Agenda
• Introduction
• Why role separation?
• From the news…
• Considering the CISO, DPO & Auditor roles
• Combining CISO and DPO
• Q & A
Introduction
Peter Geelen (CyberMinute)
My experience
• 20+ years experience in security
• Enterprise Security & IAM
• Cybersecurity
• Data Protection & Privacy
• Incident management, Disaster Recovery
• Trainer, coach, auditor
Certification
• ISO27001 Master & Lead ISO27002
• ISO27701 Lead Impl. & Lead Auditor
• Certified DPO & Fellow In Privacy
• Lead Incident Mgr & Disaster Recovery
• ISO27032 Sr. Lead Cybersecurity Mgr
• Lead ISO27005 (Risk Mgmt)
Accreditation
• Accredited ISO27001/9001 Lead auditor
• Accredited Security Trainer
More info (LinkedIn): https://ffwd2.me/pgeelen
http://www.cyberminute.com
peter@cyberminute.com
Stefan Mathuvis (QMA)
My experience
• 20 years experience in security
• Quality Management
• Quality Auditor
• Cybersecurity
• Security, Data Protection & Privacy
• Trainer, coach, auditor
Certification
• ISO27001 Lead Auditor
• ISO9001 Lead Auditor
• Lead auditor ESD & GDP Pharma
• Lead auditor GQS
• CDPO
• Master trainer DGQ
Accreditation
• Accredited ISO27001 Lead auditor
• Accredited ISO9001 Lead auditor
More info (LinkedIn): https://ffwd2.me/stefan
http://www.qma.be
Stefan@qma.be
Why role separation?
What it was… (before GDPR)
We’re used to … lots of CISO, a bit of privacy and audit
In many cases, when companies think “security”, they point to IT to manage it…
• CISO aka “security officer” securing IT operations
• Legal department for damage control
• Business... Eh… do their own thing, little concern for security as long as everything goes well
• Security = cost, not benefit
• Privacy or “data protection” wasn’t really part of the business driver (except for some sensitive data areas like health…)
Since 2008 (financial crisis)…
Various roles and functions kicked in…
• Security manager, security officer, CSO, CISO, CDO…
• DPO, data protection manager, …
• CPO, Privacy officer, privacy manager, …
• Data security, privacy, data privacy, …
• Internal auditor, external auditor
• GRC, Compliance officer
• Risk manager, risk officer, …
• Legal officer, …
But in reality…
Role separation is not that simple
• There is no exact prescription & guidance on how to do it in YOUR specific situation
• Each role requires specific expertise, knowledge and experience
• The company organization, hierarchy or organigram hinders the required role delegation
• In many cases reorganization is required to support security and data protection implementation…
But in reality…
Organizing security governance is difficult, because
• … people HATE change and
• … people feel threatened (losing their job)
• … management only sees the costs (not the benefits)
• … the organization is “too small”
• … conflicts of interest
• … lack of expertise and experience
• … lack of courage (to speak up, to make the change…)
From the news… last few weeks
GDPR in the news (DPO issues)
Source: https://www.dataguidance.com/news/belgium-belgian-dpa-issues-%E2%82%AC50000-fine-organisation-dpo-appointment-violation
Source: https://www.enforcementtracker.com/
CISO, Risk manager, GRC officer… issues
Source: https://www.fieldfisher.com/en/services/privacy-security-and-information/privacy-security-and-information-law-blog/heads-of-compliance-legal-step-down-as-dpo
Happy CISO?
Source (NL): https://www.security.nl/posting/660081/It-bedrijf+moet+schade+door+ransomware+bij+klant+grotendeels+vergoeden
(June 2020) IT company has to largely compensate customer damage from ransomware
Considering CISO, DPO and auditor roles
Untangling security & DP governance
Today’s focus
The Information security & Data protection basics
Getting started with
• Information Security management (aka CISO)
• DPO role in data protection management & GDPR
• Information security audit (both internal and external)
Some definitions (1)
The Information security & Data protection basics
CISO
• Responsible for enterprise information security management
• Focus on company obligations
• Company internal (even with CISO as a service)
DPO
• Data protection officer
• Main tasks & responsibility definition in GDPR
• Focus on data subject rights
Some definitions (2)
The Information security & Data protection basics
Auditor (*)
• See ISO for definition of tasks and responsibilities
• Compliance control
• Not only “policing”, but also advisory and pushing continuous improvement
• Internal Audit (company)
• External Audit (certification)
(*) Focus on Information Security audit (not financial, …)
GDPR & DPO
Impossible job?
GDPR & DPO designation requirement
Art. 37 (1): Designation of the data protection officer
1. The controller and the processor shall designate a data protection officer in any case where:
a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.
DPO qualification
Art. 37 (5): Designation of the data protection officer
5. The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.
DPO in hierarchy?
Art. 37 (6)
“6. The data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract”
DPO tasks
GDPR Art. 39: Tasks of the data protection officer
1. The data protection officer shall have at least the following tasks:
a) to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including
• the assignment of responsibilities,
• awareness-raising and
• training of staff involved in processing operations, and
• the related audits;
c) to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
d) to cooperate with the supervisory authority;
e) to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.
2. The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.
NOT the DPO tasks
