Risk assessments and applying
organisational controls for GDPR
compliance
Presented by:
• Alan Calder, founder and executive chairman, IT Governance
2 November 2017
Copyright IT Governance Ltd 2017 – v1.1
TM
www.itgovernance.co.uk
Introduction
• Alan Calder
• Founder of IT Governance
• The single source for IT governance, cyber risk management and IT compliance
• IT Governance: An International Guide to Data Security and ISO 27001/ISO 27002, 6th edition (Open University textbook)
• www.itgovernance.co.uk
IT Governance Ltd: GRC one-stop shop
All verticals, sectors and all organisational sizes
Agenda
• An overview of the General Data Protection Regulation (GDPR) and risk assessments.
• The process for risk management and industry best practice for risk treatment.
• The components of an internal control system and privacy compliance framework.
• ISO 31000 principles and the risk management process.
The GDPR’s impact
• UK organisations that process personal data only have a short time to make sure that
they are compliant.
• The Regulation extends the data rights of individuals, and requires organisations to
develop clear policies and procedures to protect personal data, and adopt appropriate
technical and organisational measures.
“This Regulation shall be binding in its entirety and directly
applicable in all Member States.”
Final text of the Regulation: http://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32016R0679
Timeline:
• 8 April 2016: the Council of the European Union adopted the GDPR.
• 12 April 2016: the GDPR was adopted by the European Parliament.
• 4 May 2016: the official text of the Regulation was published in the Official Journal of the EU.
• 24 May 2016: the Regulation entered into force.
• 25 May 2018: the GDPR will apply.
Material and territorial scope
Natural person = a living individual
• Natural persons have rights
associated with:
– The protection of personal
data;
– The processing of personal
data; and
– The unrestricted movement of
personal data within the EU.
In material scope:
– Personal data that is
processed wholly or partly by
automated means.
– Personal data that is part of a
filing system, or intended to
be.
The Regulation applies to controllers and processors established in the EU, irrespective of whether the processing itself takes place in the EU.
It also applies to controllers and processors outside the EU that offer goods or services to, or monitor the behaviour of, data subjects in the EU.
Penalties
Administrative fines (Article 83)
• Administrative fines will, in each case, be effective, proportionate and dissuasive, and take account of the technical and organisational measures that have been implemented.
• Lower tier: up to €10,000,000 or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
• Upper tier: up to €20,000,000 or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
The GDPR and risk management frameworks
• Article 32: “The controller and the processor shall implement appropriate
technical and organisational measures to ensure a level of security
appropriate to the risk.”
• “In assessing the appropriate level of security account shall be taken in
particular of the risks that are presented by processing, in particular from
accidental or unlawful destruction, loss, alteration, unauthorised disclosure of,
or access to personal data transmitted, stored or otherwise processed.”
• “Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation.” (Article 24(1))
The data protection officer (DPO) plays a key bridging role between corporate risk management, broader cyber security risk management and managing risks to personal data.
NB: see also the Network and Information Systems (NIS) Directive and the UK Government's cyber security strategy.
Risk assessments under the GDPR
Article 35 requires a DPIA where processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons.
• A data protection impact assessment (DPIA) is particularly required in the case of:
– A systematic and extensive evaluation based on automated processing, including profiling, on which decisions are based that produce legal effects concerning natural persons;
– Large-scale processing of special categories of data or of personal data relating to criminal convictions; and
– Systematic monitoring of a publicly accessible area on a large scale.
DPIAs
A DPIA will set out as a minimum:
• A systematic description of the processing and its purposes.
• The legitimate interests (where applicable) pursued by the controller.
• An assessment of the necessity and proportionality of the processing.
• An assessment of the risks to the rights and freedoms of the data subjects.
• The measures envisaged to address the risks, including:
– Compliance with approved codes of conduct, which should be taken into account; and
– All safeguards and security measures to protect data and to demonstrate compliance.
• Where appropriate, the views of the data subjects, who should be consulted.
What is risk?
• The effect of uncertainty on objectives (ISO 31000, etc.).
• A combination of the likelihood of an incident occurring
and the impact, if it does occur, on the organisation.
• A probability or threat of damage, injury, liability, loss, or
any other negative occurrence that is caused by external
or internal vulnerabilities, and that may be avoided
through pre-emptive action (businessdictionary.com).
• Risk can be good or bad: under ISO 31000 the effect of uncertainty can be positive as well as negative.
Key definitions
Risk assessments: the overall process of risk
identification, risk analysis and risk evaluation.
Risk management: the coordinated activities to direct and
control an organisation with regard to risk.
Risk treatment: the process to modify risk.
Risk and what it means under the GDPR
Risks to individuals: the potential for
damage or distress.
Risks to organisations: financial and/or
reputational impact of a data breach.
Privacy risk should already be on the
CORPORATE RISK REGISTER
Risk assessments
Risk assessments help:
• Identify the threats that could harm and affect an
organisation’s assets;
• Determine the value and sensitivity of data by identifying
the level of risk that data carries if threatened; and
• Implement cost-effective measures to mitigate and
reduce the risk.
Risk assessments
(Diagram: asset, vulnerability, threat, risk.)
Risk assessments determine the appropriate controls to reach
acceptable levels of risk.
Risk cannot exist without these three components:
1. An asset that has value and requires protection.
2. A threat that can hurt it.
3. A vulnerability – a weakness that allows the threat to reach
the asset.
Why do we assess risk?
A risk assessment informs a proper balance of safeguards against the risk of failing to meet business objectives.
It establishes a position in which:
• Removing any safeguard would increase the risk of loss to an unacceptable level; and
• Adding any further safeguard would make the security system too expensive or bureaucratic.
... and it is therefore the means by which expenditure on security and contingency can be justified.
Examples of risk
Data that is:
• Inaccurate, insufficient or out-of-date.
• Kept for too long.
• Excessive or irrelevant.
• Disclosed to the wrong people.
• Insecurely transmitted/stored.
• Used in ways that are unacceptable or unexpected.
Risk assessment (based on ISO 31000)
Workshop, facilitated by a risk expert.
1. Identify risks:
• (Key) assets at risk.
• (Key) threat–vulnerability relationships.
• NB: a ‘vulnerability’ is a weakness of an asset or control that can be exploited by one or more threats.
2. Analyse risks:
• Consequence (impact).
• Probability (likelihood).
• Level of risk (e.g. impact × likelihood).
3. Evaluate risks:
• Compare risks with the risk criteria (e.g. risk appetite).
Risk criteria – per ISO 31000
• When defining risk criteria, consider:
– The nature and types of causes and consequences that can occur
and how they will be measured;
– How likelihood will be defined;
– The timeframe(s) of the likelihood and/or consequence(s);
– How the level of risk is to be determined;
– The views of stakeholders;
– The level at which risk becomes acceptable or tolerable; and
– Whether combinations of multiple risks should be taken into account
and, if so, how and which combinations should be considered.
• www.itgovernance.co.uk/shop/p-747-iso31000-iso-31000-risk-
management-guidelines.aspx
Risk scenarios – components
Adapted from ISACA, The Risk IT Framework, USA, 2009
A risk scenario is built from:
• Actor: internal (staff, contractor); external (competitor, outsider, business partner, regulator, market).
• Threat type: malicious; accidental/error; failure; natural; external requirement.
• Event: disclosure; interruption; modification; theft; destruction; ineffective design; ineffective execution; rules and regulations; inappropriate use.
• Asset/resource: people and organisation; process; infrastructure (facilities); IT infrastructure; information; applications.
• Time: duration; timing of occurrence (critical, non-critical); time to detect.
ISO 27005 – risk management
(Process flowchart on the slide.)
1. Context establishment.
2. Risk assessment: risk identification, risk analysis, risk evaluation.
Risk decision point 1 – assessment satisfactory? If not, return to context establishment and reassess; if so, proceed.
3. Risk treatment.
Risk decision point 2 – treatment satisfactory? If not, return to risk assessment; if so, proceed.
4. Risk acceptance.
Risk communication and consultation, and risk monitoring and review, run alongside every stage.
Risk and countermeasures
(Matrix on the slide: likelihood on one axis, negative impact on the other; each cell is rated Very low, Low, Medium, High or Very high, rising towards the high-likelihood, high-impact corner.)
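As an added worked example (not part of the slides, and not IT Governance's vsRisk tool), the following Python script walks the loop described on the ISO 31000, risk scenario, ISO 27005 and matrix slides above: identify scenarios in a register, analyse them as likelihood × impact, evaluate each against a risk criterion, treat the ones outside appetite and re-check the residual risk (risk decision point 2). Everything numeric is an assumption made for illustration: the 1..5 scale, the banding of the product onto the five matrix labels, the appetite of 8, the sample register and the effect sizes attributed to the controls.

```python
# Added worked example (not from the IT Governance slides): a small risk register that
# walks identify -> analyse (impact x likelihood) -> evaluate against a risk criterion
# -> treat -> re-check the residual risk, as on the ISO 31000 / ISO 27005 slides.
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple

# Assumed qualitative scale, 1..5, used for likelihood, negative impact and the risk level.
SCALE: Dict[int, str] = {1: "Very low", 2: "Low", 3: "Medium", 4: "High", 5: "Very high"}

# Assumed banding of the 1..25 product back onto the five labels of the slide's matrix:
# (lowest score in the band, band number). Checked top-down, so order matters.
BANDS: List[Tuple[int, int]] = [(20, 5), (12, 4), (6, 3), (3, 2), (1, 1)]


def risk_level(likelihood: int, impact: int) -> Tuple[int, str]:
    """Analyse: level of risk = likelihood x impact, returned as (score, matrix label)."""
    for value in (likelihood, impact):
        if value not in SCALE:
            raise ValueError(f"{value} is not on the 1..5 scale")
    score = likelihood * impact
    band = next(b for floor, b in BANDS if score >= floor)
    return score, SCALE[band]


@dataclass(frozen=True)
class RiskScenario:
    """Identify: one register row, structured after the ISACA Risk IT scenario components."""
    ref: str
    asset: str
    actor: str         # internal / external
    threat_type: str   # malicious / accidental / failure / natural / external requirement
    event: str         # disclosure / interruption / modification / theft / destruction ...
    likelihood: int
    impact: int


@dataclass(frozen=True)
class Control:
    """Treat: a countermeasure and the scale steps it is judged to remove (assumed effect sizes)."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


def evaluate(register: List[RiskScenario], appetite: int) -> List[Tuple[str, int, str, str]]:
    """Evaluate: compare each scenario with the risk criterion (maximum acceptable score)
    and return (ref, score, label, decision) ordered highest risk first."""
    rows = []
    for s in register:
        score, label = risk_level(s.likelihood, s.impact)
        rows.append((s.ref, score, label, "treat" if score > appetite else "accept"))
    return sorted(rows, key=lambda r: r[1], reverse=True)


def apply_control(s: RiskScenario, c: Control) -> RiskScenario:
    """Residual scenario after a control; values are clamped so they never leave the scale."""
    return replace(
        s,
        likelihood=max(1, s.likelihood - c.likelihood_reduction),
        impact=max(1, s.impact - c.impact_reduction),
    )


def treat(s: RiskScenario, candidates: List[Control], appetite: int) -> Tuple[List[str], int, bool]:
    """ISO 27005 risk decision point 2: apply controls in the order offered until the residual
    score is within appetite. Returns (controls applied, residual score, treatment satisfactory)."""
    applied: List[str] = []
    residual = s
    for c in candidates:
        if risk_level(residual.likelihood, residual.impact)[0] <= appetite:
            break
        residual = apply_control(residual, c)
        applied.append(c.name)
    score = risk_level(residual.likelihood, residual.impact)[0]
    return applied, score, score <= appetite


# Constructed sample register (illustrative values, not taken from the slides).
REGISTER = [
    RiskScenario("R1", "HR database (special-category data)", "external", "malicious",
                 "disclosure", likelihood=3, impact=5),
    RiskScenario("R2", "Customer export spreadsheet", "internal", "accidental",
                 "disclosure", likelihood=4, impact=3),
    RiskScenario("R3", "Marketing mailing list", "internal", "accidental",
                 "inappropriate use", likelihood=2, impact=2),
]
APPETITE = 8  # assumed risk criterion: any score above 8 must be treated

if __name__ == "__main__":
    for row in evaluate(REGISTER, APPETITE):
        print(row)
    controls = [Control("Pseudonymise exported records", impact_reduction=2),
                Control("Access control on export share", likelihood_reduction=1)]
    print(treat(REGISTER[1], controls, APPETITE))
```

The ordering of candidate controls is the treatment decision: the script applies them in the order given and stops as soon as the residual score falls within appetite, so a cheaper or broader control listed first is what gets recorded. Feeding the residual back through `risk_level` is the "treatment satisfactory?" check; a scenario that cannot be brought within appetite comes back with `False` and belongs on the corporate risk register for explicit acceptance or a different treatment.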
Risk treatment controls
• ISO 27001 information security management system
(ISMS) controls are typically selected by objective, taking
into account:
– National and international legislation and regulations and
baseline security criteria;
– Organisational objectives;
– Operational requirements and constraints;
– Cost of implementation and operation (versus risks being
reduced and proportional to the organisation);
– That they should be implemented to monitor, evaluate and
improve the efficiency and effectiveness of information security
controls to support the organisation’s aims; and
– Balancing investment against harm from security failures.
Example countermeasures
• Product/technology: site/building physical security; bomb detection; fire/power outage protection; identification and authentication; logical access control; software change control.
• Process: system admin controls; financial accounting; business continuity planning; reporting and reacting to incidents; media controls.
• People: security training and awareness; staff vetting; leaver management.
Examples of risk treatment
Reduce data collected
Retention policy
Secure destruction of information
Access control
Training and awareness
Pseudonymise information
Contracts or data-sharing agreements
Acceptable use policy
Subject access request process
External supplier risk assessments
Assess the costs and benefits
(Chart on the slide: cost against number of controls; the cost of the controls implemented rises as more are added while the cost of the remaining vulnerabilities falls, and the risk acceptance point sits where the two balance.)
Next steps
A practical approach to risk management for GDPR
compliance:
• Agree approach to risk management.
• Degree of assurance required.
• Conduct risk assessment:
– Ensure those involved understand the methodology (training?)
to ensure comparable and reproducible results.
• Manage (reduce) risk to the level of assurance required using controls, and compare the approach against standards such as ISO 31000 or ISO 27001.
Next steps
A practical approach to risk management for GDPR compliance:
• Step 1: Assess risk – identify risk; prioritise initiatives.
• Step 2: Classify data – take action; implement incident management response.
• Step 3: Demonstrate ongoing risk and incident monitoring.
Risk assessment tool: vsRisk™
• Key benefits include:
– Simplification: minimises the manual hassle and complexity
of carrying out an information security risk assessment, saving
time and resources.
– Replication: risk assessments can be repeated easily in a
standard format year after year.
– Generates reports: for exporting, editing and sharing across
the business and with auditors.
– Automation: the fast and simple way to carry out a risk
assessment.
IT Governance: GDPR one-stop shop
Self-help materials
• A pocket guide: www.itgovernance.co.uk/shop/Product/eu-gdpr-a-pocket-guide
• Implementation manual: www.itgovernance.co.uk/shop/Product/eu-general-data-protection-regulation-gdpr-an-implementation-and-compliance-guide
• Documentation toolkit: www.itgovernance.co.uk/shop/Product/eu-general-data-protection-regulation-gdpr-documentation-toolkit
• Compliance gap assessment tool: www.itgovernance.co.uk/shop/Product/eu-gdpr-compliance-gap-assessment-tool
IT Governance: GDPR one-stop shop
Training courses
• One-day accredited Foundation course (classroom, online, distance learning): www.itgovernance.co.uk/shop/Product/certified-eu-general-data-protection-regulation-foundation-gdpr-training-course
• Four-day accredited Practitioner course (classroom, online, distance learning): www.itgovernance.co.uk/shop/Product/certified-eu-general-data-protection-regulation-practitioner-gdpr-training-course
• One-day DPIA workshop (classroom): www.itgovernance.co.uk/shop/Product/data-protection-impact-assessment-dpia-workshop
IT Governance: GDPR one-stop shop
GDPR consultancy
• Gap analysis
Our experienced data protection consultants can assess the exact standing of your current legal situation, security practices and operating procedures in relation to the Data Protection Act (DPA) or the GDPR.
• Data flow audit
Data mapping involves plotting all of your data flows and drawing up an extensive inventory of the data to understand where the data flows from, within and to. This type of analysis is a key requirement of the GDPR.
• DPO as a service
Outsourcing the DPO role can help your organisation address the compliance demands of the GDPR while staying focused on its core business activities.
• Implementing a personal information management system (PIMS)
Establishing a PIMS as part of your overall business management system will make sure that data protection management is placed within a robust framework, which will be looked upon favourably by the regulator when it comes to DPA compliance.
• Implementing an ISMS compliant with ISO 27001
We offer flexible and cost-effective consultancy packages, and a comprehensive range of bespoke ISO 27001 consultancy services, that will help you implement an ISO 27001-compliant ISMS quickly and without hassle, no matter where your business is located.
• Cyber Health Check
The two-day Cyber Health Check combines on-site consultancy and audit with remote vulnerability assessments to assess your cyber risk exposure.
Questions?
Staff awareness: developing a security cultureIT Governance Ltd
 
GDPR compliance: getting everyone in the organisation on board
GDPR compliance: getting everyone in the organisation on boardGDPR compliance: getting everyone in the organisation on board
GDPR compliance: getting everyone in the organisation on boardIT Governance Ltd
 
Cyber Essentials plays a key role in the Cyber Resilience Strategy for Scotla...
Cyber Essentials plays a key role in the Cyber Resilience Strategy for Scotla...Cyber Essentials plays a key role in the Cyber Resilience Strategy for Scotla...
Cyber Essentials plays a key role in the Cyber Resilience Strategy for Scotla...IT Governance Ltd
 
Creating an effective cyber security awareness programme
Creating an effective cyber security awareness programmeCreating an effective cyber security awareness programme
Creating an effective cyber security awareness programmeIT Governance Ltd
 
The first steps towards GDPR compliance 
The first steps towards GDPR compliance The first steps towards GDPR compliance 
The first steps towards GDPR compliance IT Governance Ltd
 
The GDPR’s impact on your business and preparing for compliance
The GDPR’s impact on your business and preparing for complianceThe GDPR’s impact on your business and preparing for compliance
The GDPR’s impact on your business and preparing for complianceIT Governance Ltd
 
Addressing penetration testing and vulnerabilities, and adding verification m...
Addressing penetration testing and vulnerabilities, and adding verification m...Addressing penetration testing and vulnerabilities, and adding verification m...
Addressing penetration testing and vulnerabilities, and adding verification m...IT Governance Ltd
 
Revising policies and procedures under the new EU GDPR
Revising policies and procedures under the new EU GDPRRevising policies and procedures under the new EU GDPR
Revising policies and procedures under the new EU GDPRIT Governance Ltd
 
Privacy and the GDPR: How Cloud computing could be your failing
Privacy and the GDPR: How Cloud computing could be your failingPrivacy and the GDPR: How Cloud computing could be your failing
Privacy and the GDPR: How Cloud computing could be your failingIT Governance Ltd
 
EU GDPR and you: requirements for marketing
EU GDPR and you: requirements for marketingEU GDPR and you: requirements for marketing
EU GDPR and you: requirements for marketingIT Governance Ltd
 
Appointing a Data Protection Officer under the GDPR
Appointing a Data Protection Officer under the GDPRAppointing a Data Protection Officer under the GDPR
Appointing a Data Protection Officer under the GDPRIT Governance Ltd
 
GDPR: Requirements for Cloud Providers
GDPR: Requirements for Cloud ProvidersGDPR: Requirements for Cloud Providers
GDPR: Requirements for Cloud ProvidersIT Governance Ltd
 
EU GDPR: The role of the data protection officer
EU GDPR: The role of the data protection officer EU GDPR: The role of the data protection officer
EU GDPR: The role of the data protection officer IT Governance Ltd
 
Using international standards to improve US cybersecurity
Using international standards to improve US cybersecurityUsing international standards to improve US cybersecurity
Using international standards to improve US cybersecurityIT Governance Ltd
 
Using international standards to improve Asia-Pacific cyber security
Using international standards to improve Asia-Pacific cyber securityUsing international standards to improve Asia-Pacific cyber security
Using international standards to improve Asia-Pacific cyber securityIT Governance Ltd
 
Using international standards to improve EU cyber security
Using international standards to improve EU cyber securityUsing international standards to improve EU cyber security
Using international standards to improve EU cyber securityIT Governance Ltd
 
Implementing PCI DSS v 2.0 and v 3.0
Implementing PCI DSS v 2.0 and v 3.0Implementing PCI DSS v 2.0 and v 3.0
Implementing PCI DSS v 2.0 and v 3.0IT Governance Ltd
 

Mehr von IT Governance Ltd (20)

GDPR compliance and information security: Reducing data breach risks
GDPR compliance and information security: Reducing data breach risksGDPR compliance and information security: Reducing data breach risks
GDPR compliance and information security: Reducing data breach risks
 
Business Continuity Management: How to get started
Business Continuity Management: How to get startedBusiness Continuity Management: How to get started
Business Continuity Management: How to get started
 
Staff awareness: developing a security culture
Staff awareness: developing a security cultureStaff awareness: developing a security culture
Staff awareness: developing a security culture
 
GDPR compliance: getting everyone in the organisation on board
GDPR compliance: getting everyone in the organisation on boardGDPR compliance: getting everyone in the organisation on board
GDPR compliance: getting everyone in the organisation on board
 
Cyber Essentials plays a key role in the Cyber Resilience Strategy for Scotla...
Cyber Essentials plays a key role in the Cyber Resilience Strategy for Scotla...Cyber Essentials plays a key role in the Cyber Resilience Strategy for Scotla...
Cyber Essentials plays a key role in the Cyber Resilience Strategy for Scotla...
 
Creating an effective cyber security awareness programme
Creating an effective cyber security awareness programmeCreating an effective cyber security awareness programme
Creating an effective cyber security awareness programme
 
The first steps towards GDPR compliance 
The first steps towards GDPR compliance The first steps towards GDPR compliance 
The first steps towards GDPR compliance 
 
The GDPR’s impact on your business and preparing for compliance
The GDPR’s impact on your business and preparing for complianceThe GDPR’s impact on your business and preparing for compliance
The GDPR’s impact on your business and preparing for compliance
 
Addressing penetration testing and vulnerabilities, and adding verification m...
Addressing penetration testing and vulnerabilities, and adding verification m...Addressing penetration testing and vulnerabilities, and adding verification m...
Addressing penetration testing and vulnerabilities, and adding verification m...
 
Revising policies and procedures under the new EU GDPR
Revising policies and procedures under the new EU GDPRRevising policies and procedures under the new EU GDPR
Revising policies and procedures under the new EU GDPR
 
Privacy and the GDPR: How Cloud computing could be your failing
Privacy and the GDPR: How Cloud computing could be your failingPrivacy and the GDPR: How Cloud computing could be your failing
Privacy and the GDPR: How Cloud computing could be your failing
 
EU GDPR and you: requirements for marketing
EU GDPR and you: requirements for marketingEU GDPR and you: requirements for marketing
EU GDPR and you: requirements for marketing
 
Appointing a Data Protection Officer under the GDPR
Appointing a Data Protection Officer under the GDPRAppointing a Data Protection Officer under the GDPR
Appointing a Data Protection Officer under the GDPR
 
GDPR: Requirements for Cloud Providers
GDPR: Requirements for Cloud ProvidersGDPR: Requirements for Cloud Providers
GDPR: Requirements for Cloud Providers
 
Preparing for EU GDPR
Preparing for EU GDPRPreparing for EU GDPR
Preparing for EU GDPR
 
EU GDPR: The role of the data protection officer
EU GDPR: The role of the data protection officer EU GDPR: The role of the data protection officer
EU GDPR: The role of the data protection officer
 
Using international standards to improve US cybersecurity
Using international standards to improve US cybersecurityUsing international standards to improve US cybersecurity
Using international standards to improve US cybersecurity
 
Using international standards to improve Asia-Pacific cyber security
Using international standards to improve Asia-Pacific cyber securityUsing international standards to improve Asia-Pacific cyber security
Using international standards to improve Asia-Pacific cyber security
 
Using international standards to improve EU cyber security
Using international standards to improve EU cyber securityUsing international standards to improve EU cyber security
Using international standards to improve EU cyber security
 
Implementing PCI DSS v 2.0 and v 3.0
Implementing PCI DSS v 2.0 and v 3.0Implementing PCI DSS v 2.0 and v 3.0
Implementing PCI DSS v 2.0 and v 3.0
 

Kürzlich hochgeladen

BEST ✨ Call Girls In Indirapuram Ghaziabad ✔️ 9871031762 ✔️ Escorts Service...
BEST ✨ Call Girls In  Indirapuram Ghaziabad  ✔️ 9871031762 ✔️ Escorts Service...BEST ✨ Call Girls In  Indirapuram Ghaziabad  ✔️ 9871031762 ✔️ Escorts Service...
BEST ✨ Call Girls In Indirapuram Ghaziabad ✔️ 9871031762 ✔️ Escorts Service...noida100girls
 
Sales & Marketing Alignment: How to Synergize for Success
Sales & Marketing Alignment: How to Synergize for SuccessSales & Marketing Alignment: How to Synergize for Success
Sales & Marketing Alignment: How to Synergize for SuccessAggregage
 
Cash Payment 9602870969 Escort Service in Udaipur Call Girls
Cash Payment 9602870969 Escort Service in Udaipur Call GirlsCash Payment 9602870969 Escort Service in Udaipur Call Girls
Cash Payment 9602870969 Escort Service in Udaipur Call GirlsApsara Of India
 
Grateful 7 speech thanking everyone that has helped.pdf
Grateful 7 speech thanking everyone that has helped.pdfGrateful 7 speech thanking everyone that has helped.pdf
Grateful 7 speech thanking everyone that has helped.pdfPaul Menig
 
0183760ssssssssssssssssssssssssssss00101011 (27).pdf
0183760ssssssssssssssssssssssssssss00101011 (27).pdf0183760ssssssssssssssssssssssssssss00101011 (27).pdf
0183760ssssssssssssssssssssssssssss00101011 (27).pdfRenandantas16
 
Eni 2024 1Q Results - 24.04.24 business.
Eni 2024 1Q Results - 24.04.24 business.Eni 2024 1Q Results - 24.04.24 business.
Eni 2024 1Q Results - 24.04.24 business.Eni
 
GD Birla and his contribution in management
GD Birla and his contribution in managementGD Birla and his contribution in management
GD Birla and his contribution in managementchhavia330
 
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRLMONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRLSeo
 
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...Dipal Arora
 
Pharma Works Profile of Karan Communications
Pharma Works Profile of Karan CommunicationsPharma Works Profile of Karan Communications
Pharma Works Profile of Karan Communicationskarancommunications
 
Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023Neil Kimberley
 
Call Girls Pune Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Pune Just Call 9907093804 Top Class Call Girl Service AvailableCall Girls Pune Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Pune Just Call 9907093804 Top Class Call Girl Service AvailableDipal Arora
 
Keppel Ltd. 1Q 2024 Business Update Presentation Slides
Keppel Ltd. 1Q 2024 Business Update  Presentation SlidesKeppel Ltd. 1Q 2024 Business Update  Presentation Slides
Keppel Ltd. 1Q 2024 Business Update Presentation SlidesKeppelCorporation
 
Creating Low-Code Loan Applications using the Trisotech Mortgage Feature Set
Creating Low-Code Loan Applications using the Trisotech Mortgage Feature SetCreating Low-Code Loan Applications using the Trisotech Mortgage Feature Set
Creating Low-Code Loan Applications using the Trisotech Mortgage Feature SetDenis Gagné
 
Call Girls In Panjim North Goa 9971646499 Genuine Service
Call Girls In Panjim North Goa 9971646499 Genuine ServiceCall Girls In Panjim North Goa 9971646499 Genuine Service
Call Girls In Panjim North Goa 9971646499 Genuine Serviceritikaroy0888
 
Monte Carlo simulation : Simulation using MCSM
Monte Carlo simulation : Simulation using MCSMMonte Carlo simulation : Simulation using MCSM
Monte Carlo simulation : Simulation using MCSMRavindra Nath Shukla
 
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...Dave Litwiller
 
Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...
Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...
Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...lizamodels9
 

Kürzlich hochgeladen (20)

BEST ✨ Call Girls In Indirapuram Ghaziabad ✔️ 9871031762 ✔️ Escorts Service...
BEST ✨ Call Girls In  Indirapuram Ghaziabad  ✔️ 9871031762 ✔️ Escorts Service...BEST ✨ Call Girls In  Indirapuram Ghaziabad  ✔️ 9871031762 ✔️ Escorts Service...
BEST ✨ Call Girls In Indirapuram Ghaziabad ✔️ 9871031762 ✔️ Escorts Service...
 
Sales & Marketing Alignment: How to Synergize for Success
Sales & Marketing Alignment: How to Synergize for SuccessSales & Marketing Alignment: How to Synergize for Success
Sales & Marketing Alignment: How to Synergize for Success
 
Cash Payment 9602870969 Escort Service in Udaipur Call Girls
Cash Payment 9602870969 Escort Service in Udaipur Call GirlsCash Payment 9602870969 Escort Service in Udaipur Call Girls
Cash Payment 9602870969 Escort Service in Udaipur Call Girls
 
Grateful 7 speech thanking everyone that has helped.pdf
Grateful 7 speech thanking everyone that has helped.pdfGrateful 7 speech thanking everyone that has helped.pdf
Grateful 7 speech thanking everyone that has helped.pdf
 
0183760ssssssssssssssssssssssssssss00101011 (27).pdf
0183760ssssssssssssssssssssssssssss00101011 (27).pdf0183760ssssssssssssssssssssssssssss00101011 (27).pdf
0183760ssssssssssssssssssssssssssss00101011 (27).pdf
 
Eni 2024 1Q Results - 24.04.24 business.
Eni 2024 1Q Results - 24.04.24 business.Eni 2024 1Q Results - 24.04.24 business.
Eni 2024 1Q Results - 24.04.24 business.
 
GD Birla and his contribution in management
GD Birla and his contribution in managementGD Birla and his contribution in management
GD Birla and his contribution in management
 
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRLMONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
 
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...
 
Pharma Works Profile of Karan Communications
Pharma Works Profile of Karan CommunicationsPharma Works Profile of Karan Communications
Pharma Works Profile of Karan Communications
 
Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023
 
Call Girls Pune Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Pune Just Call 9907093804 Top Class Call Girl Service AvailableCall Girls Pune Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Pune Just Call 9907093804 Top Class Call Girl Service Available
 
Keppel Ltd. 1Q 2024 Business Update Presentation Slides
Keppel Ltd. 1Q 2024 Business Update  Presentation SlidesKeppel Ltd. 1Q 2024 Business Update  Presentation Slides
Keppel Ltd. 1Q 2024 Business Update Presentation Slides
 
Creating Low-Code Loan Applications using the Trisotech Mortgage Feature Set
Creating Low-Code Loan Applications using the Trisotech Mortgage Feature SetCreating Low-Code Loan Applications using the Trisotech Mortgage Feature Set
Creating Low-Code Loan Applications using the Trisotech Mortgage Feature Set
 
Forklift Operations: Safety through Cartoons
Forklift Operations: Safety through CartoonsForklift Operations: Safety through Cartoons
Forklift Operations: Safety through Cartoons
 
Call Girls In Panjim North Goa 9971646499 Genuine Service
Call Girls In Panjim North Goa 9971646499 Genuine ServiceCall Girls In Panjim North Goa 9971646499 Genuine Service
Call Girls In Panjim North Goa 9971646499 Genuine Service
 
Monte Carlo simulation : Simulation using MCSM
Monte Carlo simulation : Simulation using MCSMMonte Carlo simulation : Simulation using MCSM
Monte Carlo simulation : Simulation using MCSM
 
Best Practices for Implementing an External Recruiting Partnership
Best Practices for Implementing an External Recruiting PartnershipBest Practices for Implementing an External Recruiting Partnership
Best Practices for Implementing an External Recruiting Partnership
 
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
 
Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...
Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...
Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...
 

Risk assessments and applying organisational controls for GDPR compliance

6. Material and territorial scope
Natural person = a living individual.
• Natural persons have rights associated with:
– The protection of personal data;
– The processing of personal data; and
– The unrestricted movement of personal data within the EU.
• In material scope:
– Personal data that is processed wholly or partly by automated means.
– Personal data that is part of a filing system, or intended to be.
• The Regulation applies to controllers and processors established in the EU, irrespective of where the processing itself takes place.
• It also applies to controllers and processors outside the EU that offer goods or services to data subjects in the EU, or that monitor the behaviour of data subjects within the EU.
7. Penalties
Administrative fines
• Administrative fines will, in each case, be effective, proportionate and dissuasive, and take account of the technical and organisational measures that have been implemented.
• Lower tier: up to €10,000,000 or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
• Upper tier: up to €20,000,000 or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
8. The GDPR and risk management frameworks
• Article 32(1): "The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk."
• Article 32(2): "In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed."
• Article 24(1): "Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation."
• The data protection officer (DPO) plays a key bridging role between corporate risk management, broader cyber security risk management and managing risks to personal data.
• NB: see also the Network and Information Systems (NIS) Directive and the Government Cyber Security Strategy.
9. Risk assessments under the GDPR
• Article 35(1): where processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller must carry out a data protection impact assessment (DPIA) before the processing begins.
• A DPIA is required in particular in the case of:
– A systematic and extensive evaluation of personal aspects based on automated processing, including profiling, on which decisions are based that produce legal effects concerning natural persons, or similarly significantly affect them;
– Large-scale processing of special categories of data, or of personal data relating to criminal convictions and offences; and
– Systematic monitoring of a publicly accessible area on a large scale.
10. DPIAs
A DPIA will set out as a minimum:
• A systematic description of the processing operations and their purposes, including, where applicable, the legitimate interests pursued by the controller.
• An assessment of the necessity and proportionality of the processing in relation to those purposes.
• An assessment of the risks to the rights and freedoms of the data subjects.
• The measures envisaged to address the risks, including the safeguards, security measures and mechanisms that protect personal data and demonstrate compliance.
• Compliance with approved codes of conduct is taken into account when assessing the impact.
• Where appropriate, the controller seeks the views of data subjects or their representatives on the intended processing.
11. What is risk?
• The effect of uncertainty on objectives (ISO 31000, etc.).
• A combination of the likelihood of an incident occurring and the impact on the organisation if it does occur.
• "A probability or threat of damage, injury, liability, loss, or any other negative occurrence that is caused by external or internal vulnerabilities, and that may be avoided through pre-emptive action." (businessdictionary.com)
• Risk can be good or bad: ISO 31000 notes that the effect of uncertainty can be positive, negative or both.
12. Key definitions
• Risk assessment: the overall process of risk identification, risk analysis and risk evaluation.
• Risk management: the coordinated activities to direct and control an organisation with regard to risk.
• Risk treatment: the process to modify risk.
13. Risk and what it means under the GDPR
• Risks to individuals: the potential for damage or distress.
• Risks to organisations: the financial and/or reputational impact of a data breach.
• Privacy risk should already be on the corporate risk register.
14. Risk assessments
Risk assessments help to:
• Identify the threats that could harm an organisation's assets;
• Determine the value and sensitivity of data by identifying the level of risk that data carries if threatened; and
• Implement cost-effective measures to mitigate and reduce the risk.
15. Risk assessments
Asset + vulnerability + threat = risk.
• Risk assessments determine the appropriate controls to reach acceptable levels of risk.
• Risk cannot exist without these three components:
1. An asset that has value and requires protection.
2. A threat that can harm it.
3. A vulnerability: a weakness that allows the threat to reach the asset.
16. Why do we assess risk?
• A risk assessment informs a proper balance of safeguards against the risk of failing to meet business objectives.
• It establishes a position in which:
– Removing any safeguard would increase the risk of loss to an unacceptable level; and
– Adding any further safeguard would make the security system too expensive or too bureaucratic.
• It is therefore the means by which expenditure on security and contingency can be justified.
17. Examples of risk
Data that is:
• Inaccurate, insufficient or out of date;
• Kept for too long;
• Excessive or irrelevant;
• Disclosed to the wrong people;
• Insecurely transmitted or stored; or
• Used in ways that are unacceptable or unexpected.
18. Risk assessment (based on ISO 31000)
Identify risks:
• Workshop, facilitated by a risk expert.
• (Key) assets at risk.
• (Key) threat-vulnerability relationships.
• NB: a 'vulnerability' is a weakness of an asset or control that can be exploited by one or more threats.
Analyse risks:
• Consequence (impact).
• Probability (likelihood).
• Level of risk (e.g. impact x likelihood).
Evaluate risks:
• Compare the level of risk with the risk criteria (e.g. risk appetite).
19. Risk criteria (per ISO 31000)
• When defining risk criteria, consider:
– The nature and types of causes and consequences that can occur, and how they will be measured;
– How likelihood will be defined;
– The timeframe(s) of the likelihood and/or consequence(s);
– How the level of risk is to be determined;
– The views of stakeholders;
– The level at which risk becomes acceptable or tolerable; and
– Whether combinations of multiple risks should be taken into account and, if so, how and which combinations should be considered.
• www.itgovernance.co.uk/shop/p-747-iso31000-iso-31000-risk-management-guidelines.aspx
20. Risk scenarios: components (adapted from ISACA, The Risk IT Framework, USA, 2009)
A risk scenario is described by:
• Actor: internal (staff, contractor); external (competitor, outsider, business partner, regulator, market).
• Threat type: malicious; accidental/error; failure; natural; external requirement.
• Event: disclosure; interruption; modification; theft; destruction; ineffective design; ineffective execution; rules and regulations; inappropriate use.
• Asset/resource: people and organisation; process; infrastructure (facilities); IT infrastructure; information; applications.
• Time: duration; timing of occurrence (critical, non-critical); time to detect.
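The identify, analyse and evaluate steps of slides 18 and 19, applied to scenarios built from the slide 20 components, can be expressed as a small risk register. The block below is an added illustration and is not code from the slide deck or from IT Governance: the 1 to 5 ordinal scales, the band edges for the five ratings, the risk appetite threshold and the five scenarios in the register are all constructed for the example.

```python
"""ISO 31000-style identify / analyse / evaluate over a constructed register
of personal-data risk scenarios. Added example: not code from the slide
deck or from IT Governance. Scales, band edges and the risk appetite
threshold are assumptions made for illustration."""
from __future__ import annotations

from dataclasses import dataclass, field

# Ordinal scales (assumption: the deck says "e.g. impact x likelihood"
# but fixes no scale). The product therefore ranges from 1 to 25.
SCALE = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}


@dataclass
class Scenario:
    """One risk scenario built from the ISACA components on slide 20:
    an asset, the vulnerability that exposes it, the threat event,
    the actor and threat type, plus the analyst's likelihood and impact."""
    ref: str
    asset: str
    vulnerability: str
    event: str
    actor: str         # "internal" or "external"
    threat_type: str   # malicious / accidental / failure / natural / external requirement
    likelihood: str    # key of SCALE
    impact: str        # key of SCALE
    existing_controls: list[str] = field(default_factory=list)


@dataclass
class RiskCriteria:
    """Risk criteria (ISO 31000): the level at which risk becomes acceptable,
    plus a rule that some consequences are never accepted on score alone."""
    accept_at_or_below: int              # risk appetite on the 1..25 product scale
    never_accept_impact: str = "very high"


def level_of_risk(s: Scenario) -> int:
    """Analyse: level of risk = impact x likelihood (slide 18)."""
    return SCALE[s.likelihood] * SCALE[s.impact]


def rating(level: int) -> str:
    """Map the 1..25 product onto five bands (band edges are an assumption)."""
    if level >= 20:
        return "very high"
    if level >= 12:
        return "high"
    if level >= 6:
        return "medium"
    if level >= 3:
        return "low"
    return "very low"


def evaluate(s: Scenario, criteria: RiskCriteria) -> str:
    """Evaluate: compare the level with the risk criteria and decide whether
    the risk is accepted as it stands or must be treated."""
    if SCALE[s.impact] >= SCALE[criteria.never_accept_impact]:
        return "treat"   # a very-high impact is never accepted just because it is unlikely
    return "accept" if level_of_risk(s) <= criteria.accept_at_or_below else "treat"


def assess(register: list[Scenario], criteria: RiskCriteria) -> list[dict]:
    """Run analyse + evaluate over the register and return rows ordered
    highest risk first, i.e. the prioritised list slide 28 asks for."""
    rows = [
        {
            "ref": s.ref,
            "asset": s.asset,
            "level": level_of_risk(s),
            "rating": rating(level_of_risk(s)),
            "decision": evaluate(s, criteria),
        }
        for s in register
    ]
    return sorted(rows, key=lambda r: r["level"], reverse=True)


# Constructed register (illustrative only, not real findings).
REGISTER = [
    Scenario("R1", "HR payroll records on staff laptops", "no full-disk encryption",
             "laptop theft discloses records", "external", "malicious", "medium", "high"),
    Scenario("R2", "marketing list shared with mailing processor", "no data-processing agreement",
             "processor reuses data for its own purposes", "external", "malicious", "low", "medium"),
    Scenario("R3", "customer records retained indefinitely", "no retention schedule",
             "breach exposes data that should have been deleted", "external", "accidental", "medium", "medium"),
    Scenario("R4", "internal phone directory", "shared weak password",
             "staff browse colleagues' extensions", "internal", "accidental", "high", "very low"),
    Scenario("R5", "occupational health records (special category)", "shared admin account",
             "unauthorised disclosure by an administrator", "internal", "malicious", "very low", "very high"),
]
CRITERIA = RiskCriteria(accept_at_or_below=5)  # assumed risk appetite

if __name__ == "__main__":
    for row in assess(REGISTER, CRITERIA):
        print(f"{row['ref']} level={row['level']:>2} ({row['rating']:<9}) -> {row['decision']}: {row['asset']}")
```

Two points the run makes that the slides only state: R5 has the lowest likelihood in the register yet is still marked for treatment, because the criteria treat a very-high impact on data subjects (here, special-category data) as outside the risk appetite regardless of score; and the ordering of the output is the prioritised list of initiatives, so the same inputs scored against a different appetite threshold change the accept/treat decisions without changing the order.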
21. ISO 27005: risk management process
(Process diagram.) Context establishment leads into risk assessment (risk identification, risk analysis, risk evaluation), then risk decision point 1: is the assessment satisfactory? If not, the assessment is repeated; if so, the process moves to risk treatment and risk decision point 2: is the treatment satisfactory? If not, treatment is revisited; if so, the residual risk is formally accepted. Risk communication and consultation, and risk monitoring and review, run alongside every stage.
22. Risk and countermeasures
(Risk matrix: likelihood (low, medium, high) plotted against negative impact (low, medium, high), with each cell rated from very low to very high.)
23. Risk treatment controls
• ISO 27001 information security management system (ISMS) controls are typically selected by objective, taking into account:
– National and international legislation and regulations, and baseline security criteria;
– Organisational objectives;
– Operational requirements and constraints;
– The cost of implementation and operation, set against the risk being reduced and proportionate to the organisation;
– The need to monitor, evaluate and improve the efficiency and effectiveness of information security controls in support of the organisation's aims; and
– The balance between investment and the harm that would result from security failures.
• 24. Example countermeasures
Product/technology
– Site/building physical security
– Bomb detection
– Fire/power outage protection
– Identification and authentication
– Logical access control
– Software change control
Process
– System admin controls
– Financial accounting
– Business continuity planning
– Reporting and reacting to incidents
– Media controls
People
– Security training and awareness
– Staff vetting
– Leaver management
• 25. Examples of risk treatment
• Reduce data collected
• Retention policy
• Secure destruction of information
• Access control
• Training and awareness
• Pseudonymise information
• Contracts or data-sharing agreements
• Acceptable use policy
• Subject access request process
• External supplier risk assessments
• 26. Assess the costs and benefits
[Chart: cost (y-axis) against number of controls (x-axis), with curves for controls implemented and vulnerabilities, and the risk acceptance point]
• 27. Next steps
A practical approach to risk management for GDPR compliance:
• Agree the approach to risk management.
• Agree the degree of assurance required.
• Conduct the risk assessment:
– Ensure those involved understand the methodology (training?) so that results are comparable and reproducible.
• Manage (reduce) risk to the level of assurance required using controls, and compare to standards such as ISO 31000 or ISO 27001.
• 28. Next steps
A practical approach to risk management for GDPR compliance
Step 1: Assess risk
– Identify risk
– Prioritise initiatives
• 29. Next steps
A practical approach to risk management for GDPR compliance
Step 2: Classify data
– Take action
– Implement incident management response
• 30. Next steps
A practical approach to risk management for GDPR compliance
Step 3: Demonstrate ongoing risk and incident monitoring
• 31. Risk assessment tool: vsRisk™
• Key benefits include:
– Simplification: minimises the manual hassle and complexity of carrying out an information security risk assessment, saving time and resources.
– Replication: risk assessments can be repeated easily in a standard format year after year.
– Generates reports: for exporting, editing and sharing across the business and with auditors.
– Automation: the fast and simple way to carry out a risk assessment.
• 32. IT Governance: GDPR one-stop shop – self-help materials
• A pocket guide: www.itgovernance.co.uk/shop/Product/eu-gdpr-a-pocket-guide
• Implementation manual: www.itgovernance.co.uk/shop/Product/eu-general-data-protection-regulation-gdpr-an-implementation-and-compliance-guide
• Documentation toolkit: www.itgovernance.co.uk/shop/Product/eu-general-data-protection-regulation-gdpr-documentation-toolkit
• Compliance gap assessment tool: www.itgovernance.co.uk/shop/Product/eu-gdpr-compliance-gap-assessment-tool
• 33. IT Governance: GDPR one-stop shop – training courses
• One-day accredited Foundation course (classroom, online, distance learning): www.itgovernance.co.uk/shop/Product/certified-eu-general-data-protection-regulation-foundation-gdpr-training-course
• Four-day accredited Practitioner course (classroom, online, distance learning): www.itgovernance.co.uk/shop/Product/certified-eu-general-data-protection-regulation-practitioner-gdpr-training-course
• One-day DPIA workshop (classroom): www.itgovernance.co.uk/shop/Product/data-protection-impact-assessment-dpia-workshop
• 34. IT Governance: GDPR one-stop shop – GDPR consultancy
• Gap analysis: Our experienced data protection consultants can assess the exact standing of your current legal situation, security practices and operating procedures in relation to the Data Protection Act (DPA) or the GDPR.
• Data flow audit: Data mapping involves plotting all of your data flows, drawing up an extensive inventory of the data to understand where the data flows from, within and to. This type of analysis is a key requirement of the GDPR.
• DPO as a service: Outsourcing the DPO role can help your organisation address the compliance demands of the GDPR while staying focused on its core business activities.
• Implementing a personal information management system (PIMS): Establishing a PIMS as part of your overall business management system will make sure that data protection management is placed within a robust framework, which will be looked upon favourably by the regulator when it comes to DPA compliance.
• Implementing an ISMS compliant with ISO 27001: We offer flexible and cost-effective consultancy packages, and a comprehensive range of bespoke ISO 27001 consultancy services, that will help you implement an ISO 27001-compliant ISMS quickly and without hassle, no matter where your business is located.
• Cyber Health Check: The two-day Cyber Health Check combines on-site consultancy and audit with remote vulnerability assessments to assess your cyber risk exposure.