As a follow-up on the previous session (4th of December), we run through the GDPR part of the ISO/IEC 27701 standard which has been published in August 2019. We'll take it from another angle and use the ISO/IEC 27701 as a guide to complete the checklist for the GDPR implementation. Also, with the help of the (new) PECB ISO/IEC 27701 lead auditor course, we'll have an auditor's look at the ISO certification and compliance. It's important to see how it works, to make sure your GDPR implementation can withstand the increasing demand for maturity from customers, subjects and data protection authorities that start to exercise their rights. The ISO27701 contains important requirements and implementation guidance for implementing a PIMS (Privacy Information Management System), which will set the baseline for the future of privacy and data protection. The webinar covers: - The GDRP view of the ISO/IEC 27701 - Mapping the GDPR to-do and the ISO/IEC 27701 to-do list. - The ISO/IEC 27701 auditor mindset - Compliance AND/OR/XOR solid data protection? - Status of GDPR certification Date: December 04, 2019 Recorded Webinar: https://www.youtube.com/watch?v=P80So3ryvJ8&feature=youtu.be

2. • Introduction
• The GDPR view of the ISO/IEC 27701
• Mapping the GDPR to-do and the ISO27701 to-do list.
• The ISO/IEC 27701 auditor mindset
• Compliance AND/OR/XOR solid data protection?
• Status of GDPR certification
• Q & A
Agenda

3. Introduction

4. Peter Geelen (CyberMinute)
• 20+ years experience in security
• Enterprise Security & IAM
• Cybersecurity
• Data Protection & Privacy
• Incident management, Disaster Recovery
• Trainer, coach, auditor
• ISO27001 Master & Lead ISO27002
• ISO27701 Lead Impl. & Lead Auditor
• Certified DPO & Fellow In Privacy
• Lead Incident Mgr & Disaster Recovery
• ISO27032 Sr. Lead Cybersecurity Mgr
• Lead ISO27005 (Risk Mgmt)
• Accredited ISO27001/9001
Lead auditor
• Accredited Security Trainer
My experience Certification Accreditation
http://www.cyberminute.com
https://ffwd2.me/pgeelen
More info (LinkedIn):
peter@cyberminute.com

5. Before we start…
Previous session recap

6. • Quick Guide to ISO/IEC 27701-The Newest Privacy Information Standard
• PECB: https://pecb.com/past-webinars/quick-guide-to-isoiec-27701-the-newest-
privacy-information-standard
• Recording: https://youtu.be/ilw4UmMSlU4
• Slideshare: https://www.slideshare.net/PECBCERTIFICATION/quick-guide-to-
isoiec-27701-the-newest-privacy-information-standard
• Check the past webinars on the PECB website at
• https://pecb.com/past-webinars
Previous session

7. • Best practices ≠ regulations
• ISO Requirements (ref. audit) vs guidelines
• Privacy ≠ Data Protection
• Data protection ≠ Information Security
• PII vs Personal Data
• International vs. Regional
Quick Recap

8. The GDPR view of the ISO/IEC 27701
Annex D: Mapping to GDPR

9. As initially designed
• ISO 27001 is the baseline
• + ISO 27701 on top (extra measures)
• Focus on "privacy"
GDPR flavor is …
• Ref. Annex D:
• Simply replace "privacy" with "data protection" terminology
• Extend the ISO27001 mindset to GDPR mindset
• Extended stakeholders/interested parties/external parties
• Extended requirements
The classic view

10. Annex D
The GDPR mapping in ISO27701

11. At first sight
• Nice overview, but…
• Pretty Cryptic, because
• Only Number mapping
To use it
• lookup article from ISO27701 (or do you know it by heart?)
• lookup in GDPR (or do you kn…? Nevermind.)
Would be handy to have
• More explicit clear naming…
• Reverse mapping (GDPR to ISO)
Using the annex

12. Sorting the mapping by GDPR Article to see ISO27701?
Something like…

13. Sorting the mapping by GDPR Article to see ISO27701?
or…

14. Github
• Direct download : http://ffwd2.me/ISO27701mapping
LinkedIn Page with this session's collaterals
• https://ffwd2.me/ISO27701Collaterals
• (or find it via my LinkedIn profile > articles)
Download