What’s NOT the responsibility of the DPO?
• Organizing information security
• Organizing data protection
• Accountable for data breaches
• Risk management & risk assessment
• Implementing security/data protection/privacy by design
• …
The ideal DPO?
What qualifications you need to do the job
• Business expertise
  • Know the business and your company
• Legal expertise
  • Legal & regulatory insights
• Compliance
  • Audit & GRC
• Data protection
• Information security
  • Current state of protection, ref. state-of-the-art security techniques
The ideal DPO?
But also needs…
• Incident management, Business continuity, disaster recovery…
• Soft skills
• Management skills
• Project management skills
• Communication
• Education
• Authority
• Behavioral skills (handling the human bad practices …)
The ideal DPO?
Consider
• DPO office
• An expert for each function or task
• External support for certain tasks
• …
DPO attention points
From WP29 guidelines
• If you’re not sure you need a DPO, assign a DPO
• Involvement of DPO in all issues related to data protection
• Necessary resources (see ideal DPO)
• Acting in an independent manner
• Dismissal or penalty for performing DPO tasks
• Conflict of interests
• Data processing by DPO when executing tasks… (!)
Internal or external DPO
Some considerations
Internal DPO
Pros and cons
Advantages
• Knowing the company
• Direct impact
• Connection to management
• Internal multi-discipline team support
• Availability
Disadvantages & risks
• Conflict of interest (being employee)
• Lack of authority
• Data protection vs information security
External DPO
Pros and cons
Advantages
• Authority as expert
• DPO office (knowledge coverage)
• External view
Disadvantages & risks
• Lack of knowledge on company internals
• Availability
• Accountability
• Data management & transfers (processing contract!)
CISO
Up or down the tree of hierarchy?
Power of hierarchy
What’s in a name?
• SO or ISO?
• CSO or CISO?
• Information security or IT security?
What options do you have in hierarchy?
• Operational Information Security Officer (not “C”)
• Departmental CISO
• C-level security officer (CSO or CISO)
Choice of department
• Security
• Risk
• IT
• Business
• …
Some options (with pros and cons)
Main position level choices
• Strategic
  • C-level
  • Board-level
  • Upper management
• Tactical
  • Department level
• Operational
  • IT security
  • Practical
Some options (with pros and cons)
Traditional approach (from IT)
Source: PECB ISO27002 Lead implementer
Some options (with pros and cons)
Traditional approach (from business)
Source: PECB ISO27002 Lead implementer
Some options (with pros and cons)
Other organizational options
Source: PECB ISO27002 Lead implementer
• GRC team
• Compliance
• Risk
• CSO Office
• Security Office
• Internal Audit
• Operational security (non-IT)
• …
CISO attention points
No strict governance guidelines or rules
• Current drive for Security by design (ref. ISO27001, PCI-DSS, GDPR, ISO27701, …)
• But no GDPR or direct regulatory requirement to have a CISO
• Security vs performance vs budget
• Necessary resources to do the job
• Conflict of interests
• Acting in an independent manner (?)
• Dismissal or penalty for performing CISO tasks (integrity)
• DPO (subject interests) vs CISO (company interests)
Combining CISO and DPO
Always trouble?
WP29/EDPB advisory
Guidelines on DPOs
• Guidelines on Data Protection Officers (‘DPOs’)
https://ec.europa.eu/information_society/newsroom/image/document/2016-51/wp243_en_40855.pdf?wb48617274=CD63BD9A
• WP243 Annex – FAQ
https://ec.europa.eu/information_society/newsroom/image/document/2016-51/wp243_annex_en_40856.pdf
WP29/EDPB advisory
Good practice advice for DP/DC
“Depending on the activities, size and structure of the organisation, it can be good practice for controllers or processors:
• to identify the positions which would be incompatible with the function of DPO
• to draw up internal rules to this effect in order to avoid conflicts of interests
• to include a more general explanation about conflicts of interests
• to declare that their DPO has no conflict of interests with regard to its function as a DPO, as a way of raising awareness of this requirement
• to include safeguards in the internal rules of the organisation and
• to ensure that the vacancy notice for the position of DPO or the service contract is sufficiently precise and detailed in order to avoid a conflict of interests.
In this context, it should also be borne in mind that conflicts of interests may take various forms depending on whether the DPO is recruited internally or externally.”
Attention point
Segregation of duties
Do NOT combine
• DPO
• Management function
You CAN combine (with due diligence)
• DPO
• Security operations
Attention point
Identify conflicts of interest
Segregation of duties vs team/company size
• When IS/DP is handled by a single person or a small team, a conflict of interest will arise (by default)
• Add policy/process/procedure to maintain due diligence
Important difference (identify tasks!)
• DPO
• Management functions
• Operational security / data protection functions
ISMS audit roles
Audit, advisory & consulting?
What is audit about?
Goals
• Compliance check
• Keeping security in line with the business
• Continuous improvement
Types of audit
• Internal
• External
Why is this important?
Auditor vs implementer (from previous sessions)
• If you know how the audit works, you know better what to implement
• Both in the right spirit
  • Results based, not checklist based
• Growth mindset
  • Not perfect at first step
  • Better done than perfect
  • Think big, act small…
The auditor view helps to…
