SlideShare ist ein Scribd-Unternehmen logo

Privacy Trends: Key practical steps on ISO/IEC 27701:2019 implementation

Als PPTX, PDF herunterladen
PECB
PECB

In this session, we will go through ISO/IEC 27701 and ISO/IEC 27001 key practical implementation steps and how they can help you to be compliant with the GDPR. Our presenters, Peter Geelen and Stefan Mathuvis, will guide you through the implementer tasks with practical hints and tips and show you how an auditor will look at your implementation, searching for evidence and compliance. In addition, we will match the ISO/IEC 27(7)01 requirements to complete the GDPR obligations as far as possible. Starting from executive management to privacy policies, handling notifications, setting up awareness programs, controlling user access requests, over vendor management to incident management (data breaches) and continuous updates. The webinar will cover: • Quick recap on general ISO components and approach • Implementing ISO/IEC 27001 with the ISO/IEC 27701 extension for GDPR compliance • Do's and don’ts for implementation and audit • The importance of evidence in the audit • Managing audit expectations and the never ending audit cycle Recorded webinar: https://youtu.be/HL-VUiCj4Ew

Bildung
1 von 86
• Introduction • Before we start… • ISO27001 implementation vs audit • ISMS vs PIMS, in practice • The implementer view • The auditor view • Q & A Agenda
Introduction
Peter Geelen (CyberMinute) • 20+ years experience in security • Enterprise Security & IAM • Cybersecurity • Data Protection & Privacy • Incident management, Disaster Recovery • Trainer, coach, auditor • ISO27001 Master & Lead ISO27002 • ISO27701 Lead Impl. & Lead Auditor • Certified DPO & Fellow In Privacy • Lead Incident Mgr & Disaster Recovery • ISO27032 Sr. Lead Cybersecurity Mgr • Lead ISO27005 (Risk Mgmt) • Accredited ISO27001/9001 Lead auditor • Accredited Security Trainer My experience Certification Accreditation http://www.cyberminute.com https://ffwd2.me/pgeelen More info (LinkedIn): peter@cyberminute.com
Stefan Mathuvis (QMA) • 20 years experience in security • Quality Management • Quality Auditor • Cybersecurity • Security, Data Protection & Privacy • Trainer, coach, auditor • ISO27001 Lead Auditor • ISO9001 Lead Auditor • Lead auditor ESD & GDP Pharma • Lead auditor GQS • CDPO • Master trainer DGQ • Accredited ISO27001 lead auditor • Accredited 9001 Lead auditor My experience Certification Accreditation http://www.qma.be https://ffwd2.me/stefan More info (LinkedIn): Stefan@qma.be
Before we start… Previous session recap
• Quick Guide to ISO/IEC 27701-The Newest Privacy Information Standard • PECB: https://pecb.com/past-webinars/quick-guide-to-isoiec-27701-the-newest- privacy-information-standard • Recording: https://youtu.be/ilw4UmMSlU4 • Slideshare: https://www.slideshare.net/PECBCERTIFICATION/quick-guide-to- isoiec-27701-the-newest-privacy-information-standard • ISO/IEC 27701 vs GDPR - What you need to know • PECB: https://pecb.com/past-webinars/isoiec-27701-vs-gdpr-what-you-need-to- know • Recording: https://www.youtube.com/watch?v=P80So3ryvJ8 • Slideshare: https://www.slideshare.net/PECBCERTIFICATION/isoiec-27701-vs- gdpr-what-you-need-to-know For other webinars, see: https://pecb.com/en/webinars Recap: Previous sessions
• Remember ISO27001 • ISMS, Information Security (Management System) • 10 Clauses • 114 controls • Based on PDCA Recap: ISO27001 structure
Act Plan DoCheck ISO27001 main principle: PDCA Time Quality Improvement Quality Assurance Standard Quality Assurance StandardAct Plan DoCheck
Source: ISO9001-2015 Did you know…
Source: PECB ISO27001 Lead Implementer PDCA in ISO27001 clause 6 Planning clause 9 Performance evaluation clause 10 Improvement clause 8 Operation Clause 4 Context of the organization Clause 7 Support Clause 5 Leadership Annex A - Control objectives and controls
Extension to ISO27001 (ISMS) • Information security Management system • + Extension to privacy • + interpretation for GDPR = PIMS (Privacy Information Management system) ISO27701 (PIMS)
Naming convention To avoid any confusion: • ISMS refers to ISO27001 • PIMS refers to ISO27701 (on top of ISO27001) For this session…
ISMS implementation vs audit Opposite or complementary?
Officially starts with external audit but…. • You can use the audit techniques during initial implementation • Implement pre-stage audit • Internal audit is needed (official requirement) • System must have sufficient track record before initial audit After initial audit • Yearly surveillance • 3 year cycle to renewal • Continuous maintenance (also for internal audit) • Continuous improvement The ISO audit lifecycle…
Initial audit • “Get in control” • Passing the mark • Basic maturity (ref. CMMI … level 3) • Room for growth and maturity Surveillance audit (+ recertification) • “Stay in control” • Focus on improvement • Increasing maturity • Based on metrics and measurement… The ISO audit lifecycle…
Starts long before the external audit • To use the audit techniques during initial • Pre-stage audit • Internal audit needed (official requirement) Doesn’t stop after initial external audit • Maintenance The implementation lifecycle…