15. Mapping the GDPR and the ISO27701
To do-lists

16. Sorting the mapping by GDPR Article to see ISO27701
The GDPR check list in ISO27701

17. GDPR articles relevant to implementation
See also
• GDPR to ISO27001 mapping from ISO27001security.com
• Free
• GDPR-ISO27k mapping - ISO 27001 Security
• https://www.iso27001security.com/ISO27k_GDPR_mapping_release_1.docx
Other sources

18. • The practical approach of ISO gives you a kickstart
• It's NOT a 1-off, but a cycle.
• Plan…
• Do…
• Check…
• Act or Adjust…
• (and again)
• No privacy … eh data protection, without information security
• But you can have information security without data protection
Please note

19. GDPR articles relevant to implementation
• Mostly 1..49 (ref. Articles in ISO27701 Annex D.)
For EU and DPAs
• 50..99
Except a few articles…
- Art. 83 fines ;)
- Art. 86 Access to public documents
- Art. 87 Processing of national ID
- Art. 88 Employment context
Please note

20. Enterprise first
 ISO 27001 first + extension to personal data (GDPR)
GDPR only
 Scoping ISO27001 to GDPR only (with help from ISO27701)
GDPR - Subject facing first
How to start… some options…
IMPORTANT:
implementation is process based, it's an ISMS/PIMS,
you cannot protect GDPR data only

21. 5.1. General
'/../ The requirements of ISO/IEC 27001:2013 mentioning "information security"
shall be extended to the protection of privacy as potentially affected by the
processing of PII.
NOTE In practice, where "information security" is used in ISO/IEC 27001:2013,
"information security and privacy” applies instead (see Annex F)."
GDPR : doesn't mention "privacy", but refers only to "data protection"
Applying the ISO27701 approach to GDPR
When applying GDPR: apply the same principle, extend "information security" to
"information security and (personal) data protection"

22. PIMS/GDPR implementation
Source: PECB ISO27701 Lead Auditor

23. • Terminology
• no "privacy" but info security and data protection)
• EVERYONE on board
• Internal (employees, interims, and … contractors)
• External (customers, prospects, visitors,… subjects)
• Policies
• Communication
• information notice
• Responding to subjects
• Incident & Crisis management
• Continuous improvement
• ISO27001 : Clause 1
• GDPR: "state of the art" protection
Pay special attention to

24. • GDPR & ISO27701 is a combined job for
• Business
• Legal
• IT
• HR, CRM, …
• External parties…
• Required expertise for ALL these areas, for every company.
• Mind Murphy's law
• What can go wrong, will go wrong
• In cyber & GDPR: it's not "IF", but "when",…
• you only need 1 mouseclick for disaster
Pay special attention to

25. • Protect the subject and his/her data
• Protect your company data as subject data
• Get in control (especially working with vendors)
• Stay in control, even when something goes wrong
• Keep up to speed, everything is moving (even law)
• Keep improving
The goals
Companies will be judged not because they were hacked,
but how prepared they were and how they handled
and communicated about the breach...".
(Jan De Bondt)

26. The ISO27701 auditor mindset
Looking from a different angle

27. Auditor vs implementer
• If you know how the audit works, you know better what to
implement
• Both In the right spirit
• Results based,
• not check list based
• Growth mindset
• Not perfect at first step
• Better done than perfect
• Think big, act small…
Why is this important?

28. • The audit cycle pushes the implementation of PDCA
• Continous improvement
• Step by step
• Have an independent / external view
• Keep the helicopter view, with good relation between
• Business
• IT
• DPO
• Legal
The auditor view helps to…

29. Compliance vs data protection
AND & OR | XOR ^ ?

30. • Mostly a religious discussion
• Compliance does not guarantee security
• …but it helps
• Complementary
• It's about the mindset
• Getting results
• Continous improvement
• Start small, grow big, step-by-step
• It's not about the checklist but about the results
Compliance vs data protection

31. Typical feedback
• "Old" framework?
• "too general"
• "Not fit" for current evolutions?
Advantages
• General
• Best practice
• Flexible, pluggable
• Universal & uniform
• Extremely Compatible with other frameworks
ISO27001 vs security & data protection

