ISO 27701 is a new standard for privacy protection, built as an extension to ISO 27001 & 27002. Because it was released as recently as August 2019, organizations and practitioners are still trying to understand the standard, its intricacies and its implications. Infosys is the first Indian company to have been 27701 certified, a result of a long-running Privacy Program run by a team with the necessary expertise and many years of experience in the domain. In this session, the Infosys Chief Privacy Officer shares their journey and offers key insights and learnings to organizations on their paths to achieving 27701.
(SACON) Srinivas Poosarla - Challenges & Approach
1. SACON
SACON International 2020
India | Bangalore | February 21 - 22 | Taj Yeshwantpur
27001 to 27701:
Challenges & Approach
Srinivas Poosarla
Infosys
VP & Chief Privacy
Officer
2. SACON 2020
Agenda
❑ A brief overview of ISO 27701
❑ What it takes to implement the standard
❑ What can be leveraged from an existing 27001 implementation and what needs to be done ground-up
❑ Challenges & roadblocks one can anticipate and how they can be overcome
❑ Key learnings
Views expressed are personal
3. SACON 2020
Changing Notion of Privacy
Places
People
Information
self-determination
Time, Innovation
Privacy
4. SACON 2020
Anatomy of a DP Regulation
1. Privacy Principles
❑ Fair & Lawful Processing
❑ Purpose Limitation
❑ Data Minimization
❑ Accuracy
❑ Storage Limitation
❑ Security (C, I, A)
2. Data Subject Rights
❑ To Access one's PII
❑ To Correct
❑ To be forgotten
❑ To object to ADM
❑ To withdraw consent
❑ Against ADM & Profiling
3. Accountability
❑ Appointment of DPO and empowerment
❑ Privacy by Design & Privacy Impact Assessments
❑ Due diligence when outsourcing
❑ Evidences to demonstrate compliance
❑ Breach Notification
❑ International Data Transfers
4. Grievance Redressal
❑ By DPO (internal to org)
❑ By DPA (authority, with powers to regulate and impose sanctions)
5. SACON 2020
About ISO 27701
• Extension to ISO/IEC 27001 & ISO/IEC 27002 for privacy information management — Requirements and guidelines
• Is a sector-specific standard: privacy extension to ISO/IEC 27001 Information Security Management and ISO/IEC 27002 Security Controls
• World's 1st International Standard on PIMS
• Incorporates mapping against GDPR requirements
• ISO 27001 certification is a prerequisite
6. SACON 2020
Why ISO 27701?
• Provides an established framework which the PIMS can emulate
• Helps create a baseline set of measures when subjected to DP laws from multiple jurisdictions
• Risk-based approach useful in a constantly changing threat landscape
• A model for continuous improvement
• Likely to minimize penalties in the event of a data breach
• Market differentiator
• Integrates well with ISO 27001
7. SACON 2020
Mapping between ISMS & PIMS Standard of ISO
Security: ISO 27001; ISO 27002 / Annexure A of ISO 27001
Privacy:
• ISO 27701 Sec 5 — PIMS related requirements
• ISO 27701 Sec 6 — PII specific Security Controls
• ISO 27701 Sec 7, 8, Annexures A & B — Privacy Controls
8. SACON 2020
Categories of Key Requirements
❑ Clause 5: PIMS-specific requirements regarding the information security requirements in ISO/IEC 27001 for an organization acting as either a PII controller or a PII processor
❑ Clause 6: PIMS-specific guidance regarding the information security controls in ISO/IEC 27002 and PIMS-specific guidance for an organization acting as either a PII controller or a PII processor
❑ Clause 7: Additional ISO/IEC 27002 guidance for PII controllers
❑ Clause 8: Additional ISO/IEC 27002 guidance for PII processors
❑ Annex A: PIMS-specific control objectives and controls for PII controllers
❑ Annex B: PIMS-specific control objectives and controls for PII processors
9. SACON 2020
Approach towards Development of PIMS
Risk management: Identify Security & Privacy Risks → Analyze → Evaluate → Treat
Controls Identification: Determine Controls → Compare with Annexure A & B → SoA
PIMS Objectives & Planning
What about Compliance Requirements?
10. SACON 2020
What may be leveraged during Implementation?
• ISMS & PIMS: Distinct or Combined?
• Security related controls on PII
• Documentation infrastructure
• CISO & CPO Organization: Common or Independent?
• Risk Assessment Framework
• SoA
• Data Classification & Labelling Criteria
11. SACON 2020
Challenges, Way forward & Learnings
• Compliance is binary, Risk is not
• Conflict between Security & Privacy due to increased reliance on detection tools for security
• Temp Files
• Force-fitting PIMS in ISMS structure may have led to complexity
• Implementation Guidance on integrating ISMS & PIMS absent
• Competency gap on PIMS standard, if Privacy is a legal function
• Need for auditors to be competent on regulatory updates