When starting in ISMS implementation • It takes time to adapt business processes to ISO approach • Focus on evidence.. • Not only documentation, • but also operational results that can be tracked • People that know how ISMS plugs in to their work Audit • Not just a check list, but focus on results • Based on evidence (double evidence) • Advisory function (but not consulting) Hints and tips
ISMS to PIMS, in practice. Getting the mind shift right…
When shifting from ISMS to PIMS • It’s no more about “enterprise only” data • It’s ALSO about “personal data’ • On top of it… Meaning, you’re in the lead with enterprise data, in ISMS. The subject is in the lead when handling personal data… in PIMS (Strong legislation giving power to subject.) Fundamental change in approach
ISMS Fundamental change in mindset & environment ISMS ISMS PIMS
The implementer/audit view of PIMS Recap from previous sessions.
Auditor vs implementer • If you know how the audit works, you know better what to implement • Both in the right spirit • Results based, • not check list based • Growth mindset • Not perfect at first step • Better done than perfect • Think big, act small… Why is this important?
• The audit cycle pushes the implementation of PDCA • Continuous improvement • Step by step • Have an independent / external view • Keep the helicopter view, with good relation between • Business • IT • DPO • Legal The auditor view helps to…
• Include audit considerations from the start • Involve audit throughout the project • Internal audit vs external audit • External audit • mostly end stage (before you restart the cycle) • Certification target • Internal audit • Separate department • Why not cross check? (cross-department) • External auditor (but still under authority of data controller) Some practical hints
• Look at the external auditor as advisor • Not a checklist dummy • [NOT consultant ;) ] • Find the right auditor for you, YOU choose • Experience, expertise • Right mindset (continuous improvement) • Focus on getting results • CMMI: 1… 2… 3… 4… 5… Some practical hints
Recap: ISO27701 mapping to ISO27001 4.3 ISO27001 requirements (ISO27701 Clause 5) ISO27701 Topic ISO27001 Remark 5.2 Context of organisation 4 Changed 5.3 Leadership 5 Direct 5.4 Planning 6 Changed 5.5 Support 7 Direct 5.6 Operation 8 Direct 5.7 Performance evaluation 9 Direct 5.8 Improvement 10 Direct
Recap: ISO27701 mapping to ISO27001 4.3 ISO27002 requirements (ISO27701 Clause 6) ISO27701 Topic ISO27002 Remark 6.2 Policies 5 Changed 6.3 Organisation 6 Changed 6.4 HR 7 Changed 6.5 Asset Management 8 Changed 6.6 Access Control 9 Changed 6.7 Cryptography 10 Changed 6.8 Physical and environment 11 Changed
Recap: ISO27701 mapping to ISO27001 4.3 ISO27002 requirements (ISO27701 Clause 6) ISO27701 Topic ISO27002 Remark 6.9 Operations 12 Changed 6.10 Communications 13 Changed 6.11 Acquisition, Dev & mainten. 14 Changed 6.12 Suppliers 15 Changed 6.13 Incident Mgmt 16 Changed 6.14 Business Continuity 17 Direct 6.15 Compliance 18 Changed
The implementer view of ISO27701 Quick tour: special attention
Interested parties • ISMS: Mainly enterprise, contractual, customers, … bit of employee • PIMS: strong focus on subject data, in any type Different approach • High impact regulation • Worldwide • Very powerful individual • Define goal, vision, mission & strategy • Documentation! PIMS 5.2 / ISMS 4 (Context) Implementer
Interested parties • ISMS: vision, commitment, policy, RACI, • PIMS: accountability (ref. GDPR) Make sure to • Organize regular management meetings • Plan agenda, take notes, … • Register Decisions taken • Plan Communication, incl. all interested parties (incl. external) • Make sure mgmt. takes responsibility. • Make them accountable, … PIMS 5.3 / ISMS 5 (Leadership) Implementer
EXTREMELY IMPORTANT • ISMS: risk management is CORE requirement • PIMS: PIA, DPIA (GDPR) You must • Have a risk register • Setup Risk management system (not the software, but the process) • Maintain risk management HINT: how to assess risk in EXISTING environment? (New processes, update of existing processes and regular basis) PIMS 5.4 / ISMS 6 (Planning) Implementer
ISMS = PIMS, you must have • resources • Competence • Awareness, communication & education • Documentation You need • Budget • People • Time PIMS 5.5 / ISMS 7 (Support) Implementer
PIMS 5.6/5.7/5.8 = ISMS 8/9/10 • Operations • Performance • Improvement You need • Operations: Info security / Data protection / Privacy in your DNA • Performance: plan for metrics and measure (CMMI 4) • Improvement: CONTINUOUSLY Other clauses Implementer
Policies • ISMS ISO27002 (114 controls + …) • PIMS ISO27002 + ISO27701 • ISMS prefix “A” = ISO27002 • Measures • Controls • For security we need PPT = people, process & technology PIMS 6 / ISMS Annex
Policies • ISMS ISO27002 (114 controls + …) • PIMS ISO27002 + ISO27002 ;.. Tasks • Setup policies / documentation • Approve policies • Execute policies • Update policies on a regular basis PIMS 6.2 / ISMS A5 Implementer
ISMS PIMS Serving Management Team idem Enterprise Risk Management Team idem Enterprise Info Sec team idem Enterprise IT operations team idem Enterprise Business idem Enterprise Legal support idem Enterprise / DPO or similar Subject PIMS 6.3 / ISMS A6 (IS Org.) Implementer
