This document discusses how implementing the ISO 27001 standard for information security management can help organizations comply with the EU General Data Protection Regulation (GDPR). ISO 27001 provides a framework to identify and protect personal data, conduct risk assessments, manage incidents, control assets and supplier relationships, and incorporate security practices into system development. Following ISO 27001 helps cover many of the technical and organizational compliance requirements of GDPR in a consistent manner. The document outlines specific controls and processes within ISO 27001 that align with and support compliance with GDPR.
2. Assentian
• A London-based cyber security practice
• Certified Information Security Auditors
• Certified ISO 27001 Implementers
• Members of the UK Cyber Security Forum
• Dr Ilesh Dattani – Member of the International Standards
Committees on
– Governance and Resilience (information security and business
continuity)
– Big Data – storage, access, use and sharing in a legal and
compliant way
• Mr Jonathan Gay – CISA (Certified Information Systems Auditor)
3. The changing face of Data Privacy and Information
Security
Traditional View
The domain of the system administrator
The task was purchasing a firewall
Implementing security controls was optional
Modern View
The domain of the business owner
The task is finding out what is AT RISK and selecting the right controls for it
Business and security cannot be separated
The security team consists of top management, IT managers and a dedicated
Information Security Manager/DPO
Plan-Do-Check-Act (PDCA) model
Integration of quality management systems (ISO standards, CMMI, etc.) with information security management
4. Why is this important
More and more dependence on information systems
Need for a long-term, failure-proof system for securing
every form of information asset
Theft of information can have disastrous results for
companies
Projects are awarded to companies who have a sound
system to protect information
Laws such as HIPAA (US) and GDPR (EU) have set the
benchmark for protecting information against theft and
tampering
5. Type of Information
Information can be:
created
stored
used
transmitted
destroyed
Categories – Personal, Financial,
Operational, Client
Information format
Paper
Databases
Disk(ette)s
CD-ROMs
Tapes
(Design) drawings
Films
Conversations
…
6. Business Requirements for Information Security and
Data Protection
• Commercial requirements
• Legal requirements
• What is information security?
• Basic components
• Managing information
boundaries
• Sharing information with
partners
• Holistic approach
7. Components of Information Security
Confidentiality
Ensuring that information is accessible only to
those authorised to have access.
Integrity
Safeguarding the accuracy and
completeness of information
and processing methods.
Availability
Ensuring that authorised
users have access to
information and associated
assets when required.
9. Managing Information Boundaries
Intranet connections to other
business units,
Extranets to business partners,
Remote connections to staff working
off-site,
Virtual Private Networks (VPNs),
Customer networks,
Supplier chains,
Service Level Agreements,
contracts, outsourcing arrangements,
Third Party access.
10. Sharing Information
Types of information covered by an information security
management system
Internal - information that you would not want your
competitors to know.
Customer / client / supplier - information that they would
not wish you to divulge.
Information that needs to be shared with other trading
partners.
(This may be one of the above, but may also be specific
information that would not otherwise exist in this
particular form)
11. It is an International Standard for Information Security
Management
It consists of a specification for an information security
management system (ISMS) and a
code of practice for information security management
Basis for contractual relationships
Basis for third-party certification
Can be certified by accredited certification bodies
Applicable to all industry sectors
Emphasis on prevention
12. Five Mandatory requirements of the
standard
Section 4 – General and Documentation
requirements
- General requirements
- Establishing and maintaining an ISMS
- Documentation Requirements
“The Organization shall develop, implement,
maintain and continually improve a
documented ISMS within the context of the
organisations overall business activities and
risk. For the purposes of this standard the
process used is based on PDCA model…”
15. Important Areas of Concern
ISO27001 (control areas, with their Annex A section numbers in the 2005 edition of the standard)
Security policy (5)
Organization of information security (6)
Asset management (7)
Human resources security (8)
Physical and environmental security (9)
Communications and operations management (10)
Access control (11)
Information systems acquisition, development and
maintenance (12)
Information security incident management (13)
Business continuity management (14)
Compliance (15)
16. Asset Management - Data
Objective:
Responsibility for assets
Information classification
Covers:
Inventory of assets
Ownership of assets
Acceptable use of assets
Classification guidelines
Information labelling and handling
17. Third-Party Relationships
• Under GDPR an organisation is required
to manage the compliance of any suppliers that
process personal data on its behalf – what does that mean?