• The audit cycle pushes the implementation of PDCA
  • Continuous improvement
  • Step by step
• Have an independent / external view
• Keep the helicopter view, with good relations between
  • Business
  • IT
  • DPO
  • Legal
Some practical hints
• Include audit considerations from the start
• Involve audit throughout the project
• Internal audit vs external audit
  • External audit
    • mostly end stage (before you restart the cycle)
    • Certification target
  • Internal audit
    • Separate department
    • Why not cross check? (cross-department)
    • External auditor (but still under authority of the data controller)
Some practical hints
• Look at the external auditor as advisor
  • Not a checklist dummy
  • [NOT consultant ;) ]
• Watch out for conflicts of interest
  • Auditor -> general advice
  • Advice <> consultancy (specific, targeted advice)
• Guidelines
  • ISO27006 (ISO27001 auditor guidance)
  • ISO17021 (audit the auditor, general)
Auditor – Conflicts of interest
ISO27006 5.2.1
Certification bodies may carry out the following duties without them being considered as consultancy or having a potential conflict of interest:
a) arranging and participating as a lecturer in training courses, provided that, where these courses relate to information security management, related management systems or auditing, certification bodies shall confine themselves to the provision of generic information and advice which is publicly available, i.e. they shall not provide company-specific advice which contravenes the requirements of b) below;
Auditor – Conflicts of interest
ISO27006 5.2.1
b) making available or publishing on request information describing the certification body’s interpretation of the requirements of the certification audit standards (see 9.1.3.6);
c) activities prior to audit, solely aimed at determining readiness for certification audit; however, such activities shall not result in the provision of recommendations or advice that would contravene this clause and the certification body shall be able to confirm that such activities do not contravene these requirements and that they are not used to justify a reduction in the eventual certification audit duration;
d) performing second and third-party audits according to standards or regulations other than those being part of the scope of accreditation;
e) adding value during certification audits and surveillance visits, e.g. by identifying opportunities for improvement, as they become evident during the audit, without recommending specific solutions.
The certification body shall not provide internal information security reviews of the client’s ISMS subject to certification. Furthermore, the certification body shall be independent from the body or bodies (including any individuals) which provide the internal ISMS audit.
Auditor – Conflicts of interest
ISO17021 5.2 Management of impartiality
5.2.1 Conformity assessment activities shall be undertaken impartially. The certification body shall be responsible for the impartiality of its conformity assessment activities and shall not allow commercial, financial or other pressures to compromise impartiality.
5.2.3 The certification body shall have a process to identify, analyse, evaluate, treat, monitor, and document the risks related to conflict of interests arising from provision of certification including any conflicts arising from its relationships on an ongoing basis. Where there are any threats to impartiality, the certification body shall document and demonstrate how it eliminates or minimizes such threats and document any residual risk.
Auditor – Conflicts of interest
ISO17021 5.2 Management of impartiality
5.2.10 In order to ensure that there is no conflict of interests, personnel who have provided management system consultancy, including those acting in a managerial capacity, shall not be used by the certification body to take part in an audit or other certification activities if they have been involved in management system consultancy towards the client. A recognized mitigation of this threat is that personnel shall not be used for a minimum of two years following the end of the consultancy.
Remember the ISO audit lifecycle…
Initial audit
• “Get in control”
• Passing the mark
• Basic maturity (ref. CMMI … level 3)
• Room for growth and maturity
Surveillance audit (1 yr) + recertification (3 yr)
• “Stay in control”
• Focus on improvement
• Increasing maturity
• Based on metrics and measurement…
References
EDPB (aka WP29) on DPO
Important
• FAQ
  https://ec.europa.eu/information_society/newsroom/image/document/2016-51/wp243_annex_en_40856.pdf
• Guidelines on Data Protection Officers ('DPOs'), wp243rev.01_en
  https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612048
• Available language versions
  http://ec.europa.eu/newsroom/just/document.cfm?doc_id=48137
Ramping up…
Training Agenda
Relevant PECB Training courses
Check the PECB agenda, select the ISO/IEC 27701 Lead Implementer
https://pecb.com/en/partnerEvent/event_schedule_list
Training Events
For full detailed information about an event click on the ‘View’ button on the right hand side under ‘View full details’.
Note: Before applying for any training courses listed below, please make sure you are registered to PECB
ISO/IEC 27701
Training Courses
• ISO/IEC 27701 Foundation (2-day course)
• ISO/IEC 27701 Lead Implementer (5-day course)
Exam and certification fees are included in the training price.
https://pecb.com/en/education-and-certification-for-individuals/iso-27701
www.pecb.com/events
THANK YOU
?
CyberMinute: info@cyberminute.com
Stefan Mathuvis: stefan@qma.be

