As a follow-up on the previous session (4th of December), we run through the GDPR part of the ISO/IEC 27701 standard, which was published in August 2019.
We'll take it from another angle and use ISO/IEC 27701 as a guide to complete the checklist for the GDPR implementation.
Also, with the help of the (new) PECB ISO/IEC 27701 Lead Auditor course, we'll take an auditor's look at ISO certification and compliance. It's important to see how it works, to make sure your GDPR implementation can withstand the increasing demand for maturity from customers, data subjects and data protection authorities that are starting to exercise their rights.
ISO 27701 contains important requirements and implementation guidance for implementing a PIMS (Privacy Information Management System), which will set the baseline for the future of privacy and data protection.
The webinar covers:
- The GDPR view of the ISO/IEC 27701
- Mapping the GDPR to-do list and the ISO/IEC 27701 to-do list
- The ISO/IEC 27701 auditor mindset
- Compliance AND/OR/XOR solid data protection?
- Status of GDPR certification
Date: December 04, 2019
Recorded Webinar: https://www.youtube.com/watch?v=P80So3ryvJ8&feature=youtu.be
Agenda
• Introduction
• The GDPR view of the ISO/IEC 27701
• Mapping the GDPR to-do list and the ISO27701 to-do list
• The ISO/IEC 27701 auditor mindset
• Compliance AND/OR/XOR solid data protection?
• Status of GDPR certification
• Q & A
Previous session
• Quick Guide to ISO/IEC 27701 - The Newest Privacy Information Standard
• PECB: https://pecb.com/past-webinars/quick-guide-to-isoiec-27701-the-newest-privacy-information-standard
• Recording: https://youtu.be/ilw4UmMSlU4
• Slideshare: https://www.slideshare.net/PECBCERTIFICATION/quick-guide-to-isoiec-27701-the-newest-privacy-information-standard
• Check the past webinars on the PECB website at https://pecb.com/past-webinars
Quick recap
• Best practices ≠ regulations
• ISO requirements (ref. audit) vs guidelines
• Privacy ≠ data protection
• Data protection ≠ information security
• PII vs personal data
• International vs. regional
The GDPR view of the ISO/IEC 27701
Annex D: Mapping to GDPR
The classic view
As initially designed
• ISO 27001 is the baseline
• + ISO 27701 on top (extra measures)
• Focus on "privacy"
GDPR flavor is…
• Ref. Annex D:
• Simply replace "privacy" with "data protection" terminology
• Extend the ISO27001 mindset to a GDPR mindset
• Extended stakeholders / interested parties / external parties
• Extended requirements
Using the annex
At first sight
• Nice overview, but…
• Pretty cryptic, because
• Only number-to-number mapping
To use it
• Look up the article in ISO27701 (or do you know it by heart?)
• Look up the article in the GDPR (or do you kn…? Never mind.)
Would be handy to have
• More explicit, clear naming…
• Reverse mapping (GDPR to ISO)
Download
Github
• Direct download: http://ffwd2.me/ISO27701mapping
LinkedIn page with this session's collaterals
• https://ffwd2.me/ISO27701Collaterals
• (or find it via my LinkedIn profile > articles)
The GDPR checklist in ISO27701
Sorting the mapping by GDPR article to see the matching ISO27701 clauses
Other sources
GDPR articles relevant to implementation
See also
• GDPR to ISO27001 mapping from ISO27001security.com
• Free
• GDPR-ISO27k mapping - ISO 27001 Security
• https://www.iso27001security.com/ISO27k_GDPR_mapping_release_1.docx
Please note
• The practical approach of ISO gives you a kickstart
• It's NOT a one-off, but a cycle:
  • Plan…
  • Do…
  • Check…
  • Act or Adjust…
  • (and again)
• No privacy… eh, data protection, without information security
• But you can have information security without data protection
Please note
GDPR articles relevant to implementation
• Mostly 1..49 (ref. articles in ISO27701 Annex D)
For the EU and DPAs
• 50..99
Except a few articles…
- Art. 83 fines ;)
- Art. 86 Access to public documents
- Art. 87 Processing of national ID
- Art. 88 Employment context
How to start… some options…
Enterprise first
• ISO 27001 first + extension to personal data (GDPR)
GDPR only
• Scoping ISO27001 to GDPR only (with help from ISO27701)
GDPR - subject-facing first
IMPORTANT:
Implementation is process-based; it's an ISMS/PIMS.
You cannot protect GDPR data only.
Applying the ISO27701 approach to GDPR
5.1 General
'/../ The requirements of ISO/IEC 27001:2013 mentioning "information security" shall be extended to the protection of privacy as potentially affected by the processing of PII.
NOTE In practice, where "information security" is used in ISO/IEC 27001:2013, "information security and privacy" applies instead (see Annex F).'
