In this session, we will go through the key practical implementation steps of ISO/IEC 27701 and ISO/IEC 27001 and how they can help you to be compliant with the GDPR.
Our presenters, Peter Geelen and Stefan Mathuvis, will guide you through the implementer tasks with practical hints and tips and show you how an auditor will look at your implementation, searching for evidence and compliance.
In addition, we will map the ISO/IEC 27001 and ISO/IEC 27701 requirements to the GDPR obligations as completely as possible.
We cover the whole chain: from executive management and privacy policies, through handling notifications, setting up awareness programs and controlling user access requests, to vendor management, incident management (data breaches) and continuous updates.
The webinar will cover:
• Quick recap on general ISO components and approach
• Implementing ISO/IEC 27001 with the ISO/IEC 27701 extension for GDPR compliance
• Do's and don’ts for implementation and audit
• The importance of evidence in the audit
• Managing audit expectations and the never-ending audit cycle
Recorded webinar: https://youtu.be/HL-VUiCj4Ew
1. Privacy Trends: Key practical steps on ISO/IEC 27701:2019 implementation
2. • Introduction
• Before we start…
• ISO27001 implementation vs audit
• ISMS vs PIMS, in practice
• The implementer view
• The auditor view
• Q & A
Agenda
11. Source: PECB ISO27001 Lead Implementer
PDCA in ISO27001:
• Clause 4 Context of the organization
• Clause 5 Leadership
• Clause 6 Planning
• Clause 7 Support
• Clause 8 Operation
• Clause 9 Performance evaluation
• Clause 10 Improvement
• Annex A - Control objectives and controls
12. Extension to ISO27001 (ISMS)
• Information Security Management System
• + extension to privacy
• + interpretation for GDPR
= PIMS (Privacy Information Management System)
ISO27701 (PIMS)
13. Naming convention
To avoid any confusion:
• ISMS refers to ISO27001
• PIMS refers to ISO27701 (on top of ISO27001)
For this session…
15. Officially starts with the external audit, but…
• You can use the audit techniques during initial implementation
• Implement pre-stage audit
• Internal audit is needed (official requirement)
• System must have sufficient track record before initial audit
After initial audit
• Yearly surveillance
• 3 year cycle to renewal
• Continuous maintenance (also for internal audit)
• Continuous improvement
The ISO audit lifecycle…
16. Initial audit
• “Get in control”
• Passing the mark
• Basic maturity (ref. CMMI … level 3)
• Room for growth and maturity
Surveillance audit (+ recertification)
• “Stay in control”
• Focus on improvement
• Increasing maturity
• Based on metrics and measurement…
The ISO audit lifecycle…
17. Starts long before the external audit
• Use the audit techniques during initial implementation
• Pre-stage audit
• Internal audit needed (official requirement)
Doesn’t stop after the initial external audit
• Maintenance
The implementation lifecycle…
18. When starting in ISMS implementation
• It takes time to adapt business processes to ISO approach
• Focus on evidence:
• Not only documentation,
• but also operational results that can be tracked
• People that know how ISMS plugs in to their work
Audit
• Not just a check list, but focus on results
• Based on evidence (double evidence)
• Advisory function (but not consulting)
Hints and tips
19. ISMS to PIMS, in practice.
Getting the mind shift right…
20. When shifting from ISMS to PIMS
• It’s no longer about “enterprise only” data
• It’s ALSO about “personal data”
• On top of it…
Meaning: in ISMS, you are in the lead with enterprise data.
In PIMS, the subject is in the lead when handling personal data…
(Strong legislation giving power to subject.)
Fundamental change in approach
23. Auditor vs implementer
• If you know how the audit works, you know better what to implement
• Both in the right spirit
• Results based,
• not check list based
• Growth mindset
• Not perfect at first step
• Better done than perfect
• Think big, act small…
Why is this important?
24. • The audit cycle pushes the implementation of PDCA
• Continuous improvement
• Step by step
• Have an independent / external view
• Keep the helicopter view, with good relation between
• Business
• IT
• DPO
• Legal
The auditor view helps to…
25. • Include audit considerations from the start
• Involve audit throughout the project
• Internal audit vs external audit
• External audit
• mostly end stage (before you restart the cycle)
• Certification target
• Internal audit
• Separate department
• Why not cross check? (cross-department)
• External auditor (but still under authority of data controller)
Some practical hints
26. • Look at the external auditor as advisor
• Not a checklist dummy
• [NOT consultant ;) ]
• Find the right auditor for you, YOU choose
• Experience, expertise
• Right mindset (continuous improvement)
• Focus on getting results
• CMMI: 1… 2… 3… 4… 5…
Some practical hints
27. Recap: ISO27701 mapping to ISO27001
4.3 ISO27001 requirements (ISO27701 Clause 5)
ISO27701   Topic                     ISO27001   Remark
5.2        Context of organisation   4          Changed
5.3        Leadership                5          Direct
5.4        Planning                  6          Changed
5.5        Support                   7          Direct
5.6        Operation                 8          Direct
5.7        Performance evaluation    9          Direct
5.8        Improvement               10         Direct
31. Interested parties
• ISMS: Mainly enterprise, contractual, customers, … a bit of employee
• PIMS: strong focus on subject data, in any type
Different approach
• High impact regulation
• Worldwide
• Very powerful individual (the data subject)
• Define goal, vision, mission & strategy
• Documentation!
PIMS 5.2 / ISMS 4 (Context) Implementer
32. Interested parties
• ISMS: vision, commitment, policy, RACI, …
• PIMS: accountability (ref. GDPR)
Make sure to
• Organize regular management meetings
• Plan agenda, take notes, …
• Register Decisions taken
• Plan Communication, incl. all interested parties (incl. external)
• Make sure mgmt. takes responsibility.
• Make them accountable, …
PIMS 5.3 / ISMS 5 (Leadership) Implementer
33. EXTREMELY IMPORTANT
• ISMS: risk management is CORE requirement
• PIMS: PIA, DPIA (GDPR)
You must
• Have a risk register
• Set up a risk management system (not the software, but the process)
• Maintain risk management
HINT: how do you assess risk in an EXISTING environment?
(New processes, updates of existing processes, and on a regular basis)
PIMS 5.4 / ISMS 6 (Planning) Implementer
34. ISMS = PIMS, you must have
• Resources
• Competence
• Awareness, communication & education
• Documentation
You need
• Budget
• People
• Time
PIMS 5.5 / ISMS 7 (Support) Implementer
35. PIMS 5.6/5.7/5.8 = ISMS 8/9/10
• Operations
• Performance
• Improvement
You need
• Operations: Info security / Data protection / Privacy in your DNA
• Performance: plan for metrics and measure (CMMI 4)
• Improvement: CONTINUOUSLY
Other clauses Implementer
36. Policies
• ISMS ISO27002 (114 controls + …)
• PIMS ISO27002 + ISO27701
• ISMS prefix “A” = ISO27002
• Measures
• Controls
• For security we need PPT = people, process & technology
PIMS 6 / ISMS Annex
38. ISMS                    PIMS               Serving
Management Team             idem               Enterprise
Risk Management Team        idem               Enterprise
Info Sec team               idem               Enterprise
IT operations team          idem               Enterprise
Business                    idem               Enterprise
Legal support               idem               Enterprise
                            / DPO or similar   Subject
PIMS 6.3 / ISMS A6 (IS Org.) Implementer
39. Info
• PIMS: privacy & data protection in
• contracting
• awareness.
Special attention to
• Reference of data protection in contracting
• People are lazy (maintain awareness)
• Training
IMPORTANT: everyone must be onboard to protect personal data!
PIMS 6.4 / ISMS A7 (HR) General
40. Make sure to implement
• Asset inventory / CMDB
• Not only HW
• Also processes
• People & knowledge
Special attention to
• Classification
PIMS 6.5 / ISMS A8 (Asset Mgmt) Implementer
42. Must have
• Access control policy
• User (de)registration
Special attention to
• PIMS: identity management
• PIMS EXPLICIT:
• DO NOT RE-USE user IDs
PIMS 6.6 / ISMS A9 (Access ctrl.) Implementer
43. Contains
• Crypto policy
• Special attention to PII treatment
Special attention to
• Subject information about crypto in
• Website, HR, registration systems, storage, backup, …
• Disposal of data !
• Evolution of technology in crypto!
PIMS 6.7 / ISMS A10 (Crypto) General
44. Must have
• Physical security
• Security perimeters
• Layered security
Special attention to
• Core protection, starts with physical
• Layered security like
• Street, outside, perimeter,
• public zone, internal zone, restricted zone, high protection core, …
• Define : “who can do what and where (and when)”
PIMS 6.8 / ISMS A11 (Physical Sec.) Implementer
45. Special attention to (See previous sessions on PIMS)
• Backup
• Event logging
• Log protection
PIMS 6.9 / ISMS A12 (Operations) Implementer
Do what you say, say what you do… and prove it
46. Make sure to have
• Information transfer policy
• Vendor / 3rd party / Data processor policy
Special attention to
• Vendor/processor
• Confidentiality
• NDA
• Incident reporting & feedback
PIMS 6.10 / ISMS A13 (Comm.) General
47. Contains
• Development policies
• SW acquisition requirements
Special attention to
• Own responsibility
• Vendor/processor responsibility
• Sec/DP/Privacy by design
• Sec/DP/privacy by default
PIMS explicit: no PII for testing purposes!
PIMS 6.11 / ISMS A14 (Build or buy) Implementer
48. Important
• Compensate for lack of physical control
• Legal control
• PIMS : High risk!
Special attention to
• Policy
• Contracts
• Expert legal support
• Right to audit!
PIMS 6.12 / ISMS A15 (Supplier) Implementer
49. Important
• Incident register
• Incident = failure of system (opportunity for improvement)
• PIMS : High risk for data breaches!
Special attention to
• Policy
• Tracking & improvement
• Escalation tracks
• Exercise, exercise!
PIMS 6.13 / ISMS A16 (Incident) Implementer
50. Important
• Maintaining data protection & privacy during disaster
• BCM vs DRP
Special attention to
• Exercise
• Testing
• Vendors
PIMS 6.14 / ISMS A17 (BCM) Implementer
51. Pay attention to
• Legislation
• Contract obligations
• Company responsibility (protect yourself)
• Subject rights
Evidence
• Anything we discussed today…
PIMS 6.15 / ISMS A18 (Compliance) General
53. Interested parties
• ISMS: documentation on business model, mission, vision, …
• PIMS: ISMS documentation, privacy notices, … type of community
What evidence to find?
• Mission/Vision
• Community
• Business model, processes, type of data
• Talking to business & customer dept.
PIMS 5.2 / ISMS 4 (Context) Auditor
54. Interested parties
• ISMS: documentation on business model, mission, vision, …
• PIMS: ISMS documentation, privacy notices, … type of community
How to audit?
• Management meetings, agenda, notes, …
• Decisions taken
• Communication
• Approvals & signature of policies, …
PIMS 5.3 / ISMS 5 (Leadership) Auditor
56. ISMS = PIMS
• Check for management support
• Check for education plan
• Check for awareness
Evidence
• Interview
• Management planning
• Education, awareness & communication
PIMS 5.5 / ISMS 7 (Support) Auditor
57. PIMS 5.6/5.7/5.8 = ISMS 8/9/10
• Operations
• Performance
• Improvement
Evidence
• Operations: processes, procedures, … on the floor
• Performance: Find the metrics
• Improvement: internal audit, new projects, updates, …
Other clauses Auditor
58. To check
• Policies
• SOA
Evidence
• Setup policies / documentation
• Approval of policies
• Execution policies
• Updates
PIMS 6.2 / ISMS A5 Auditor
59. Check for
• Organigram
• Company organisation
• RACI
• Segregation of duties
Evidence
• Roles & responsibilities description
• Function description incl. ISMS/PIMS tasks
• People IN/OUT
PIMS 6.3 / ISMS A6 Auditor
60. Info
• PIMS: privacy & data protection in
• contracting
• awareness.
Special attention to
• Reference of data protection in contracting
• People are lazy (maintain awareness)
• Training
IMPORTANT: everyone must be onboard to protect personal data!
PIMS 6.4 / ISMS A7 (HR) General
61. Pay attention to
• HR IN/OUT vs. IT IN/OUT
Evidence
• HR
• IT security
• Privileged account management
• General accounts
• In/out events
• Regular reviews (x times /yr)
PIMS 6.6 / ISMS A9 (Access ctrl.) Auditor
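The two access-control slides above (implementer: user (de)registration and the explicit PIMS rule not to re-use user IDs; auditor: HR IN/OUT versus IT IN/OUT, privileged accounts and regular reviews) describe a check that is easy to run and to keep as dated evidence. The script below is an added example, not material from the presentation or from PECB: it reconciles a constructed HR extract against a constructed directory export, flags leavers whose accounts are still enabled, joiners without an account, and user IDs that have been handed to a second person. The record formats, the severity scale and the `ID_HISTORY` structure are assumptions for the illustration.

```python
"""Joiner/leaver reconciliation and user-ID re-use check (added example).

Not from the presentation: a worked illustration of the evidence an auditor
looks for under PIMS 6.6 / ISMS A9 -- HR IN/OUT mirrored in IT IN/OUT, and
the PIMS rule that user IDs are not re-used. All records are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class HrRecord:
    employee_no: str        # stable person identifier from HR
    name: str
    start: date
    end: Optional[date]     # None while still employed


@dataclass(frozen=True)
class ItAccount:
    user_id: str            # login name in the directory
    employee_no: str        # person the account is currently issued to
    enabled: bool
    privileged: bool


@dataclass(frozen=True)
class Finding:
    severity: str           # HIGH / MEDIUM / LOW (assumed scale)
    code: str               # stable code so findings can be tracked between reviews
    subject: str            # user ID or employee number concerned
    detail: str


# Constructed HR extract (assumed format): current staff and leavers.
HR: List[HrRecord] = [
    HrRecord("E001", "Alice Example", date(2018, 3, 1), None),
    HrRecord("E002", "Bob Example", date(2019, 6, 1), date(2023, 12, 31)),
    HrRecord("E003", "Carol Example", date(2020, 1, 15), date(2024, 2, 29)),
    HrRecord("E004", "Dan Example", date(2024, 3, 4), None),
    HrRecord("E005", "Eve Example", date(2024, 5, 1), None),
]

# Constructed directory export at review time. u1003 was Carol's admin
# account and has been handed to Dan: the directory alone looks clean.
ACCOUNTS: List[ItAccount] = [
    ItAccount("u1001", "E001", enabled=True, privileged=False),
    ItAccount("u1002", "E002", enabled=True, privileged=False),  # Bob left, still enabled
    ItAccount("u1003", "E004", enabled=True, privileged=True),   # recycled ID
]

# Constructed history of who each user ID was ever issued to. Without such a
# history, re-use is invisible and Carol's old log entries now point at Dan.
ID_HISTORY: Dict[str, List[str]] = {
    "u1001": ["E001"],
    "u1002": ["E002"],
    "u1003": ["E003", "E004"],
}


def review_access(hr: List[HrRecord], accounts: List[ItAccount],
                  id_history: Dict[str, List[str]], as_of: date) -> dict:
    """Return a dated review record: the evidence for a periodic access review."""
    employed = {r.employee_no for r in hr if r.end is None or r.end >= as_of}
    leavers = {r.employee_no for r in hr if r.end is not None and r.end < as_of}
    findings: List[Finding] = []

    # HR OUT not mirrored by IT OUT: enabled account for a person who has left.
    for a in accounts:
        if a.enabled and a.employee_no in leavers:
            sev = "HIGH" if a.privileged else "MEDIUM"
            findings.append(Finding(sev, "leaver-account-enabled", a.user_id,
                                    f"{a.employee_no} left but account is enabled"))

    # HR IN not mirrored by IT IN: employed person with no account at all.
    with_account = {a.employee_no for a in accounts}
    for emp in sorted(employed - with_account):
        findings.append(Finding("LOW", "joiner-without-account", emp,
                                "employed according to HR, no IT account"))

    # PIMS explicit rule: a user ID must not be re-used for a different person.
    for user_id, owners in sorted(id_history.items()):
        if len(set(owners)) > 1:
            findings.append(Finding("HIGH", "user-id-reused", user_id,
                                    "issued to " + " -> ".join(owners)))

    return {"as_of": as_of.isoformat(), "accounts_reviewed": len(accounts),
            "findings": findings}


def by_code(report: dict) -> Dict[str, List[str]]:
    """Group finding subjects by code, for the review summary."""
    grouped: Dict[str, List[str]] = {}
    for f in report["findings"]:
        grouped.setdefault(f.code, []).append(f.subject)
    return grouped


if __name__ == "__main__":
    rep = review_access(HR, ACCOUNTS, ID_HISTORY, date(2024, 6, 1))
    print(f"Access review as of {rep['as_of']}: {rep['accounts_reviewed']} accounts")
    for f in rep["findings"]:
        print(f"  [{f.severity}] {f.code}: {f.subject} ({f.detail})")
```

The point of the `ID_HISTORY` input is that the re-use finding cannot come from the current directory export: once an ID is recycled, the export looks clean and the leaver disappears from the leaver check. Keeping the issued-to history (and running the review on a fixed schedule, with the `as_of` date in the record) is what turns "we deprovision leavers" into something an auditor can verify.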
62. Contains
• Crypto policy
• Special attention to PII treatment
Special attention to
• Subject information about crypto in
• Website, HR, registration systems, storage, backup, …
• Disposal of data !
PIMS 6.7 / ISMS A10 (Crypto) General
63. Pay attention to
• Building
• Locations
• Entry,
• Zones
• Equipment, cabling,
• 3rd party (!)
Evidence
• On site visit
PIMS 6.8 / ISMS A11 (Physical) Auditor
64. Pay attention to
• Tracing of ISMS/PIMS on the floor
• People
Evidence
• Logs
• Processes & procedures
• Time stamps
• Ownership
• Meeting minutes
• Documentation
• …
PIMS 6.9 / ISMS A12 (Operations) Auditor
65. Make sure to have
• Information transfer policy
• Vendor / 3rd party / Data processor policy
Special attention to
• Vendor/processor
• Confidentiality
• NDA
• Incident reporting & feedback
PIMS 6.10 / ISMS A13 (Communic.) General
68. Pay attention to
• Incident management policy
• Incident register
• Data breach register
• Data breach notifications
Evidence
• Policy meta data (owner, updates, …)
• Incident management procedure
• Data breach reporting
• DPA communications, …
PIMS 6.13 / ISMS A16 (Incident) Auditor
69. Pay attention to
• Maintaining data protection & privacy during disaster
• BCM vs DRP
Evidence
• BCM planning
• DRP plan
• Test plans
• Exercises
• Awareness, training & communication
PIMS 6.14 / ISMS A17 (BCM) Auditor
70. Pay attention to
• Legislation
• Contract obligations
• Company responsibility (protect yourself)
• Subject rights
Evidence
• Anything we discussed today…
PIMS 6.15 / ISMS A18 (Compliance) General
76. Check the PECB agenda, select the ISO/IEC 27701 Lead Implementer
https://pecb.com/en/partnerEvent/event_schedule_list
Training Agenda
77. Relevant Training
PECB ISO 27701 Foundation
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27701/iso-iec-27701-foundation
PECB ISO 27701 Lead Implementer
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27701/iso-iec-27701-lead-implementer
PECB ISO 27701 Lead Auditor
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27701/iso-iec-27701-lead-auditor
78. Relevant Training
PECB ISO 27001
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27001
Lead Implementer
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27001/iso-iec-27001-lead-implementer
Lead Auditor
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27001/iso-iec-27001-lead-auditor
79. Relevant Training
PECB ISO 27002
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27002
Lead Manager
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27002/iso-iec-27002-lead-manager
82. Relevant Training
PECB ISO27035 - Incident Management
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27035
Lead Incident Manager
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27035/iso-iec-27035-lead-incident-manager
83. Relevant Training
PECB ISO27005 - Risk Management
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27005
Lead Risk Manager
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27005/iso-27005-lead-risk-manager
84. ISO/IEC 27701
Training Courses
• ISO/IEC 27701 Foundation
2 Day Course
• ISO/IEC 27701 Lead Implementer
5 Day Course
Exam and certification fees are included in the training price.
https://pecb.com/en/education-and-certification-for-individuals/iso-27701
www.pecb.com/events