 

Plus de PECB

DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of Cybersecurity
DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of CybersecurityDORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of Cybersecurity
DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of CybersecurityPECB
 
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI GovernanceSecuring the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI GovernancePECB
 
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...PECB
 
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...PECB
 
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks EffectivelyISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks EffectivelyPECB
 
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...PECB
 
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital TransformationISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital TransformationPECB
 
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulations
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulationsManaging ISO 31000 Framework in AI Systems - The EU ACT and other regulations
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulationsPECB
 
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?PECB
 
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...PECB
 
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...PECB
 
Student Information Session University KTMC
Student Information Session University KTMC Student Information Session University KTMC
Student Information Session University KTMC PECB
 
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...PECB
 
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...PECB
 
Student Information Session University CREST ADVISORY AFRICA
Student Information Session University CREST ADVISORY AFRICA Student Information Session University CREST ADVISORY AFRICA
Student Information Session University CREST ADVISORY AFRICA PECB
 
IT Governance and Information Security – How do they map?
IT Governance and Information Security – How do they map?IT Governance and Information Security – How do they map?
IT Governance and Information Security – How do they map?PECB
 
Information Session University Egybyte.pptx
Information Session University Egybyte.pptxInformation Session University Egybyte.pptx
Information Session University Egybyte.pptxPECB
 
Student Information Session University Digital Encode.pptx
Student Information Session University Digital Encode.pptxStudent Information Session University Digital Encode.pptx
Student Information Session University Digital Encode.pptxPECB
 
Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023PECB
 
ISO 28000:2022 – Reduce risks and improve the security management system
ISO 28000:2022 – Reduce risks and improve the security management systemISO 28000:2022 – Reduce risks and improve the security management system
ISO 28000:2022 – Reduce risks and improve the security management systemPECB
 

Plus de PECB (20)

DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of Cybersecurity
DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of CybersecurityDORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of Cybersecurity
DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of Cybersecurity
 
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI GovernanceSecuring the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
 
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
 
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
 
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks EffectivelyISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
 
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
 
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital TransformationISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
 
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulations
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulationsManaging ISO 31000 Framework in AI Systems - The EU ACT and other regulations
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulations
 
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
 
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
 
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
 
Student Information Session University KTMC
Student Information Session University KTMC Student Information Session University KTMC
Student Information Session University KTMC
 
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
 
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
 
Student Information Session University CREST ADVISORY AFRICA
Student Information Session University CREST ADVISORY AFRICA Student Information Session University CREST ADVISORY AFRICA
Student Information Session University CREST ADVISORY AFRICA
 
IT Governance and Information Security – How do they map?
IT Governance and Information Security – How do they map?IT Governance and Information Security – How do they map?
IT Governance and Information Security – How do they map?
 