– You must verify (for example by audit) that the supplier
meets the requirements within the context of the
service it is providing
– If you are providing a service to a client and part
of that is sub-contracted, you carry the
liability and risk of non-compliance on the part of
the sub-contractor
18. Information Asset Classification
Sr | Asset Category  | Classification
1  | Paper Assets    | Client Confidential
2  | Electronic Data | Company Confidential
3  | Hardware        | Commercial in Confidence
4  | Software        | Restricted
5  | People          | Critical & Non-Critical
19. Compliance
Objective
Compliance with legal requirements
Compliance with security policies and standards, and technical compliance
Information Systems audit considerations
Covers:
Identification of applicable legislation
Intellectual property rights (IPR)
Protection of organizational records
Data protection and privacy of personal information
Prevention of misuse of information processing facilities
Regulation of cryptographic controls
Compliance with security policies and standards
Technical compliance checking
Information systems audit controls
Protection of information system audit tools
22. How does ISO 27001 Help
• ISO 27001 is a framework for information protection.
• Under GDPR, personal data is critical information
that all organizations need to protect.
• GDPR goes beyond ISO 27001 in supporting the rights of
data subjects: the right to be informed, the right to have their
data deleted, and the right to data portability.
• But if the implementation of ISO 27001 identifies
personal data as an information security asset, most of
the EU GDPR requirements will be covered.
23. ISO27001 and GDPR
• Risk Assessment – Because of the high fines defined in EU GDPR and their major financial impact
on organizations, any risk to personal data identified during the risk assessment will be
too high to leave untreated. On the other side, one of the new requirements of the EU
GDPR is the Data Protection Impact Assessment (DPIA), under which companies must
first analyze the risks to data subjects' privacy, just as ISO 27001 requires a risk analysis. ISO 27001
does not prescribe a classification level for personal data, but control A.8.2.1 (Classification of
information) states: "Information should be classified in terms of legal
requirements, value, criticality and sensitivity to unauthorized disclosure or modification."
Applying that control, personal data will normally be classified as high criticality.
24. ISO 27001 and GDPR
• Compliance – Under ISO 27001 control A.18.1.1
(Identification of applicable legislation and contractual requirements), it is
mandatory to maintain a list of relevant legislative, statutory, regulatory, and
contractual requirements. If the organization needs to be compliant with EU GDPR
(see section above), this regulation will have to be part of that list. In any case,
even if the organization is not covered by the EU GDPR, control A.18.1.4 (Privacy
and protection of personally identifiable information) of ISO 27001 guides
organizations through the implementation of a data protection policy and the protection of
personally identifiable information.
25. ISO 27001 and GDPR
• Breach notification – Companies will have to notify the supervisory authority without undue delay and, where
feasible, within 72 hours of becoming aware of a breach of personal data. The implementation of ISO 27001
control A.16.1 (Management of information security incidents and improvements) will ensure "a consistent
and effective approach to the management of information security incidents, including communication on
security events." Under EU GDPR, data subjects ("The Data Subject is a living individual to whom personal data
relates.") will also have to be notified, but only if the breach is likely to result in a "high risk to the rights
and freedoms" of those individuals. Incident management that results in the detection and reporting
of personal data incidents therefore directly supports an organization wishing to conform to GDPR.
26. ISO 27001 and GDPR
• Asset Management – ISO 27001 control
A.8 (Asset Management) leads to the
inclusion of personal data as an information
security asset and allows organizations
to understand what personal data is
involved, where it is stored, for how long,
what its origin is, and who has access,
all of which are requirements of EU GDPR.
27. ISO 27001 and GDPR
• Privacy by Design – The adoption of
Privacy by Design, another EU GDPR
requirement, becomes mandatory in the
development of products and systems.
ISO 27001 control A.14 (System
acquisition, development and
maintenance) ensures that "information
security is an integral part of information
systems across the entire lifecycle."
28. ISO 27001 and GDPR
• Supplier Relationships – ISO 27001 control
A.15.1 (Information security in supplier
relationships) requires the "protection of the
organization's assets that are accessible by
suppliers." Under GDPR, where the
organization delegates the processing or
storage of personal data to suppliers (processors),
it must bind them to the requirements of the
regulation through formal agreements (the
processor contract required by Article 28).
29. ISO 27001 and GDPR
• Gap Analysis – Conduct an EU GDPR gap analysis to
determine what remains to be done to
meet the EU GDPR requirements; the
missing requirements can then be
added through the Information Security
Management System that is already established by
ISO 27001.
30. ISO 27001 and GDPR
• From the ISO 27000 family, ISO/IEC 27018
should also be consulted (Code of practice for
protection of personally identifiable information
(PII) in public clouds acting as PII processors) if
the organization stores/processes personal
data in the cloud. See the article ISO 27001 vs.
ISO 27018 – Standard for protecting privacy in
the cloud to learn more.
31. Compliance Service Offers
• ISO 27001 Management – Oversee Compliance Process
– Implementation and Certification
• Full ISO 27001 Compliance Service
• ISO 27001 Audit
• GDPR Gap Analysis
• ISO 27001 Default Procedures and Processes –
Advisory Services in implementation
• ISO 27001 and GDPR Training and Awareness