
Saturday, 7 October 2017



How ISO 27001 can help to achieve GDPR compliance
Julia Dutton, 2nd August 2017

Organisations have until 25 May 2018 to comply with the EU General Data Protection Regulation (GDPR).
Those who have studied the Regulation will be aware that there are many references to certification schemes, seals and marks. The GDPR encourages the use of certification schemes like ISO 27001 to serve the purpose of demonstrating that the organisation is actively managing its data security in line with international best practice.

Managing people, processes and technology
ISO 27001 is the international best practice standard for information security, and is a certifiable standard that is broad-based and encompasses the three essential aspects of a comprehensive information security regime: people, processes and technology.  By implementing measures to protect information using this three-pronged approach, the company is able to defend itself from not only technology-based risks, but other, more common threats, such as poorly informed staff or ineffective procedures.
By implementing ISO 27001, your organisation will be deploying an ISMS (information security management system): a system that is supported by top leadership, incorporated into your organisation’s culture and strategy, and which is constantly monitored, updated and reviewed.  Using a process of continual improvement, your organisation will be able to ensure that the ISMS adapts to changes – both in the environment and inside the organisation – to continually identify and reduce risks.
What does the GDPR say?
The GDPR states clearly in Article 32 that “the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
1. the pseudonymisation and encryption of personal data;
2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
3. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”

Let’s look at these items separately:

Encryption of data is recommended by ISO 27001 as one of the measures that can and should be taken to reduce the identified risks.  ISO 27001:2013 outlines 114 controls that can be used to reduce information security risks.  Since the controls an organisation implements are based on the outcomes of an ISO 27001-compliant risk assessment, the organisation will be able to identify which assets are at risk and require encryption to adequately protect them.

One of ISO 27001’s core tenets is the importance of ensuring the ongoing confidentiality, integrity and availability of information.  Not only is confidentiality important, but the integrity and availability of such data is critical as well. If the data is available but in a format that is not usable because of a system disruption, then the integrity of that data has been compromised; if the data is protected but inaccessible to those who need to use it as part of their jobs, then the availability of that data has been compromised.
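The two Article 32 items discussed above, pseudonymisation of personal data and protecting its integrity, are easy to get wrong in small ways (a bare hash of an email address is trivially reversible by guessing; a corrupted record looks no different from a sound one). The following Python example, added here and not taken from the article or from ISO 27001, shows a keyed pseudonymisation token and a separate integrity MAC using only the standard library. It demonstrates keyed tokenisation rather than reversible encryption (which would need a third-party library); the record layout, field names, key handling and sample data are constructed for the example. Under the GDPR, pseudonymised data remains personal data for as long as the key would allow re-identification, so the key must be kept apart from the dataset.

```python
"""Pseudonymisation with a separately held key, plus an integrity check.

Added illustration for GDPR Article 32(1)(a) ("pseudonymisation and
encryption of personal data") and 32(1)(b) (integrity). Not code from the
article or from ISO 27001; the record layout, key names and sample data
below are constructed for the example.
"""
import hashlib
import hmac
import json
import secrets

# Constructed sample: a customer record as it might sit in an analytics export.
SAMPLE_RECORD = {"customer_id": "C-10042", "email": "a.ivanova@example.org",
                 "postcode": "1000", "spend_eur": 129.90}

# Fields that directly identify a person and must not leave the system in clear.
DIRECT_IDENTIFIERS = ("customer_id", "email")


def pseudonymise(record: dict, key: bytes) -> dict:
    """Replace direct identifiers with keyed HMAC-SHA256 tokens.

    A keyed MAC rather than a bare hash: without `key` nobody can rebuild the
    token from a guessed email address, yet the token is stable for the same
    input, so joins across pseudonymised datasets still work.
    """
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        value = str(record[field]).encode("utf-8")
        token = hmac.new(key, value, hashlib.sha256).hexdigest()
        out[field] = token[:32]  # shortened token; 128 bits is ample here
    return out


def seal(record: dict, key: bytes) -> dict:
    """Attach an HMAC over the canonical JSON so later tampering is detectable."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return {"data": record, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify(sealed: dict, key: bytes) -> bool:
    """Return True only if the record's content still matches its MAC."""
    body = json.dumps(sealed["data"], sort_keys=True, separators=(",", ":")).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["mac"])


def demo() -> dict:
    """Run the full flow and return the observations a reviewer would check."""
    pseudo_key = secrets.token_bytes(32)     # held by the controller only
    integrity_key = secrets.token_bytes(32)  # separate key, separate purpose

    p1 = pseudonymise(SAMPLE_RECORD, pseudo_key)
    p2 = pseudonymise(SAMPLE_RECORD, pseudo_key)
    other = pseudonymise(SAMPLE_RECORD, secrets.token_bytes(32))

    sealed = seal(p1, integrity_key)
    ok_before = verify(sealed, integrity_key)
    # Simulate silent corruption of a field: the data is still "available"
    # but can no longer be trusted, which is exactly what the MAC must catch.
    tampered = {"data": dict(sealed["data"], spend_eur=0.0), "mac": sealed["mac"]}
    ok_after = verify(tampered, integrity_key)

    return {
        "identifiers_removed": all(p1[f] != SAMPLE_RECORD[f] for f in DIRECT_IDENTIFIERS),
        "deterministic": p1 == p2,
        "key_bound": p1["email"] != other["email"],
        "non_identifying_fields_kept": p1["postcode"] == SAMPLE_RECORD["postcode"],
        "integrity_ok_before": ok_before,
        "integrity_ok_after_tamper": ok_after,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two design points matter more than the code itself: the pseudonymisation key and the integrity key serve different purposes and are kept separate, and `hmac.compare_digest` is used for the comparison so that verification time does not leak information about the expected MAC.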

Risk assessment
ISO 27001 mandates that organisations conduct a thorough risk assessment by identifying threats and vulnerabilities that can affect an organisation’s information assets, and to take steps to assure the confidentiality, availability and integrity (CIA) of that data. The GDPR specifically requires a risk assessment to ensure an organisation has identified risks that can impact personal data.
Business continuity
ISO 27001 addresses the importance of business continuity management by providing a set of controls that help the organisation protect the availability of information in the event of an incident and shield critical business processes from the effects of major disasters, so that they resume in a timely manner.
Testing and assessments
Lastly, organisations that opt for certification to ISO 27001 will have their ISMSs independently assessed and audited by an accredited certification body to ensure that the management system meets the requirements of the Standard. Companies need to regularly review their ISMS and conduct the necessary assessments as prescribed by the Standard in order to ensure it continues protecting the company’s information. Achieving accredited certification to ISO 27001 delivers an independent, expert assessment of whether you have implemented adequate measures to protect your data.

The requirements to achieve compliance with ISO 27001 of course do not stop there. Being a broad standard, it covers many other elements, including the importance of staff awareness training and leadership support. ISO 27001 has already been adopted by thousands of organisations globally, and, given the current rate and severity of data breaches, it is also one of the fastest-growing management system standards today.

Thursday, 21 September 2017


PERSONAL TRAINING COURSES
ON BUILDING MANAGEMENT SYSTEMS
IN ACCORDANCE WITH THE REQUIREMENTS OF:

1. Regulation (EU) 2016/679 - Protection of personal data;
2. ISO 27001 / ISO 27002 / ISO 27032 – Information / cyber security;
3. ISO 20000-1 – IT services;
4. ISO 14001 – Environment

All personal courses described in the following table are delivered remotely, according to an individual programme agreed in advance with the trainee, which takes into account the trainee's specific needs, including current knowledge and experience in the relevant field. The courses are "introductory" and "core". All "introductory" courses are free of charge. The "core" courses are paid; the price is negotiated separately with each trainee and depends on the scope and level of detail of the individual training programme.

№ | COURSE TITLE | MAIN STANDARDS FOR COMPLIANCE
1 | Building a Personal Data Protection Management System (NEW COURSE!) | REGULATION (EU) 2016/679
2 | Building an Information / Cyber Security Management System | ISO 27001; ISO 27002; ISO 27032
3 | Building a Service Management System | ISO 20000-1; ISO 20000-2
4 | Building an Environmental Management System | ISO 14001

For questions and further information:

Plamen Kamenov

+359 886 655 315

Wednesday, 20 September 2017


REGULATION (EU) 2016/679 and ISO 27001

TRAINING AND CONSULTING ON BUILDING A

Personal Data Protection Management System,
in accordance with the requirements of REGULATION (EU) 2016/679

The scope of the training and consulting offered is specific to each organisation and is determined mainly by the following two factors:
1. Whether the organisation is registered as a Personal Data Controller under the Personal Data Protection Act (ЗЗЛД);
2. Whether the organisation has an established, functioning and certified Information Security Management System (ISO 27001).
In all cases the training and consulting include:
1. A review of the requirements of REGULATION (EU) 2016/679;
2. A review of the main activities the organisation must carry out when building a Personal Data Protection Management System;
3. An approach to selecting the control / protection mechanisms required to meet the requirements of REGULATION (EU) 2016/679;
4. An approach to building a Personal Data Protection Management System
- as a subsystem of an Information Security Management System (ISO 27001);
- as a stand-alone security system.
5. A review of the main requirements for the Data Protection Officer.
6. Development of the documents relating to personal data protection that the Regulation requires.

For questions and further information:
Plamen Kamenov
0886 655 315

Note:
The following table summarises the requirements of Regulation (EU) 2016/679 on the protection of personal data and possible control mechanisms (defined in ISO 27001) for fulfilling them.




№ | Requirement under Regulation (EU) 2016/679 (clause no.) | Fulfilment of the requirement by implementing a control under ISO 27001 / 27002

SCOPE

1 | Article 3 (territorial scope) and 27 (representatives) | A.18.1.4 (l) (compliance with Privacy and protection of personally identifiable information)
2 | Article 4, section 1, subsection 1 (personal data) | A.8.2.1 (classification of information)

PROCESSING OF PERSONAL DATA

1 | Article 6 (common personal data) and 9 (sensitive data) | A.8.2.1 (classification of information)
2 | Article 4, section 1, subsection 2 (processing) | A.8.1.3 (acceptable use of assets)
3 | Article 4, section 1, subsection 7 (controller) | A.18.1.4 (l) (compliance with Privacy and protection of personally identifiable information)
4 | Article 4, section 1, subsection 8 (processor) | A.18.1.4 (l) (compliance with Privacy and protection of personally identifiable information)
5 | Article 6 (common personal data - lawfulness of processing), 9 (sensitive data), 85 (processing and freedom of expression and information (journalistic, academic, artistic and literary purpose)), 86 (public access to official documents), 87 (national identification number), 88 (employment), 89 (public interest, scientific, historical and statistical purposes) and 90 (secrecy) | A.18.1.4 (l) (compliance with Privacy and protection of personally identifiable information)
6 | Article 4, section 1, subsection 16 (main establishment), 60 (cooperation between supervisory authorities, one-stop-shop and the consistency mechanism) and 55 (competence of the supervisory authority) | A.6.1.3 (contact with authorities)

PRINCIPLES

1 | Article 5 (principles) | A.8.2.3 (handling of assets)
2 | Article 5, section 1, subsection a (lawful, fair and transparent) and Article 6, section 1, subsection a (consent) and Article 7 (consent), 8 (consent for children) and Article 9, section 2, subsection a (consent) | A.18.1.4 (l) (compliance with Privacy and protection of personally identifiable information); A.12.1.1 (documented operating procedures)
3 | Article 5, section 1, subsection a (lawful, fair and transparent) and Article 6, section 1, subsection f (legitimate interests) | A.18.1.4 (l) (compliance with Privacy and protection of personally identifiable information); A.12.1.1 (documented operating procedures)
4 | Article 5, section 1, subsection a (lawful, fair and transparent) and Article 6, section 1, subsection b (contract) or subsection c (legal obligation) | A.18.1.4 (l) (compliance with Privacy and protection of personally identifiable information)
5 | Article 5, section 1, subsection a (lawful, fair and transparent) and Article 6 (lawfulness of processing), 9 (sensitive information), 85 (processing and freedom of expression and information (journalistic, academic, artistic and literary purpose)), 86 (public access to official documents), 87 (national identification number), 88 (employment law), 89 (public interest, scientific, historical and statistical purpose) and 90 (secrecy) | A.18.1.4 (l) (compliance with Privacy and protection of personally identifiable information); A.12.1.1 (documented operating procedures)
6 | Article 5, section 1, subsection a (lawful, fair and transparent) | A.18.1.4 (l) (compliance with Privacy and protection of personally identifiable information)
7 | Article 5, section 1, subsection b (purpose limitation) | A.18.1.4 (l) (compliance with Privacy and protection of personally identifiable information)
8 | Article 5, section 1, subsection c (data minimisation) | A.18.1.4 (l) (compliance with Privacy and protection of personally identifiable information); A.12.1.1 (documented operating procedures)
9 | Article 5, section 1, subsection d (accuracy) (see also Articles 16-21) | A.12.1.1 (documented operating procedures)
10 | Article 5, section 1, subsection d (accuracy) (see also Articles 16-21) | A.12.1.1 (documented operating procedures)
11 | Article 5, section 1, subsection e (storage limitation) | A.12.1.1 (documented operating procedures)
12 | Article 5, section 1, subsection f (integrity and confidentiality) (see also Article 32) | A.5.1.1 (policies for information security); A.6.1.5 (information security in project management); A.14.1.1 (security requirements analysis and specification); A.14.2.5 (secure system engineering principles)

RIGHTS OF DATA SUBJECTS

1 | Article 12, section 2 (transparency) | A.12.1.1 (documented operating procedures)
2 | Article 12, section 3 (transparency) | A.12.1.1 (documented operating procedures)
3 | Article 13, sections 1 and 2 (information to be provided when personal data is collected from the data subject), Article 14, sections 1 and 2 (information to be provided when personal data is not obtained from the data subject), Article 15, section 1 (right of access by the data subject) | A.12.1.1 (documented operating procedures); A.6.1.1 (information security roles and responsibilities); A.18.1.4 (l) (compliance with privacy and protection of personally identifiable information); A.8.2.1 (classification of information); A.13.2.1 (information transfer policies and procedures)
4 | Article 16 (rectification), Article 17 (right to erasure) and Article 18 (right to restriction of processing) | A.12.1.1 (documented operating procedures)
5 | Article 19 (notification obligation) | A.12.1.1 (documented operating procedures)
6 | Article 20 (data portability) | A.12.1.1 (documented operating procedures)
7 | Article 21 (right to object) | A.12.1.1 (documented operating procedures); A.18.1.4 (l) (compliance with the privacy and protection of personal data)
8 | Article 22 (profiling) | A.12.1.1 (documented operating procedures); A.18.1.4 (l) (compliance with Privacy and protection of personally identifiable information)

OBLIGATIONS OF THE ORGANISATION

1 | Article 24, section 1 (responsibility of the controller) | A.5.1.1 (policies for information security); A.5.1.2 (review of the policies for information security); A.18.2.2 (compliance with security policies and standards)
2 | Article 24, section 2 (responsibility of the controller) | A.5.1.1 (policies for information security); A.5.1.2 (review of the policies for information security)
3 | Article 25, section 1 (data protection by design and by default) and section 2 (data protection by design and by default) | A.5.1.1 (policies for information security); A.6.1.5 (information security in project management); A.14.1.1 (security requirements of information systems); A.14.2.5 (secure system engineering principles)
4 | Preamble 78 (data protection by design in tendering procedure) | A.15.1.1 (information security policy for supplier relationships); A.15.1.2 (addressing security within supplier agreements); A.13.2.2 (agreements on information transfer)
5 | Article 28, section 1 (processor) | A.15.1.1 (information security policy for supplier relationships); A.15.1.2 (addressing security within supplier agreements); A.13.2.1 (information transfer policies and procedures); A.13.2.2 (agreements on information transfer)
6 | Article 28, section 2 (processor) | A.15.1.1 (information security policy for supplier relationships); A.15.1.2 (addressing security within supplier agreements); A.13.2.1 (information transfer policies and procedures); A.13.2.2 (agreements on information transfer)
7 | Article 28, section 3 (processor) | A.9.2.2 (user access provisioning); A.9.4.1 (information access restriction); A.12.1.1 (documented operating procedures); A.13.2.2 (agreements on information transfer); A.15.1.1 (information security policy for supplier relationships); A.15.1.2 (addressing security within supplier agreements); A.16.1.3 (reporting information security weaknesses)
8 | Article 30, section 1 (records of processing activities) | A.12.1.1 (documented operating procedures)
9 | Article 30, section 2 (records of processing activities) | A.12.1.1 (documented operating procedures)
10 | Article 32, sections 1 and 2 (security of processing) | A.5.1.1 (policies for information security); A.6.1.5 (information security in project management); A.14.1.1 (security requirements of information systems); A.14.2.5 (secure system engineering principles)
11 | Article 32, section 1, subsection a (security of processing) | A.10.1.1 (policy on the use of cryptographic controls); A.9.4.1 (information access restriction)
12 | Article 32, section 1, subsection b (security of processing) | A.5.1.1 (policies for information security); A.14.1.1 (security requirements of information systems); A.14.2.5 (secure system engineering principles)
13 | Article 32, section 1, subsection c (security of processing) | A.12.3.1 (information backup); A.17.1.1 (planning information security continuity); A.17.1.2 (implementing information security continuity)
14 | Article 32, section 1, subsection d (security of processing) | A.14.2.8 (system security testing); A.14.2.9 (system acceptance testing); A.12.7.1 (information systems audit controls); A.15.2.1 (monitoring and review of supplier services); A.18.2 (information security reviews)
15 | Article 32, section 4 (security of processing) | A.5.1.1 (policies for information security); A.14.1.1 (security requirements of information systems); A.14.2.5 (secure system engineering principles)
16 | Article 33, sections 1 and 3 (notification of security incidents to the supervisory authority) | A.16.1.1 (responsibilities and procedures); A.16.1.5 (response to information security incidents); A.6.1.3 (contact with authorities)
17 | Article 33, section 5 (notification of security incidents to the supervisory authority) | A.16.1.7 (collection of evidence); A.12.4 (logging and monitoring)
18 | Article 33, section 2 (notification of security incidents to the supervisory authority) | A.16.1.3 (reporting information security weaknesses)
19 | Article 34 (communication of a personal data breach to the data subjects) | A.16.1.5 (response to information security incidents)
20 | Article 35, section 1 (data protection impact assessment) | A.6.1.5 (information security in project management); A.14.1.1 (security requirements of information systems); A.14.2.5 (secure system engineering principles)
21 | Article 36, section 1 (prior consultation) | A.6.1.3 (contact with authorities)
22 | Article 37 (designation of the data protection officer) | A.6.1.1 (information security roles and responsibilities)

SPECIAL CASES

1 | Article 44 (general principle for transfers) | A.18.1.4 (l) (compliance with Privacy and protection of personally identifiable information)
2 | Article 44 (general principle for transfers) | A.18.1.4 (l) (compliance with Privacy and protection of personally identifiable information)
3 | Article 46 (transfers) | A.15.1.2 (addressing security within supplier agreements)
4 | Article 46 and Article 47 (transfers) | A.15.2.1 (monitoring and review of supplier services)
5 | Many articles in the Regulation allow for national interpretation / implementation | A.18.1.4 (l) (compliance with Privacy and protection of personally identifiable information)
6 | Many articles in the Regulation make national interpretation / implementation possible | A.18.1.4 (l) (compliance with Privacy and protection of personally identifiable information)