Information Session University Egybyte.pptx
Information Session University Egybyte.pptxInformation Session University Egybyte.pptx
Information Session University Egybyte.pptx
 
Student Information Session University Digital Encode.pptx
Student Information Session University Digital Encode.pptxStudent Information Session University Digital Encode.pptx
Student Information Session University Digital Encode.pptx
 
Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023
 
ISO 28000:2022 – Reduce risks and improve the security management system
ISO 28000:2022 – Reduce risks and improve the security management systemISO 28000:2022 – Reduce risks and improve the security management system
ISO 28000:2022 – Reduce risks and improve the security management system
 

Dernier

Activity 2-unit 2-update 2024. English translation
Activity 2-unit 2-update 2024. English translationActivity 2-unit 2-update 2024. English translation
Activity 2-unit 2-update 2024. English translationRosabel UA
 
TEACHER REFLECTION FORM (NEW SET........).docx
TEACHER REFLECTION FORM (NEW SET........).docxTEACHER REFLECTION FORM (NEW SET........).docx
TEACHER REFLECTION FORM (NEW SET........).docxruthvilladarez
 
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxMULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxAnupkumar Sharma
 
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...Nguyen Thanh Tu Collection
 
ROLES IN A STAGE PRODUCTION in arts.pptx
ROLES IN A STAGE PRODUCTION in arts.pptxROLES IN A STAGE PRODUCTION in arts.pptx
ROLES IN A STAGE PRODUCTION in arts.pptxVanesaIglesias10
 
Oppenheimer Film Discussion for Philosophy and Film
Oppenheimer Film Discussion for Philosophy and FilmOppenheimer Film Discussion for Philosophy and Film
Oppenheimer Film Discussion for Philosophy and FilmStan Meyer
 
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptxQ4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptxlancelewisportillo
 
Concurrency Control in Database Management system
Concurrency Control in Database Management systemConcurrency Control in Database Management system
Concurrency Control in Database Management systemChristalin Nelson
 
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdfInclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdfTechSoup
 
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY -  GERBNER.pptxAUDIENCE THEORY -CULTIVATION THEORY -  GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptxiammrhaywood
 
How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17Celine George
 
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTSGRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTSJoshuaGantuangco2
 
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptxINTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptxHumphrey A Beña
 
Textual Evidence in Reading and Writing of SHS
Textual Evidence in Reading and Writing of SHSTextual Evidence in Reading and Writing of SHS
Textual Evidence in Reading and Writing of SHSMae Pangan
 
EMBODO Lesson Plan Grade 9 Law of Sines.docx
EMBODO Lesson Plan Grade 9 Law of Sines.docxEMBODO Lesson Plan Grade 9 Law of Sines.docx
EMBODO Lesson Plan Grade 9 Law of Sines.docxElton John Embodo
 
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Celine George
 
Millenials and Fillennials (Ethical Challenge and Responses).pptx
Millenials and Fillennials (Ethical Challenge and Responses).pptxMillenials and Fillennials (Ethical Challenge and Responses).pptx
Millenials and Fillennials (Ethical Challenge and Responses).pptxJanEmmanBrigoli
 

Dernier (20)

Activity 2-unit 2-update 2024. English translation
Activity 2-unit 2-update 2024. English translationActivity 2-unit 2-update 2024. English translation
Activity 2-unit 2-update 2024. English translation
 
TEACHER REFLECTION FORM (NEW SET........).docx
TEACHER REFLECTION FORM (NEW SET........).docxTEACHER REFLECTION FORM (NEW SET........).docx
TEACHER REFLECTION FORM (NEW SET........).docx
 
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptxLEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
 
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxMULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
 
FINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptx
FINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptxFINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptx
FINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptx
 
YOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptx
YOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptxYOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptx
YOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptx
 
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
 
ROLES IN A STAGE PRODUCTION in arts.pptx
ROLES IN A STAGE PRODUCTION in arts.pptxROLES IN A STAGE PRODUCTION in arts.pptx
ROLES IN A STAGE PRODUCTION in arts.pptx
 
Oppenheimer Film Discussion for Philosophy and Film
Oppenheimer Film Discussion for Philosophy and FilmOppenheimer Film Discussion for Philosophy and Film
Oppenheimer Film Discussion for Philosophy and Film
 
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptxQ4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
 
Concurrency Control in Database Management system
Concurrency Control in Database Management systemConcurrency Control in Database Management system
Concurrency Control in Database Management system
 
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdfInclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
 
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY -  GERBNER.pptxAUDIENCE THEORY -CULTIVATION THEORY -  GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
 
How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17
 
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTSGRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
 
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptxINTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
 
Textual Evidence in Reading and Writing of SHS
Textual Evidence in Reading and Writing of SHSTextual Evidence in Reading and Writing of SHS
Textual Evidence in Reading and Writing of SHS
 
EMBODO Lesson Plan Grade 9 Law of Sines.docx
EMBODO Lesson Plan Grade 9 Law of Sines.docxEMBODO Lesson Plan Grade 9 Law of Sines.docx
EMBODO Lesson Plan Grade 9 Law of Sines.docx
 