Info • PIMS: privacy & data protection in • contracting • awareness. Special attention to • Reference of data protection in contracting • People are lazy (maintain awareness) • Training IMPORTANT: everyone must be onboard to protect personal data! PIMS 6.4 / ISMS A7 (HR) General
Make sure to implement • Asset inventory / CMDB • Not only HW • Also processes • People & knowledge Special attention to • Classification PIMS 6.5 / ISMS A8 (Asset Mgmt) Implementer
ISMS labels categ. PIMS lables Serving 0 - Public Non PII/GDPR Enterprise 1 – Internal Enterprise 2 - Strict internal Enterprise 3 - Critical Enterprise (4 – Secret) Enterprise PII Subject Sensitive PII Subject PIMS 6.5 / ISMS A8 (Asset Mgmt) Implementer
Must have • Access control policy • User (de)registration Special attention to • PIMS: identity management • PIMS EXPLICIT: • DO NOT RE-USE user IDs PIMS 6.6 / ISMS A9 (Access ctrl.) Implementer
Contains • Crypto policy • Special attention to PII treatment Special attention to • Subject information about crypto in • Website, HR, registration systems, storage, backup, … • Disposal of data ! • Evolution of technology in crypto! PIMS 6.7 / ISMS A10 (Crypto) General
Must have • Physical security • Security perimeters • Layered security Special attention to • Core protection, starts with physical • Layered security like • Street, outside, perimeter, • public zone, internal zone, restricted zone, high protection core, … • Define : “who can do what and where (and when)” PIMS 6.8 / ISMS A11 (Physicl Sec.) Implementer
Special attention to (See previous sessions on PIMS) • Backup • Event logging • Log protection PIMS 6.9 / ISMS A12 (Operations) Implementer Do what you say, say what you do, … … and prove it
Make sure to have • Information transfer policy • Vendor / 3rd party / Data processor policy Special attention to • Vendor/processor • Confidentiality • NDA • Incident reporting & feedback PIMS 6.10 / ISMS A13 (Comm.) General
Contains • Development policies • SW acquisition requirements Special attention to • Own responsibility • Vendor/processor responsibility • Sec/DP/Privacy by design • Sec/DP/privacy by default PIMS explicit: no PII for testing purposes! PIMS 6.11 / ISMS A14 (Build or buy) Implement
Important • Compensate for lack of physical control • Legal control • PIMS : High risk! Special attention to • Policy • Contracts • Expert legal support • Right to audit! PIMS 6.12 / ISMS A15 (Supplier) Implementer
Important • Incident register • Incident = failure of system (opportunity for improvement) • PIMS : High risk for data breaches! Special attention to • Policy • Tracking & improvement • Escalation tracks • Exercise, exercise! PIMS 6.13 / ISMS A16 (Incident) Implementer
Important • Maintaining data protection & privacy during disaster • BCM vs DRP Special attention to • Exercise • Testing • Vendors PIMS 6.14 / ISMS A17 (BCM) Implementer
Pay attention to • Legislation • Contract obligations • Company responsibility (protect yourself) • Subject rights Evidence • Anything we discussed today… PIMS 6.15 / ISMS A18 (Compliance) General
The audit view of ISO27701 Focus on evidence
Interested parties • ISMS: documentation on business model, mission, vision, … • PIMS: ISMS documentation, privacy notices, .. Type of community What evidence to find? • Mission/Vision • Community • Business model, processes, type of data • Talking to business & customer dept. PIMS 5.2 / ISMS 4 (Context) Auditor
Interested parties • ISMS: documentation on business model, mission, vision, … • PIMS: ISMS documentation, privacy notices, .. Type of community How to audit? • Management meetings, agenda, notes, … • Decisions taken • Communication • Approvals & signature of policies, … PIMS 5.3 / ISMS 5 (Leadership) Auditor
Look for • ISMS = Risk management • PIMS = Risk management + PIA/DPIA Evidence • Risk sources: incident register, incident reporting, • Track solution of incident • Data breach reporting (confirmed incidents) • Risk register (setup, up to date, ownership, RACI, …) PIMS 5.4 / ISMS 6 (Planning) Auditor
ISMS = PIMS • Check for management support • Check for education plan • Check for awareness Evidence • Interview • Management planning • Education, awareness & communication PIMS 5.5 / ISMS 7 (Support) Auditor
PIMS 5.6/5.7/5.8 = ISMS 8/9/10 • Operations • Performance • Improvement Evidence • Operations: processed, procedures, … on the floor • Performance: Find the metrics • Improvement: internal audit, new projects, updates, … Other clauses Auditor
To check • Policies • SOA Evidence • Setup policies / documentation • Approval of policies • Execution policies • Updates PIMS 6.2 / ISMS A5 Auditor
Check for • organigram • Company organisation • RACI • Segregation of duties Evidence • Roles & responsibilities description • Function description incl. ISMS/PIMS tasks • People IN/OUT PIMS 6.3 / ISMS A6 Auditor
Info • PIMS: privacy & data protection in • contracting • awareness. Special attention to • Reference of data protection in contracting • People are laze (maintain awareness) • Training IMPORTANT: everyone must be onboard to protect personal data! PIMS 6.4 / ISMS A7 (HR) General
