In this session, we have looked into the ISO/IEC 27701 standard, published in August 2019. This standard glues together ISO/IEC 27001, ISO/IEC 27002, ISO/IEC 29100 and their sub-standards with the GDPR.
For certification and compliance, it is important to understand these standards and regulations, as the GDPR and other legislation have intensified the discussion about certification. ISO/IEC 27701 contains important requirements and implementation guidance for implementing a PIMS (Privacy Information Management System), which will set the baseline for the future of privacy and data protection.
The webinar covers:
• Walkthrough of the ISO/IEC 27701
• Links with ISO/IEC 2700x series standards, ISO 29100 series...
• ISO/IEC 2700x and GDPR mapping
• Audit & certification
Presenter:
Our presenter for this webinar, Peter Geelen, is director and managing consultant at CyberMinute and owner of Quest For Security, Belgium. Over more than 20 years, Peter has built strong experience in enterprise security & architecture and Identity & Access Management, but also in privacy, information & data protection, and cyber- and cloud security. In recent years his focus has been on ISO/IEC 27001 and other ISO certification mechanisms.
Peter is an accredited Lead Auditor for ISO/IEC 27001 and ISO 9001, a PECB Trainer and a Fellow in Privacy. Committed to continuous learning, Peter holds renowned security certificates including Certified Sr. Lead Cybersecurity Manager, ISO/IEC 27001 Master, ISO/IEC 27002 Lead Manager, ISO/IEC 27701 Lead Implementer, CDPO, Risk Management, Lead Incident Manager, Disaster Recovery, and many more.
Date: December 04, 2019
The recorded webinar: https://www.youtube.com/watch?v=ilw4UmMSlU4&feature=emb_logo
-------------------------------------------------------------------------------
Find out more about ISO training and certification services
Training: https://pecb.com/whitepaper/iso-27001...
Webinars: https://pecb.com/webinars
Article: https://pecb.com/article
Whitepaper: https://pecb.com/whitepaper
-------------------------------------------------------------------------------
For more information about PECB:
Website: https://pecb.com/
LinkedIn: https://www.linkedin.com/company/pecb/
Google +: https://plus.google.com/+PECBGroup
Facebook: https://www.facebook.com/PECBInternat...
Slideshare: http://www.slideshare.net/PECBCERTIFI...
6. Keep in mind…
• Best practices ≠ regulations
• ISO Requirements vs guidelines
• Privacy ≠ Data Protection
• Data protection ≠ Information Security
• PII vs Personal Data
• International vs. Regional
7. What I mean is…
• Best practices ≠ regulations
  ISO = best practice, YOU choose to implement… or not.
  GDPR, NIS, Cyber Act, eCommunication … = law (no choice to implement)
• ISO Requirements vs guidelines
  Requirement = part of audit
  Guidelines = suggestions, advice to implement
8. What I mean is…
• Privacy ≠ Data Protection
  GDPR = data protection (NOT PRIVACY)
  Privacy = ISO29100/ISO29151
  Data of the subject (aka PII Principal)
• Data protection ≠ Information Security
  ISO27001 = Information Security
  Enterprise data
• PII vs Personal Data
  ISO vs. GDPR vs. NIST
9. What I mean is…
• International vs. Regional
  ISO = International
  Regional: GDPR (EU, but …), NIST (US, but …), …
15. Main structure
1-3. the ISO defaults
4. General
5. PIMS requirements - ISO27001
6. PIMS requirements - ISO27002
7. +ISO27002 guidance for PII Controllers
8. +ISO27002 guidance for PII Processors
Annex A-F
16. Main structure (annexes)
A. Reference control objectives for controllers
B. Reference control objectives for processors
C. Mapping to ISO29100
D. Mapping to GDPR
E. Mapping to ISO27018 and ISO29151
F. How to apply ISO27701 to ISO27001/2
18. ISO27001 main principle: PDCA (Plan, Do, Check, Act)
[Figure: PDCA cycle repeated over time; each turn raises the standard through quality improvement, with quality assurance holding the level reached]
19. PDCA in ISO27001 (Source: PECB ISO27001 Lead Implementer)
Clause 4: Context of the organization
Clause 5: Leadership
Clause 6: Planning
Clause 7: Support
Clause 8: Operation
Clause 9: Performance evaluation
Clause 10: Improvement
Annex A: Control objectives and controls
20. 5.1 General: key message in ISO27701
'/../ The requirements of ISO/IEC 27001:2013 mentioning "information security" shall be extended to the protection of privacy as potentially affected by the processing of PII.
NOTE In practice, where "information security" is used in ISO/IEC 27001:2013, "information security and privacy" applies instead (see Annex F). /../'
26. 5.2 Context: most prominent extensions…
Important extension of:
• Needs and expectations of interested parties
• Applicable legislation
• Management system scope (InfoSec + PII)
27. 5.4 Risk assessment: most prominent extensions…
Important extension of:
• Risk assessment (aka PIA)
• Risk treatment
28. 6. PIMS in ISO27002: most prominent extensions…
Important extension of:
• Policies (now including PII)
• ISMS Roles (ref. CISO + now DPO)
• Training and awareness (everyone involved in PII treatment)
• (!) MEDIA HANDLING
  Ref. data breaches (GDPR)
  Encryption, secure disposal, …
• Identity Management (part of access control)
  Do not re-issue user IDs
  User tracking
29. 6. PIMS in ISO27002: most prominent extensions…
Important extension of:
• Information backup
• Event logging
• Log protection
• System development & acquisition (see modules 7 & 8)
• Test data
  DO NOT USE PII for test data (use dummy or synthetic data)
• INCIDENT MANAGEMENT (ref. GDPR data breaches)
• Compliance (legislation!, IP, data protection, …)
30. 7. Guidance for controllers: most prominent extensions…
Ref. GDPR subject rights & controller responsibility
• Purpose definition
• Lawful basis
• Consent management
• PIA
• PII process contracting
• Subject rights ("PII principal")
  Information
  Object to processing
  Copy of PII data
  Request handling
31. 7. Guidance for controllers: most prominent extensions…
Ref. GDPR subject rights & controller responsibility
• Privacy by design (GDPR = "data protection by design")
• Privacy by default (GDPR = "data protection by default")
• Data minimization principles
• Accuracy & quality
• De-identification & disposal
• PII sharing, transfer & disclosure
  Incl. ref. to international legislation
32. 8. Guidance for processors: most prominent extensions…
Ref. controller vs processor responsibility
• Agreement (to delegate obligations)
• Marketing & advertisement
• Conflict of interest (or legal conflicts)
• PbD & PbDef
• Temporary files
• PII transfer & disposal
• (!) transfer between jurisdictions
• Disclosure requests
33. Annex A: control objectives for controllers: most prominent extensions…
Not all of the control objectives and controls listed in this annex need to be included in the PIMS implementation.
When excluded: explanation in the SoA (Statement of Applicability).
34. Annex B: control objectives for processors: most prominent extensions…
Not all of the control objectives and controls listed in this annex need to be included in the PIMS implementation.
When excluded: explanation in the SoA (Statement of Applicability).
35. Annex A: control objectives for controllers (31): most prominent extensions…
A.7.2 Conditions for collection and processing (8)
A.7.3 Obligations to PII Principals (10)
A.7.4 Privacy by design and privacy by default (9)
A.7.5 PII sharing, transfer and disclosure (4)
36. Annex B: control objectives for processors (18): most prominent extensions…
B.8.2 Conditions for collection and processing (6)
B.8.3 Obligations to PII Principals (1)
B.8.4 Privacy by design and privacy by default (3)
B.8.5 PII sharing, transfer and disclosure (8)
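As an added example (not part of the webinar or of PECB's material), a small Python check of a Statement of Applicability against the Annex A and Annex B control groups above: every control of the annex must appear in the SoA, and every excluded control must carry a justification. Control ids are formed as group.n the way the standard numbers them (A.7.2.1 to A.7.2.8, and the B.8.x prefix for Annex B); the SoA rows are constructed, and SoaRow and check_soa are my own names.

```python
"""Statement of Applicability (SoA) completeness check for ISO/IEC 27701 Annex A/B.

Constructed example. Control counts per group come from the webinar slides
(Annex A: 31 controller controls, Annex B: 18 processor controls); the SoA rows
below are made up for illustration.
"""
from dataclasses import dataclass

# Control groups and the number of controls in each. Ids are <group>.<n>,
# e.g. A.7.2.1 .. A.7.2.8, matching the standard's own numbering (assumption).
ANNEX_GROUPS = {
    "A.7.2": 8, "A.7.3": 10, "A.7.4": 9, "A.7.5": 4,   # Annex A: PII controllers
    "B.8.2": 6, "B.8.3": 1, "B.8.4": 3, "B.8.5": 8,    # Annex B: PII processors
}


def all_controls(annex):
    """All control ids of one annex ('A' or 'B'), in the standard's order."""
    return [f"{group}.{i}" for group, n in ANNEX_GROUPS.items()
            if group.startswith(annex) for i in range(1, n + 1)]


@dataclass
class SoaRow:
    control: str
    applicable: bool
    justification: str = ""   # must be filled in when applicable is False


def check_soa(rows, annex):
    """Findings an auditor would raise: annex controls absent from the SoA,
    exclusions without a documented reason, and ids that are not in the annex."""
    expected = set(all_controls(annex))
    seen = {r.control for r in rows}
    return {
        "missing": sorted(expected - seen),
        "unjustified_exclusions": sorted(
            r.control for r in rows if not r.applicable and not r.justification.strip()),
        "unknown": sorted(seen - expected),
    }


# Constructed SoA for an organisation acting as a PII processor (Annex B):
# B.8.5.8 is excluded with a reason, B.8.3.1 was simply forgotten.
SAMPLE_SOA = [SoaRow(c, True) for c in all_controls("B") if c not in ("B.8.3.1", "B.8.5.8")]
SAMPLE_SOA.append(SoaRow("B.8.5.8", False, "No sub-processors engaged for PII processing"))

if __name__ == "__main__":
    for finding, controls in check_soa(SAMPLE_SOA, "B").items():
        print(f"{finding}: {controls}")
```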
37. Annex C: mapping to ISO29100: most prominent extensions…
Controllers: 11 modules (44 controls)
Processors: 9 modules (20 controls)
38. Most prominent extensions…
Annex D: mapping to GDPR
• Table on 3 pages ;)
Annex E-F
• ISO 27018/29151
• How to apply (Info sec > "info sec + privacy")
  Standard as is
  Addition (additional requirements)
  Refinement
40. Relevant Training
PIMS
• PECB ISO 27701 LI (4+1) (LA to be announced)
Information Security
• PECB ISO27001 LI (4+1) (+LA, 4+1)
• PECB ISO27002 LM (4+1)
Data protection
• PECB Certified Data protection Officer (4+1)
Privacy
• PECB ISO29100 LI (4+1)
42. Relevant Training
Check the PECB agenda and select the ISO/IEC 27701 Lead Implementer:
https://pecb.com/en/partnerEvent/event_schedule_list
(Training Events page: for full detailed information about an event, click the 'View' button on the right-hand side under 'View full details'. Note: before applying for any training courses listed, make sure you are registered with PECB.)
44. Relevant Training
PECB ISO 27701: https://pecb.com/en/education-and-certification-for-individuals/iso-27701
Lead Implementer: https://pecb.com/en/education-and-certification-for-individuals/iso-27701/iso-iec-27701-lead-implementer
45. Relevant Training
PECB ISO 27001: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27001
Lead Implementer: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27001/iso-iec-27001-lead-implementer
Lead Auditor: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27001/iso-iec-27001-lead-auditor
46. Relevant Training
PECB ISO 27002: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27002
Lead Manager: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27002/iso-iec-27002-lead-manager
49. Relevant Training
PECB ISO27035 - Incident Management: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27035
Lead Incident Manager: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27035/iso-iec-27035-lead-incident-manager
50. Relevant Training
PECB ISO27005 - Risk Management: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27005
Lead Risk Manager: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27005/iso-27005-lead-risk-manager
51. ISO/IEC 27701 Training Courses
• ISO/IEC 27701 Foundation: 2-day course
• ISO/IEC 27701 Lead Implementer: 5-day course
Exam and certification fees are included in the training price.
https://pecb.com/en/education-and-certification-for-individuals/iso-27701
www.pecb.com/events
Vocabulary is important
To understand ISO27701 you need some background. Some examples:
PCI-DSS (Payment Card Industry - Data Security Standard)
GDPR = law
In ISO the requirements can be 'scoped': you can choose to which extent you apply the principles in your organization, from a specific service, department or part of the company to the whole company, or even beyond (incl. customers).
Privacy: your identity, what you do at home…, who you are
Data protection: protecting data ABOUT you, what is known about you
ISO = best practice
GDPR = law
NIST = advisory
Keep in mind
Application of the GDPR can be modified by national legislation, to a certain level.
E.g. the age at which a child can decide without an adult = 16 years; some national laws have lowered that limit to 13.
As explained in the DPO course, these principles from the GDPR apply in other international privacy regulations & legislation too…
Lead Auditor for ISO27001 and ISO27701 (to be launched; the ISO/IEC 27701 Lead Auditor course will be published soon)
The PECB Store is PECB's new business line, officially launched on October 3, 2019.
We invite you to take a look at this new e-commerce platform and its products by clicking this link: https://store.pecb.com
Some of the products available on the PECB Store are ISO and/or IEC standards, sold at a very convenient price. You can also purchase ISO/IEC 27701:2019 for only 171 USD.
If you have any further questions regarding the PECB Store, please contact us at store@pecb.com.