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
 
Millenials and Fillennials (Ethical Challenge and Responses).pptx
Millenials and Fillennials (Ethical Challenge and Responses).pptxMillenials and Fillennials (Ethical Challenge and Responses).pptx
Millenials and Fillennials (Ethical Challenge and Responses).pptx
 

Role Separation for Security, Privacy and Audit

8. Since 2008 (financial crisis)…
Various roles and functions kicked in…
• Security manager, security officer, CSO, CISO, CDO…
• DPO, data protection manager,
• CPO, Privacy officer, privacy manager,
• Data security, privacy, data privacy, …
• Internal auditor, external auditor
• GRC, Compliance officer
• Risk manager, risk officer, …
• Legal officer, …

9. But in reality…
Role separation is not that simple
• There is no exact prescription & guidance on how to do it in YOUR specific situation
• Each role requires specific expertise, knowledge and experience
• The company organization, hierarchy or organigram hinders the required role delegation
• In many cases reorganization is required to support security and data protection implementation…

10. But in reality…
Organizing security governance is difficult, because
• … people HATE change and
• … people feel threatened (losing their job)
• … management only sees the costs (not the benefits)
• … the organization is “too small”
• … conflicts of interest
• … lack of expertise and experience
• … lack of courage (to speak up, to make the change…)
11. From the news… last few weeks

12. GDPR in the news (DPO issues)
Source: https://www.dataguidance.com/news/belgium-belgian-dpa-issues-%E2%82%AC50000-fine-organisation-dpo-appointment-violation
Source: https://www.enforcementtracker.com/

13. CISO, Risk manager, GRC officer… issues
Source: https://www.fieldfisher.com/en/services/privacy-security-and-information/privacy-security-and-information-law-blog/heads-of-compliance-legal-step-down-as-dpo

14. Happy CISO?
Source (NL): https://www.security.nl/posting/660081/It-bedrijf+moet+schade+door+ransomware+bij+klant+grotendeels+vergoeden (jun 2020)
IT company has to largely compensate customer damage from ransomware
15. Considering CISO, DPO and auditor roles
Untangling security & DP governance

16. Today’s focus
The Information security & Data protection basics
Getting started with
• Information Security management (aka CISO)
• DPO role in data protection management & GDPR
• Information security audit (both internal and external)

17. Some definitions (1)
The Information security & Data protection basics
CISO
• Responsible for enterprise information security management
• Focus on company obligations
• Company internal (even with CISO as a service)
DPO
• Data protection officer
• Main tasks & responsibility definition in GDPR
• Focus on data subject rights

18. Some definitions (2)
The Information security & Data protection basics
Auditor (*)
• See ISO for definition of tasks and responsibilities
• Compliance control
• Not only “policing”, but also advisory and pushing continuous improvement
• Internal Audit (company)
• External Audit (certification)
(*) Focus on Information Security audit (not financial, …)
20. GDPR & DPO designation requirement
Art. 37 (1): Designation of the data protection officer
1. The controller and the processor shall designate a data protection officer in any case where:
a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.

21. DPO qualification
Art. 37 (5): Designation of the data protection officer
5. The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.

22. DPO in hierarchy?
Art 37 (6)
“6. The data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract”

23. DPO tasks
GDPR Art 39: Tasks of the data protection officer
1. The data protection officer shall have at least the following tasks:
a) to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including
  • the assignment of responsibilities,
  • awareness-raising and
  • training of staff involved in processing operations, and
  • the related audits;
c) to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
d) to cooperate with the supervisory authority;
e) to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.
2. The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.

24. NOT the DPO tasks
What’s NOT the responsibility of the DPO?
• Organizing information security
• Organizing data protection
• Accountable for data breaches
• Risk management & risk assessment
• Implementing security/data protection/privacy by design
• …

25. The ideal DPO?
What qualifications you need to do the job
• Business expertise
  • Know the business and your company
• Legal expertise
  • Legal & regulatory insights
• Compliance
  • Audit & GRC
• Data protection
• Information security
  • Current state of protection, ref. state-of-the-art security techniques

26. The ideal DPO?
But also needs…
• Incident management, business continuity, disaster recovery…
• Soft skills
  • Management skills
  • Project management skills
  • Communication
  • Education
  • Authority
  • Behavioral skills (handling the human bad practices …)

27. The ideal DPO?
Consider
• DPO office
• An expert for each function or task
• External support for certain tasks
• …

28. DPO attention points
From WP29 guidelines
• If you’re not sure you need a DPO, assign a DPO
• Involvement of DPO in all issues related to data protection
• Necessary resources (see ideal DPO)
• Acting in an independent manner
• Dismissal or penalty for performing DPO tasks
• Conflict of interests
• Data processing by DPO when executing tasks… (!)