Pay attention to • HR IN/OUT vs. IT IN/OUT Evidence • HR • IT security • Privileged account management • General accounts • In/out events • Regular reviews (x times /yr) PIMS 6.6 / ISMS A9 (Access ctrl.) Auditor
Contains • Crypto policy • Special attention to PII treatment Special attention to • Subject information about crypto in • Website, HR, registration systems, storage, backup, … • Disposal of data ! PIMS 6.7 / ISMS A10 (Crypto) General
Pay attention to • Building • Locations • Entry, • Zones • Equipment, cabling, • 3rd party (!) Evidence • On site visit PIMS 6.8 / ISMS A11 (Physical) Auditor
Pay attention to • Tracing of ISMS/PIMS on the floor • People Evidence • Logs • Processes & procedures • Time stamps • Ownership • Meeting minutes • Documentation • …. PIMS 6.9 / ISMS A12 (Operations) Auditor
Make sure to have • Information transfer policy • Vendor / 3rd party / Data processor policy Special attention to • Vendor/processor • Confidentiality • NDA • Incident reporting & feedback PIMS 6.10 / ISMS A13 (Communic.) General
Pay attention to • PIMS Annex A.7.4 (controller) • PIMS Annex B.8.4 (processor) Evidence • Agreements • Acquisition procedures • Development policies & processes PIMS 6.11 / ISMS A14 (Build or buy) Auditor
Pay attention to • Supplier policies • Vendor relations • Vendor contracts Evidence • Vendor negotiations • Vendor contracts • Vendor audits • 3rd party audit reports • Vendor tracking/invoicing • Vendor management updates PIMS 6.12 / ISMS A15 (Supplier) Auditor
Pay attention to • Incident management policy • Incident register • Data breach register • Data breach notifications Evidence • Policy meta data (owner, updates, …) • Incident management procedure • Data breach reporting • DPA communications, … PIMS 6.13 / ISMS A16 (Incident) Auditor
Pay attention to • Maintaining data protection & privacy during disaster • BCM vs DRP Evidence • BCM planning • DRP plan • Test plans • Exercises • Awareness, training & communication PIMS 6.14 / ISMS A17 (BCM) Auditor
Pay attention to • Legislation • Contract obligations • Company responsibility (protect yourself) • Subject rights Evidence • Anything we discussed today… PIMS 6.15 / ISMS A18 (Compliance) General
And last but not least… Never done
PDCA… Continous improvement Start over again… See you at the next cycle…
Q & A Questions & answers
Appendix
Ramping up… Relevant PECB Training courses
Check the PECB agenda, select the ISO/IEC 27701 Lead Implementer https://pecb.com/en/partnerEvent/event_schedule_list Training Events For full detailed information about an event click on the ‘View’ button on the right hand side under ‘View full details’. Note: Before applying for any training courses listed below, please make sure you are registered to PECB Training Agenda
Relevant Training PECB ISO 27701 Foundation https://pecb.com/en/education-and-certification-for-individuals/iso-iec- 27701/iso-iec-27701-foundation PECB ISO 27701 Lead Implementer https://pecb.com/en/education-and-certification-for-individuals/iso-iec- 27701/iso-iec-27701-lead-implementer PECB ISO 27701 Lead Auditor https://pecb.com/en/education-and-certification-for-individuals/iso-iec- 27701/iso-iec-27701-lead-auditor
Relevant Training PECB ISO 27001 https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27001 Lead Implementer https://pecb.com/en/education-and-certification-for-individuals/iso-iec- 27001/iso-iec-27001-lead-implementer Lead Auditor https://pecb.com/en/education-and-certification-for-individuals/iso-iec- 27001/iso-iec-27001-lead-auditor
Relevant Training PECB ISO 27002 https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27002 Lead Manager https://pecb.com/en/education-and-certification-for-individuals/iso-iec- 27002/iso-iec-27002-lead-manager
Relevant Training PECB GDPR https://pecb.com/en/education-and-certification-for-individuals/gdpr CDPO https://pecb.com/en/education-and-certification-for-individuals/gdpr/certified- data-protection-officer
Relevant Training PECB ISO29100 https://pecb.com/en/education-and-certification-for-individuals/iso-iec-29100- privacy-implementer Lead Implementer https://pecb.com/en/education-and-certification-for-individuals/iso-iec-29100- privacy-implementer/iso-29100-lead-privacy-implementer
Relevant Training PECB ISO27035 - Incident Management https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27035 Lead Incident Manager https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27035 /iso-iec-27035-lead-incident-manager
Relevant Training PECB ISO27005 - Risk Management https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27005 Lead Risk Manager https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27005 /iso-27005-lead-risk-manager
ISO/IEC 27701 Training Courses • ISO/IEC 27701 Foundation 2 Day Course • ISO/IEC 27701 Lead Implementer 5Days Course Exam and certification fees are included in the training price. https://pecb.com/en/education-and-certification-for-individuals/iso- 27701 www.pecb.com/events
THANK YOU ? info@cyberminute.com CyberMinute Stefan Mathuvisstefan@qma.be