GDPR: doesn't mention "privacy", but refers only to "data protection".
When applying GDPR: apply the same principle, and extend "information security" to "information security and (personal) data protection".
Pay special attention to
• Terminology
  • no "privacy", but information security and data protection
• EVERYONE on board
  • Internal (employees, interims, and… contractors)
  • External (customers, prospects, visitors,… subjects)
• Policies
• Communication
  • information notice
  • Responding to subjects
• Incident & crisis management
• Continuous improvement
  • ISO27001: Clause 1
  • GDPR: "state of the art" protection
Pay special attention to
• GDPR & ISO27701 is a combined job for
  • Business
  • Legal
  • IT
  • HR, CRM, …
  • External parties…
• Required expertise for ALL these areas, for every company
• Mind Murphy's law
  • What can go wrong, will go wrong
  • In cyber & GDPR: it's not "if", but "when"…
  • You only need one mouse click for disaster
The goals
• Protect the subject and his/her data
• Protect your company data as subject data
• Get in control (especially when working with vendors)
• Stay in control, even when something goes wrong
• Keep up to speed, everything is moving (even the law)
• Keep improving
"Companies will be judged not because they were hacked, but on how prepared they were and how they handled and communicated about the breach..."
(Jan De Bondt)
Why is this important?
Auditor vs implementer
• If you know how the audit works, you know better what to implement
• Both in the right spirit
  • Results based,
  • not checklist based
• Growth mindset
  • Not perfect at the first step
  • Better done than perfect
  • Think big, act small…
The auditor view helps to…
• The audit cycle pushes the implementation of PDCA
  • Continuous improvement
  • Step by step
• Have an independent / external view
• Keep the helicopter view, with a good relationship between
  • Business
  • IT
  • DPO
  • Legal
Compliance vs data protection
• Mostly a religious discussion
• Compliance does not guarantee security
  • …but it helps
• Complementary
• It's about the mindset
  • Getting results
  • Continuous improvement
  • Start small, grow big, step by step
• It's not about the checklist but about the results
ISO27001 vs security & data protection
Typical feedback
• "Old" framework?
• "Too general"
• "Not fit" for current evolutions?
Advantages
• General
• Best practice
• Flexible, pluggable
• Universal & uniform
• Extremely compatible with other frameworks
Why is this important?
ISO27001
• International
• Standardized
• Mutual recognition
GDPR
• EU regulation, BUT…
• Certification controlled by
  • National DPA
  • Accreditation bodies
  • + EDPB…
Why is this important? (cont'd)
NIS
• Directive (not regulation)
• National law implementation required
• Different implementations… not consistent
Cyber Act
• EU (only)
• Regulation
Current status
GDPR certification
• In progress… first consultations for a technical scheme started
• EDPB published guidelines… nothing more
• All countries must publish a certification scheme to proceed… (28)
• No scheme planned at launch
• ISO27701 could be a guideline, but requires adoption of a certification scheme
Cyber Act
• EU (only)
• Regulation
• Starts with a scheme… existing schemes available for adoption
The only option today…
ISO certification
• ISO27001 certification
• With ISO27701 extension
Possible risk
• Mismatch with the national or EU scheme IF they choose a different scheme (small risk)
Relevant Training
PIMS
• PECB ISO 27701 Foundation
• PECB ISO 27701 LI
• PECB ISO 27701 LA
Information Security
• PECB ISO 27001 LI
• PECB ISO 27001 LA
• PECB ISO 27002 LM
Training Agenda
Check the PECB agenda, select the ISO/IEC 27701 Lead Implementer
https://pecb.com/en/partnerEvent/event_schedule_list
Relevant Training
PECB ISO 27701 Foundation
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27701/iso-iec-27701-foundation
PECB ISO 27701 Lead Implementer
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27701/iso-iec-27701-lead-implementer
PECB ISO 27701 Lead Auditor
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27701/iso-iec-27701-lead-auditor
Relevant Training
PECB ISO 27001
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27001
Lead Implementer
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27001/iso-iec-27001-lead-implementer
Lead Auditor
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27001/iso-iec-27001-lead-auditor
Relevant Training
PECB ISO 27002
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27002
Lead Manager
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27002/iso-iec-27002-lead-manager
Relevant Training
PECB ISO27035 - Incident Management
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27035
Lead Incident Manager
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27035/iso-iec-27035-lead-incident-manager
Relevant Training
PECB ISO27005 - Risk Management
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27005
Lead Risk Manager
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27005/iso-27005-lead-risk-manager
ISO/IEC 27701 Training Courses
• ISO/IEC 27701 Foundation: 2-day course
• ISO/IEC 27701 Lead Implementer: 5-day course
Exam and certification fees are included in the training price.
https://pecb.com/en/education-and-certification-for-individuals/iso-27701
www.pecb.com/events