This document provides an agenda and introduction for a presentation on separating and defining the roles of Chief Information Security Officer (CISO), Data Protection Officer (DPO), and Auditor.
It begins with introductions of the presenters and their relevant experience. It then discusses why role separation is important and challenges organizations may face in separating roles. It considers different CISO roles and hierarchy options and highlights recent issues in the news regarding CISOs, DPOs, and auditors.
The document outlines the basics of information security management (CISO role), data protection management and the DPO role under GDPR, and information security auditing. It discusses challenges for the DPO role under GDPR and considerations for
7. We’re used to … lots of CISO, a bit of privacy and audit
In many cases when companies think “security”,
they point to IT to manage it…
• CISO aka “security officer” securing IT operations
• Legal department for damage control
• Business… eh… does its own thing, with little concern for security
as long as everything goes well
• Security = cost, not benefit
• Privacy or “data protection” wasn’t really part of the business
driver (except for some sensitive data areas like health…)
What it was… (before GDPR)
8. Various roles and functions kicked in…
• Security manager, security officer, CSO, CISO, CDO…
• DPO, data protection manager,
• CPO, Privacy officer, privacy manager,
• Data security, privacy, data privacy, …
• Internal auditor, external auditor
• GRC, Compliance officer
• Risk manager, risk officer, …
• Legal officer, …
Since 2008 (financial crisis)…
9. Role separation is not that simple
• There is no exact prescription or guidance on how to do it in YOUR
specific situation
• Each role requires specific expertise, knowledge and experience
• The company organization, hierarchy or organigram hinders the
required role delegation
• In many cases reorganization is required to support security and
data protection implementation…
But in reality…
10. Organizing security governance is difficult, because
• … people HATE change and
• … people feel threatened (losing their job)
• … management only sees the costs (not the benefits)
• … organization is “too small”
• … conflicts of interest
• … lack of expertise and experience
• … lack of courage (to speak up, to make the change…)
But in reality…
14. Happy CISO?
Source (NL): https://www.security.nl/posting/660081/It-bedrijf+moet+schade+door+ransomware+bij+klant+grotendeels+vergoeden
(jun 2020) IT company has to largely compensate customer damage from ransomware
16. The Information security & Data protection basics
Getting started with
• Information Security management (aka CISO)
• DPO role in data protection management & GDPR
• Information security audit (both internal and external)
Today’s focus
17. The Information security & Data protection basics
CISO
• Responsible for enterprise information security management
• Focus on company obligations
• Company internal (even with CISO as a service)
DPO
• Data protection officer
• Main tasks & responsibility definition in GDPR
• Focus on data subject rights
Some definitions (1)
18. The Information security & Data protection basics
Auditor (*)
• See ISO for definition of tasks and responsibilities
• Compliance control
• Not only “policing”, but also advisory and pushing continuous improvement
• Internal Audit (company)
• External Audit (certification)
(*) Focus on Information Security audit (not financial, …)
Some definitions (2)
20. Art. 37 (1): Designation of the data protection officer
1. The controller and the processor shall designate a data protection
officer in any case where:
a) the processing is carried out by a public authority or body, except for courts acting
in their judicial capacity;
b) the core activities of the controller or the processor consist of processing
operations which, by virtue of their nature, their scope and/or their purposes, require
regular and systematic monitoring of data subjects on a large scale; or
c) the core activities of the controller or the processor consist of processing on a large
scale of special categories of data pursuant to Article 9 and personal data relating
to criminal convictions and offences referred to in Article 10.
GDPR & DPO designation requirement
21. Art. 37 (5): Designation of the data protection officer
5. The data protection officer shall be designated on the basis of professional qualities
and, in particular, expert knowledge of data protection law and practices and the ability
to fulfil the tasks referred to in Article 39.
DPO qualification
22. Art 37 (6)
“6. The data protection officer may be a staff member of the controller or processor, or
fulfil the tasks on the basis of a service contract”
DPO in hierarchy?
23. GDPR Art 39: Tasks of the data protection officer
1. The data protection officer shall have at least the following tasks:
a) to inform and advise the controller or the processor and the employees who carry out processing of their
obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions
and with the policies of the controller or processor in relation to the protection of personal data,
including
• the assignment of responsibilities,
• awareness-raising and
• training of staff involved in processing operations, and
• the related audits;
c) to provide advice where requested as regards the data protection impact assessment and monitor its
performance pursuant to Article 35;
d) to cooperate with the supervisory authority;
e) to act as the contact point for the supervisory authority on issues relating to processing, including the
prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other
matter.