29. Internal or external DPO
Some considerations

30. Internal DPO
Pros and cons
Advantages
• Knowing the company
• Direct impact
• Connection to management
• Internal multi-discipline team support
• Availability
Disadvantages & risks
• Conflict of interest (being employee)
• Lack of authority
• Data protection vs information security

31. External DPO
Pros and cons
Advantages
• Authority as expert
• DPO office (knowledge coverage)
• External view
Disadvantages & risks
• Lack of knowledge on company internals
• Availability
• Accountability
• Data management & transfers (processing contract!)
32. CISO
Up or down the tree of hierarchy?

33. Power of hierarchy
What’s in a name?
• SO or ISO?
• CSO or CISO?
• Information security or IT security?
What options do you have in hierarchy?
• Operational Information Security Officer (not “C”)
• Departmental CISO
• C-level security officer (CSO or CISO)
Choice of department
• Security
• Risk
• IT
• Business
• …

34. Some options (with pros and cons)
Main position level choices
• Strategic
  • C-level
  • Board-level
  • Upper management
• Tactical
  • Department level
• Operational
  • IT security
  • Practical

35. Some options (with pros and cons)
Traditional approach (from IT)
Source: PECB ISO27002 Lead implementer

36. Some options (with pros and cons)
Traditional approach (from business)
Source: PECB ISO27002 Lead implementer

37. Some options (with pros and cons)
Other organizational options
Source: PECB ISO27002 Lead implementer
• GRC team
  • Compliance
  • Risk
• CSO Office
• Security Office
• Internal Audit
• Operational security (non-IT)
• …

