"
Applying the ISO27701 approach to GDPR
When applying GDPR: apply the same principle, extend "information security" to
"information security and (personal) data protection"
PIMS/GDPR implementation
Source: PECB ISO27701 Lead Auditor
• Terminology
• no "privacy", but information security and data protection
• EVERYONE on board
• Internal (employees, interims, and … contractors)
• External (customers, prospects, visitors,… subjects)
• Policies
• Communication
• information notice
• Responding to subjects
• Incident & Crisis management
• Continuous improvement
• ISO27001 : Clause 1
• GDPR: "state of the art" protection
Pay special attention to
• GDPR & ISO27701 is a combined job for
• Business
• Legal
• IT
• HR, CRM, …
• External parties…
• Required expertise for ALL these areas, for every company.
• Mind Murphy's law
• What can go wrong, will go wrong
• In cyber & GDPR: it's not "IF", but "when",…
• you only need 1 mouseclick for disaster
Pay special attention to
• Protect the subject and his/her data
• Protect your company data as subject data
• Get in control (especially working with vendors)
• Stay in control, even when something goes wrong
• Keep up to speed, everything is moving (even law)
• Keep improving
The goals
"Companies will be judged not because they were hacked,
but how prepared they were and how they handled
and communicated about the breach..."
(Jan De Bondt)
The ISO27701 auditor mindset
Looking from a different angle
Auditor vs implementer
• If you know how the audit works, you know better what to
implement
• Both in the right spirit
• Results based, not checklist based
• Growth mindset
• Not perfect at first step
• Better done than perfect
• Think big, act small…
Why is this important?
• The audit cycle pushes the implementation of PDCA
• Continuous improvement
• Step by step
• Have an independent / external view
• Keep the helicopter view, with good relation between
• Business
• IT
• DPO
• Legal
The auditor view helps to…
Compliance vs data protection
AND & OR | XOR ^ ?
• Mostly a religious discussion
• Compliance does not guarantee security
• …but it helps
• Complementary
• It's about the mindset
• Getting results
• Continuous improvement
• Start small, grow big, step-by-step
• It's not about the checklist but about the results
Compliance vs data protection
Typical feedback
• "Old" framework?
• "too general"
• "Not fit" for current evolutions?
Advantages
• General
• Best practice
• Flexible, pluggable
• Universal & uniform
• Extremely compatible with other frameworks
ISO27001 vs security & data protection
GDPR certification
Status anno 2020
Context
Certification
Certification GDPR & NIS
ISO27001
Cyber Act
Articles
• Art. 42 - Certification
• Art. 43 - Certification bodies
Art. 42
• Demonstrating compliance
• Voluntary (ref ISO)
• Board will publish register
Art. 43
• Ref to ISO17065 (accreditation)
• Art. 43.2 refers to ISO17021 principles (processes, procedures, mgmt, …)
GDPR certification
ISO27001
• International,
• Standardized
• Mutual recognition
GDPR
• EU Regulation, BUT…
• Certification controlled by
• National DPA
• Accreditation bodies
• + EDPB…
Why is this important?
NIS
• Directive (not regulation)
• National law implementation required
• Different implementations… not consistent
Cyber Act
• EU (only)
• Regulation
Why is this important? (Cont'd)
GDPR certification
• In progress… first consultations for tech scheme started
• EDPB published guidelines… nothing more
• All countries must publish a certification scheme to proceed… (28)
• No scheme planned at launch
• ISO27701 could be a guideline, but requires adoption of a certification scheme
Cyber Act
• EU (only)
• Regulation
• Starts with scheme… existing schemes available for adoption
Current status
ISO certification
• ISO27001 certification
• With ISO27701 extension
Possible risk
• Mismatch with national or EU scheme IF they choose a different scheme (small risk)
The only option today…
Ramping up…
Relevant PECB Training courses
Relevant Training
PIMS
• PECB ISO 27701 Foundation
• PECB ISO 27701 LI
• PECB ISO 27701 LA
Information Security
• PECB ISO 27001 LI
• PECB ISO 27001 LA
• PECB ISO 27002 LM
Relevant Training
Data protection
• PECB Certified Data protection Officer (GDPR)
Privacy
• PECB ISO29100 LI
Other Relevant Training
Incident Management
• PECB ISO 27035 LI
Risk Management
• PECB ISO 27005 LI
Check the PECB agenda, select the ISO/IEC 27701 Lead Implementer
https://pecb.com/en/partnerEvent/event_schedule_list
Training Events
For full detailed information about an event click on the ‘View’ button on the right hand
side under ‘View full details’.
Note: Before applying for any training courses listed below, please make sure you are
registered to PECB
Training Agenda
Appendix
Relevant Training
PECB ISO 27701 Foundation
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27701/iso-iec-27701-foundation
PECB ISO 27701 Lead Implementer
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27701/iso-iec-27701-lead-implementer
PECB ISO 27701 Lead Auditor
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27701/iso-iec-27701-lead-auditor
Relevant Training
PECB ISO 27001
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27001
Lead Implementer
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27001/iso-iec-27001-lead-implementer
Lead Auditor
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27001/iso-iec-27001-lead-auditor
Relevant Training
PECB ISO 27002
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27002
Lead Manager
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27002/iso-iec-27002-lead-manager
Relevant Training
PECB GDPR
https://pecb.com/en/education-and-certification-for-individuals/gdpr
CDPO
https://pecb.com/en/education-and-certification-for-individuals/gdpr/certified-data-protection-officer
Relevant Training
PECB ISO29100
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-29100-privacy-implementer
Lead Implementer
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-29100-privacy-implementer/iso-29100-lead-privacy-implementer
Relevant Training
PECB ISO27035 - Incident Management
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27035
Lead Incident Manager
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27035/iso-iec-27035-lead-incident-manager
Relevant Training
PECB ISO27005 - Risk Management
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27005
Lead Risk Manager
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27005/iso-27005-lead-risk-manager
ISO/IEC 27701
Training Courses
• ISO/IEC 27701 Foundation
2-day course
• ISO/IEC 27701 Lead Implementer
5-day course
Exam and certification fees are included in the training price.
https://pecb.com/en/education-and-certification-for-individuals/iso-27701
www.pecb.com/events
ISO/IEC 27701 vs GDPR: What you need to know
THANK YOU
?
info@cyberminute.com CyberMinute


Editor's Notes

  1. Vocabulary is important. To understand ISO27701 you need some background.
  2. "Companies will be judged not because they were hacked, but how prepared they were and how they handled and communicated about the breach..."
  7. Lead Auditor for ISO27001 ISO27701 (to be launched)
  10. (ISO/IEC 27701 Lead Auditor will be published soon)