2. The data protection officer shall in the performance of his or her tasks have due regard to the risk associated
with processing operations, taking into account the nature, scope, context and purposes of processing.
DPO tasks
24. What’s NOT the responsibility of the DPO?
• Organizing information security
• Organizing data protection
• Accountable for data breaches
• Risk management & risk assessment
• Implementing security/data protection/privacy by design
• …
NOT the DPO tasks
25. What qualifications you need to do the job
• Business expertise
• Know the business and your company
• Legal expertise
• Legal & regulatory insights
• Compliance
• Audit & GRC
• Data protection
• Information security
• Current state of protection, ref. State-of-the-art security techniques
The ideal DPO?
26. But also needs…
• Incident management, Business continuity, disaster recovery…
• Soft skills
• Management skills
• Project management skills
• Communication
• Education
• Authority
• Behavioral skills (handling the human bad practices …)
The ideal DPO?
27. Consider
• DPO office
• An expert for each function or task
• External support for certain tasks
• …
The ideal DPO?
28. From WP29 guidelines
• If you’re not sure you need a DPO, assign a DPO
• Involvement of DPO in all issues related to data protection
• Necessary resources (see ideal DPO)
• Acting in an independent manner
• Dismissal or penalty for performing DPO tasks
• Conflict of interests
• Data processing by DPO when executing tasks… (!)
DPO attention points
30. Pros and cons
Advantages
• Knowing the company
• Direct impact
• Connection to management
• Internal multi-discipline team support
• Availability
Disadvantages & risks
• Conflict of interest (being employee)
• Lack of authority
• Data protection vs information security
Internal DPO
31. Pros and cons
Advantages
• Authority as expert
• DPO office (knowledge coverage)
• External view
Disadvantages & risks
• Lack of knowledge on company internals
• Availability
• Accountability
• Data management & transfers (processing contract!)
External DPO
33. What’s in a name?
• SO or ISO?
• CSO or CISO?
• Information security or IT security?
What options do you have in hierarchy?
• Operational Information Security Officer (not “C”)
• Departmental CISO
• C-level security officer (CSO or CISO)
Choice of department
• Security
• Risk
• IT
• Business
• …
Power of hierarchy
34. Main position level choices
• Strategic
• C-level
• Board-level
• Upper management
• Tactical
• Department level
• Operational
• IT security
• Practical
Some options (with pro and cons)
36. Traditional approach (from business)
Source: PECB ISO27002 Lead implementer
Some options (with pro and cons)
37. Other organizational options
Source: PECB ISO27002 Lead implementer
• GRC team
• Compliance
• Risk
• CSO Office
• Security Office
• Internal Audit
• Operational security (non-IT)
• ….
Some options (with pro and cons)
38. No strict governance guidelines or rules
• Current drive for Security by design (ref ISO27001, PCI-DSS, GDPR,
ISO27701, …)
• But no GDPR or direct regulatory requirement to have CISO
• Security vs performance vs budget
• Necessary resources to do the job
• Conflict of interests
• Acting in an independent manner (?)
• Dismissal or penalty for performing CISO tasks (integrity)
• DPO (subject interests) vs CISO (company interests)
CISO attention points
40. Guidelines on DPO’s
• Guidelines on Data Protection Officers (‘DPOs’)
https://ec.europa.eu/information_society/newsroom/image/document/2016-51/wp243_en_40855.pdf?wb48617274=CD63BD9A
• WP243 Annex – FAQ
https://ec.europa.eu/information_society/newsroom/image/document/2016-51/wp243_annex_en_40856.pdf
WP29/EDPB advisory
41. Good practice advice for DP/DC
“Depending on the activities, size and structure of the organisation, it can be good practice for
controllers or processors:
• to identify the positions which would be incompatible with the function of DPO
• to draw up internal rules to this effect in order to avoid conflicts of interests
• to include a more general explanation about conflicts of interests
• to declare that their DPO has no conflict of interests with regard to its function as a DPO, as a
way of raising awareness of this requirement
• to include safeguards in the internal rules of the organisation and
• to ensure that the vacancy notice for the position of DPO or the service contract is sufficiently
precise and detailed in order to avoid a conflict of interests.
In this context, it should also be borne in mind that conflicts of interests may take various forms
depending on whether the DPO is recruited internally or externally.”
WP29/EDPB advisory
42. Segregation of duties
Do NOT combine:
• DPO + management function
You CAN combine (with due diligence):
• DPO + security operations
Attention point
43. Identify conflicts of interest
Segregation of duties vs team/company size
• When IS/DP is handled by a single/small team, a conflict of
interest will arise (by default)
• Add policy/process/procedure to maintain due diligence
Important difference (identify tasks!)