32. GDPR certification
Status anno 2020

33. Context
Certification
Certification GDPR & NIS
ISO27001
Cyber Act

34. Articles
• Art. 42 - Certification
• Art. 43 - Certification bodies
Art. 42
• Demonstrating compliance
• Voluntary (ref ISO)
• Board will publish register
Art. 43
• Ref to ISO17065 (accreditation)
• Art. 43.2 refers to ISO17021 principles (processes, procedures, mgmt, …)
GPDR certification

35. ISO27001
• International,
• Standardized
• Mutual recognition
GDPR
• EU Regulation, BUT…
• Certification controlled by
• National DPA
• Accreditation bodies
• + EDPB..
Why is this important?

36. NIS
• Directive (not regulation)
• National law implementation required
• Different implementations… not consistent
Cyber Act
• EU (only)
• Regulation
Why is this important? (Cont'd)

37. GDPR certification
• In progress… first consultations for tech scheme started
• EDPB published guidelines… nothing more
• All countries must publish certifation schema to proceed… (28)
• No scheme planned at launch
• ISO27701 could be guideline but requires adoption of certification
scheme
Cyber Act
• EU (only)
• Regulation
• Starts with scheme… existing schemes available for adoption
Current status

38. ISO certification
• ISO27001 certification
• With ISO27701 extension
Possible risk
• Mismatch with National or EU scheme IF they choose different
scheme (small risk)
The only option today…

39. Ramping up…
Relevant PECB Training courses

40. Relevant Training
PIMS
• PECB ISO 27701 Foundation
• PECB ISO 27701 LI
• PECB ISO 27701 LA
Information Security
• PECB ISO 27001 LI
• PECB ISO 27001 LA
• PECB ISO 27002 LM

41. Relevant Training
Data protection
• PECB Certified Data protection Officer (GDPR)
Privacy
• PECB ISO29100 LI

42. Other Relevant Training
Incident Management
• PECB ISO 27035 LI
Risk Management
• PECB ISO 27005 LI

43. Check the PECB agenda, select the ISO/IEC 27701 Lead
Implementer
https://pecb.com/en/partnerEvent/event_schedule_list
Training Events
For full detailed information about an event click on the ‘View’ button on the right hand
side under ‘View full details’.
Note: Before applying for any training courses listed below, please make sure you are
registered to PECB
Training Agenda

44. Appendix

45. Relevant Training
PECB ISO 27701 Foundation
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-
27701/iso-iec-27701-foundation
PECB ISO 27701 Lead Implementer
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-
27701/iso-iec-27701-lead-implementer
PECB ISO 27701 Lead Auditor
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-
27701/iso-iec-27701-lead-auditor

46. Relevant Training
PECB ISO 27001
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27001
Lead Implementer
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-
27001/iso-iec-27001-lead-implementer
Lead Auditor
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-
27001/iso-iec-27001-lead-auditor

47. Relevant Training
PECB ISO 27002
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27002
Lead Manager
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-
27002/iso-iec-27002-lead-manager

48. Relevant Training
PECB GDPR
https://pecb.com/en/education-and-certification-for-individuals/gdpr
CDPO
https://pecb.com/en/education-and-certification-for-individuals/gdpr/certified-
data-protection-officer

49. Relevant Training
PECB ISO29100
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-29100-
privacy-implementer
Lead Implementer
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-29100-
privacy-implementer/iso-29100-lead-privacy-implementer

50. Relevant Training
PECB ISO27035 - Incident Management
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27035
Lead Incident Manager
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27035
/iso-iec-27035-lead-incident-manager

51. Relevant Training
PECB ISO27005 - Risk Management
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27005
Lead Risk Manager
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27005
/iso-27005-lead-risk-manager

52. ISO/IEC 27701
Training Courses
• ISO/IEC 27701 Foundation
2 Day Course
• ISO/IEC 27701 Lead Implementer
5Days Course
Exam and certification fees are included in the training price.
https://pecb.com/en/education-and-certification-for-individuals/iso-
27701
www.pecb.com/events

54. THANK YOU
?
info@cyberminute.com CyberMinute