- Applications, tools and software for the implementation and documentation of the new ISO 27701 for GDPR and DPA compliance
- Key control objectives and requirements based on ISO 27001 on information security
- How to prepare for an independent certification
How can ISO 27701 help to design, implement, operate and improve a privacy information management system (Hernan Huwyler)
1. How can ISO 27701 help to design, implement, operate and improve a privacy information management system
Prof. Hernan Huwyler, MBA, CPA
January 28th 2020
3. Applications / Tools / Data protection / Compliance
• Tools to manage a privacy system for ISO 27701 and compliance
• Documentation and traceability
• Global policy enforcement
• Single point of control for transfers
• Real-time alerts and incident management
• Internal and external audit management for vulnerability remediation
4. Technical controls
• Enforcing encryption, anonymization, pseudonymization and tokenization
• Preventing data losses
• Managing user permissions
• Finding and protecting at-risk data on endpoints and in the cloud
• Preventing virus, malware and ransomware attacks
• Logging user activities
5. Legal controls
• Completing subject access requests
• Keeping a record of processing activities
• Scanning for personal data
• Managing consents and cookies
• Performing data protection impact assessments
• Managing third-party relationships
6. Planning control assessment
• Security risk assessment on personal data
• Starting from
– objectives in the privacy policy
– requirements in the privacy laws
– assets in the record of processing activities
• Models to quantify information security risks
– probability of successful attacks
– financial loss per attack related to the affected assets
• Prioritized action plans
• Investment budget
• Extension of cyber controls
7. Planning control assessment
• Appoint a privacy officer
– develop, execute and monitor controls for the privacy program
– monitor compliance with privacy laws (DPO role)
• Assess the effectiveness of the role
– independence (from the CISO)
– reporting to top management
– expertise in data protection and privacy laws
– training for employees and top management
– advice on privacy impact assessments
8. Control on policies
• Update the procedure for data breach management and the notification protocol
• Update policies that contribute to privacy by design and privacy by default with
– guidance on personal data protection and the implementation of the privacy principles in the software development lifecycle
– privacy and personal data protection requirements in the design phase, which can be based on the output of a privacy risk assessment and a privacy impact assessment
– data protection checkpoints within project milestones
– required privacy and personal data protection knowledge
– minimizing the processing of personal data by default
9. Control on training
• Plan training and awareness sessions based on privacy incidents and near-misses
• Cover all groups of employees and contractors managing personal information
• Communicate on privacy breaches
– the legal and reputational consequences for the organization
– the disciplinary consequences for the employee
– the impact on the data subjects
10. Control on data classification
• Classify personal information according to the overall categories
– GDPR special-category data identified in the RoPA is a restricted category
• Link categories to security controls and protocols
• Label data and volumes containing personal information
• Restrict removable media with personal information, in particular outside the premises
11. Control on encryption
• Focus on sensitive personal information
• Agree the cryptographic controls with processors
• Encrypt personal data in transit
– in physical transfers, such as to offsite backups and data processors
– in emails
– in particular, over untrusted networks such as the public internet
• Restrict decryption capabilities to authorized personnel
12. Control on user management
• Enhance procedures for the registration, de-registration and certification of users of systems with personal information
• Avoid reissuing expired and deactivated user accounts
• Agree on the validated users with the data controller and document the procedures when processing data on its behalf
• Define the frequency at which unused credentials are checked
• Update user profiles for personal information
13. Control on backups
• Update procedures for backups with personal information
• Link backups to the record retention policy and legal requirements
• Agree backup capabilities with data processors
• Log performed backups of personal information
• Implement integrity controls when restoring personal information
• Erase or de-identify backups when returning unneeded data to controllers
14. Control on logging
• Update the logging procedures for events related to the personal information life cycle
• Ensure the completeness of logs: access type, timestamp, additions, modifications and deletions
• Validate the users with access to the logs (which also contain personal data)
• Protect the logs
• Review the logs and alarms on accesses to personal information
• Ensure that controllers only access their own personal data managed by the processor (not the data of other clients)
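One way to operationalize the two review points on this slide (completeness of each log entry, and the rule that a controller's users only reach their own data held by the processor), as an added example that is not part of the presentation; the field names, accounts and sample events are assumed and constructed:

```python
# Added example, not from the presentation: checks a newline-delimited JSON audit
# log for completeness (the fields the slide lists) and flags a controller's user
# reaching another client's data. Field names, accounts and events are constructed.
import json

REQUIRED_FIELDS = ("timestamp", "user", "access_type", "controller", "record_id")
ACCESS_TYPES = {"read", "addition", "modification", "deletion"}
# Constructed: which controller each account may act for ("*" = the processor's own staff)
USER_CONTROLLER = {"alice@acme": "acme", "bob@globex": "globex", "ops@processor": "*"}

SAMPLE_LOG = """\
{"timestamp": "2020-01-28T09:00:00Z", "user": "alice@acme", "access_type": "read", "controller": "acme", "record_id": "r1"}
{"timestamp": "2020-01-28T09:01:00Z", "user": "bob@globex", "access_type": "read", "controller": "acme", "record_id": "r2"}
{"timestamp": "2020-01-28T09:02:00Z", "user": "alice@acme", "access_type": "modification", "controller": "acme"}
{"timestamp": "2020-01-28T09:03:00Z", "user": "ops@processor", "access_type": "export", "controller": "globex", "record_id": "r3"}
{"timestamp": "2020-01-28T09:04:00Z", "user": "alice@acme", "access_type": "deletion", "controller": "acme", "record_id": "r4"}
"""


def check_event(event, user_controller=USER_CONTROLLER):
    """Return the findings for one event; an empty list means the entry passes."""
    findings = []
    missing = [f for f in REQUIRED_FIELDS if f not in event]
    if missing:  # incomplete entry: cannot reconstruct who did what, and when
        findings.append("missing " + ", ".join(missing))
    if event.get("access_type") not in ACCESS_TYPES:
        findings.append("unknown access_type %r" % event.get("access_type"))
    allowed = user_controller.get(event.get("user"))
    if allowed is None:
        findings.append("unknown user")
    elif allowed != "*" and allowed != event.get("controller"):
        # a controller's account touching data the processor holds for another client
        findings.append("cross-controller access %s -> %s" % (allowed, event.get("controller")))
    return findings


def review_log(text, user_controller=USER_CONTROLLER):
    """Map line number -> findings for every event that fails a check."""
    report = {}
    for n, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except ValueError:
            report[n] = ["unparseable line"]
            continue
        findings = check_event(event, user_controller)
        if findings:
            report[n] = findings
    return report
```

Run `review_log(SAMPLE_LOG)` to get the failing lines; in practice the user-to-controller mapping would come from the access list agreed with each controller (slide 12).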
15. Control on third parties
• Incorporate clauses with processors and co-controllers to define
– minimum technical and organizational measures
– roles and responsibilities
– controls to ensure compliance
– activities by fourth parties
• Audit rights or independent certifications
16. Other controls
• Implement explicit erasure of personal information
• Restrict the printing of documents with personal information
• Review the confidentiality agreements for all employees and subcontractors managing personal data
• Avoid using personal data in testing environments
• Incorporate the new costs of non-compliance with privacy laws into the information security risk assessments
17. Preparation for ISO certification
• Perform a gap analysis between the ISO 27701 requirements and current security audit plans, including those by controllers
• Consider Agile + Scrum for managing the preparation program
• Test compliance with the new controls
• Prepare SMEs for interviews and set time for them to get ready
• Agree on the accredited certification body with controllers, marketing and other stakeholders
20. Copyright notice
The copyright of this work belongs to The GDPR Institute® and none of this presentation, either in part or in whole, in any manner or form, may be copied, reproduced, transmitted, modified or distributed or used by other means without permission from The GDPR Institute®. Carrying out any unauthorized act in relation to this copyright notice may result in both a civil claim for damages and criminal prosecution.