• DPO
• Management functions
• Operational security /data protection functions
Attention point
45. Goals
• Compliance check
• Keeping security in line of business
• Continuous improvement
Types of audit
• Internal
• External
What is audit about?
46. Auditor vs implementer (from previous sessions)
• If you know how the audit works, you know better what to
implement
• Both in the right spirit
• Results based,
• not check list based
• Growth mindset
• Not perfect at first step
• Better done than perfect
• Think big, act small…
Why is this important?
47.
• The audit cycle pushes the implementation of PDCA
• Continuous improvement
• Step by step
• Have an independent / external view
• Keep the helicopter view, with good relation between
• Business
• IT
• DPO
• Legal
The auditor view helps to…
48.
• Include audit considerations from the start
• Involve audit throughout the project
• Internal audit vs external audit
• External audit
• mostly end stage (before you restart the cycle)
• Certification target
• Internal audit
• Separate department
• Why not cross check? (cross-department)
• External auditor (but still under authority of data controller)
Some practical hints
49.
• Look at the external auditor as advisor
• Not a checklist dummy
• [NOT consultant ;) ]
• Watch out for conflicts of interest
• Auditor -> general advice
• Advice <> consultancy (specific, targeted advice)
• Guidelines
• ISO27006 (ISO27001 auditor guidance)
• ISO17021 (audit the auditor, general)
Some practical hints
50. ISO27006 5.2.1
Certification bodies may carry out the following duties without them being considered as
consultancy or having a potential conflict of interest:
a) arranging and participating as a lecturer in training courses, provided that, where
these courses relate to information security management, related management
systems or auditing, certification bodies shall confine themselves to the provision
of generic information and advice which is publicly available, i.e. they shall not
provide company-specific advice which contravenes the requirements of b) below;
Auditor – Conflicts of interest
51. ISO27006 5.2.1
b) making available or publishing on request information describing the certification body’s
interpretation of the requirements of the certification audit standards (see 9.1.3.6);
c) activities prior to audit, solely aimed at determining readiness for certification audit; however,
such activities shall not result in the provision of recommendations or advice that would
contravene this clause and the certification body shall be able to confirm that such activities do
not contravene these requirements and that they are not used to justify a reduction in the eventual
certification audit duration;
d) performing second and third-party audits according to standards or regulations other than those
being part of the scope of accreditation;
e) adding value during certification audits and surveillance visits, e.g. by identifying opportunities for
improvement, as they become evident during the audit, without recommending specific solutions.
The certification body shall not provide internal information security reviews of the client’s ISMS
subject to certification. Furthermore, the certification body shall be independent from the body or
bodies (including any individuals) which provide the internal ISMS audit.
Auditor – Conflicts of interest
52. ISO17021 5.2 Management of impartiality
5.2.1 Conformity assessment activities shall be undertaken impartially. The certification
body shall be responsible for the impartiality of its conformity assessment activities and
shall not allow commercial, financial or other pressures to compromise impartiality.
5.2.3 The certification body shall have a process to identify, analyse, evaluate, treat,
monitor, and document the risks related to conflict of interests arising from provision
of certification including any conflicts arising from its relationships on an ongoing
basis. Where there are any threats to impartiality, the certification body shall document
and demonstrate how it eliminates or minimizes such threats and document any
residual risk.
Auditor – Conflicts of interest
53. ISO17021 5.2 Management of impartiality
5.2.10 In order to ensure that there is no conflict of interests, personnel who have
provided management system consultancy, including those acting in a managerial
capacity, shall not be used by the certification body to take part in an audit or other
certification activities if they have been involved in management system consultancy
towards the client. A recognized mitigation of this threat is that personnel shall not
be used for a minimum of two years following the end of the consultancy.
Auditor – Conflicts of interest
54. Initial audit
• “Get in control”
• Passing the mark
• Basic maturity (ref. CMMI … level 3)
• Room for growth and maturity
Surveillance audit (1yr) + recertification (3yr)
• “Stay in control”
• Focus on improvement
• Increasing maturity
• Based on metrics and measurement…
Remember the ISO audit lifecycle…
58. Check the PECB agenda, select the ISO/IEC 27701 Lead Implementer
https://pecb.com/en/partnerEvent/event_schedule_list
Training Events
Training Agenda
59. ISO/IEC 27701
Training Courses
• ISO/IEC 27701 Foundation (2 day course)
• ISO/IEC 27701 Lead Implementer (5 day course)
Exam and certification fees are included in the training price.
https://pecb.com/en/education-and-certification-for-individuals/iso-27701
www.pecb.com/events