38. CISO attention points
No strict governance guidelines or rules
• Current drive for Security by design (ref ISO27001, PCI-DSS, GDPR, ISO27701, …)
• But no GDPR or direct regulatory requirement to have a CISO
• Security vs performance vs budget
• Necessary resources to do the job
• Conflict of interests
• Acting in an independent manner (?)
• Dismissal or penalty for performing CISO tasks (integrity)
• DPO (subject interests) vs CISO (company interests)
  • 39. Combining CISO and DPO Always trouble?
  • 40. WP29/EDPB advisory: guidelines on DPOs
  • Guidelines on Data Protection Officers (‘DPOs’): https://ec.europa.eu/information_society/newsroom/image/document/2016-51/wp243_en_40855.pdf?wb48617274=CD63BD9A
  • WP243 Annex – FAQ: https://ec.europa.eu/information_society/newsroom/image/document/2016-51/wp243_annex_en_40856.pdf
  • 41. WP29/EDPB advisory: good practice advice for DP/DC (data processors / data controllers)
  “Depending on the activities, size and structure of the organisation, it can be good practice for controllers or processors:
  • to identify the positions which would be incompatible with the function of DPO
  • to draw up internal rules to this effect in order to avoid conflicts of interests
  • to include a more general explanation about conflicts of interests
  • to declare that their DPO has no conflict of interests with regard to its function as a DPO, as a way of raising awareness of this requirement
  • to include safeguards in the internal rules of the organisation and
  • to ensure that the vacancy notice for the position of DPO or the service contract is sufficiently precise and detailed in order to avoid a conflict of interests.
  In this context, it should also be borne in mind that conflicts of interests may take various forms depending on whether the DPO is recruited internally or externally.”
  • 42. Attention point: segregation of duties
  Do NOT combine:
  • DPO
  • Management function
  You CAN combine (with due diligence):
  • DPO
  • Security operations
  • 43. Attention point: identify conflicts of interest
  Segregation of duties vs team/company size
  • When IS/DP is handled by a single person or a small team, a conflict of interest will arise (by default)
  • Add policy/process/procedure to maintain due diligence
  Important difference (identify tasks!)
  • DPO
  • Management functions
  • Operational security / data protection functions
  • 44. ISMS audit roles: audit, advisory & consulting?
  • 45. What is audit about?
  Goals
  • Compliance check
  • Keeping security in line with the business
  • Continuous improvement
  Types of audit
  • Internal
  • External
  • 46. Why is this important?
  Auditor vs implementer (from previous sessions)
  • If you know how the audit works, you know better what to implement
  • Both in the right spirit
    • Results based, not checklist based
  • Growth mindset
    • Not perfect at first step
    • Better done than perfect
    • Think big, act small…
  • 47. The auditor view helps to…
  • Push the implementation of PDCA through the audit cycle
    • Continuous improvement
    • Step by step
  • Have an independent / external view
  • Keep the helicopter view, with good relations between
    • Business
    • IT
    • DPO
    • Legal
  • 48. Some practical hints
  • Include audit considerations from the start
  • Involve audit throughout the project
  • Internal audit vs external audit
    • External audit
      • Mostly end stage (before you restart the cycle)
      • Certification target
    • Internal audit
      • Separate department
      • Why not cross check? (cross-department)
      • External auditor (but still under the authority of the data controller)
  • 49. Some practical hints
  • Look at the external auditor as an advisor
    • Not a checklist dummy
    • [NOT a consultant ;)]
  • Watch out for conflicts of interest
    • Auditor -> general advice
    • Advice <> consultancy (specific, targeted advice)
  • Guidelines
    • ISO27006 (ISO27001 auditor guidance)
    • ISO17021 (audit the auditor, general)
  • 50. Auditor – conflicts of interest: ISO27006 5.2.1
  Certification bodies may carry out the following duties without them being considered as consultancy or having a potential conflict of interest:
  a) arranging and participating as a lecturer in training courses, provided that, where these courses relate to information security management, related management systems or auditing, certification bodies shall confine themselves to the provision of generic information and advice which is publicly available, i.e. they shall not provide company-specific advice which contravenes the requirements of b) below;
  • 51. Auditor – conflicts of interest: ISO27006 5.2.1 (continued)
  b) making available or publishing on request information describing the certification body’s interpretation of the requirements of the certification audit standards (see 9.1.3.6);
  c) activities prior to audit, solely aimed at determining readiness for certification audit; however, such activities shall not result in the provision of recommendations or advice that would contravene this clause and the certification body shall be able to confirm that such activities do not contravene these requirements and that they are not used to justify a reduction in the eventual certification audit duration;
  d) performing second and third-party audits according to standards or regulations other than those being part of the scope of accreditation;
  e) adding value during certification audits and surveillance visits, e.g. by identifying opportunities for improvement, as they become evident during the audit, without recommending specific solutions.
  The certification body shall not provide internal information security reviews of the client’s ISMS subject to certification. Furthermore, the certification body shall be independent from the body or bodies (including any individuals) which provide the internal ISMS audit.
  • 52. Auditor – conflicts of interest: ISO17021 5.2 Management of impartiality
  5.2.1 Conformity assessment activities shall be undertaken impartially. The certification body shall be responsible for the impartiality of its conformity assessment activities and shall not allow commercial, financial or other pressures to compromise impartiality.
  5.2.3 The certification body shall have a process to identify, analyse, evaluate, treat, monitor, and document the risks related to conflict of interests arising from provision of certification including any conflicts arising from its relationships on an ongoing basis. Where there are any threats to impartiality, the certification body shall document and demonstrate how it eliminates or minimizes such threats and document any residual risk.
  • 53. Auditor – conflicts of interest: ISO17021 5.2 Management of impartiality (continued)
  5.2.10 In order to ensure that there is no conflict of interests, personnel who have provided management system consultancy, including those acting in a managerial capacity, shall not be used by the certification body to take part in an audit or other certification activities if they have been involved in management system consultancy towards the client. A recognized mitigation of this threat is that personnel shall not be used for a minimum of two years following the end of the consultancy.
  • 54. Remember the ISO audit lifecycle…
  Initial audit
  • “Get in control”
  • Passing the mark
  • Basic maturity (ref. CMMI … level 3)
  • Room for growth and maturity
  Surveillance audit (1 yr) + recertification (3 yr)
  • “Stay in control”
  • Focus on improvement
  • Increasing maturity
  • Based on metrics and measurement…
  • 56. EDPB (aka WP29) on DPO: important
  • FAQ: https://ec.europa.eu/information_society/newsroom/image/document/2016-51/wp243_annex_en_40856.pdf
  • Guidelines on Data Protection Officers ('DPOs'), wp243rev.01_en: https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612048
  • Available language versions: http://ec.europa.eu/newsroom/just/document.cfm?doc_id=48137
  • 57. Ramping up… relevant PECB training courses
  • 58. PECB Training Agenda: check the PECB agenda and select the ISO/IEC 27701 Lead Implementer course: https://pecb.com/en/partnerEvent/event_schedule_list
  • 59. ISO/IEC 27701 training courses
  • ISO/IEC 27701 Foundation: 2-day course
  • ISO/IEC 27701 Lead Implementer: 5-day course
  Exam and certification fees are included in the training price.
  https://pecb.com/en/education-and-certification-for-individuals/iso-27701
  www.pecb.com/events