Empfohlen

Quick Guide to ISO/IEC 27701 - The Newest Privacy Information Standard
Quick Guide to ISO/IEC 27701 - The Newest Privacy Information StandardQuick Guide to ISO/IEC 27701 - The Newest Privacy Information Standard
Quick Guide to ISO/IEC 27701 - The Newest Privacy Information StandardPECB
 
ISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to Know
ISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to KnowISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to Know
ISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to KnowPECB
 
ISO/IEC 27001:2022 – What are the changes?
ISO/IEC 27001:2022 – What are the changes?ISO/IEC 27001:2022 – What are the changes?
ISO/IEC 27001:2022 – What are the changes?PECB
 
ISO 27001 2002 Update Webinar.pdf
ISO 27001 2002 Update Webinar.pdfISO 27001 2002 Update Webinar.pdf
ISO 27001 2002 Update Webinar.pdfControlCase
 
ISO/IEC 27701 vs GDPR: What you need to know
ISO/IEC 27701 vs GDPR: What you need to knowISO/IEC 27701 vs GDPR: What you need to know
ISO/IEC 27701 vs GDPR: What you need to knowPECB
 
ISO 27001 In The Age Of Privacy
ISO 27001 In The Age Of PrivacyISO 27001 In The Age Of Privacy
ISO 27001 In The Age Of PrivacyControlCase
 
What is ISO 27001 ISMS
What is ISO 27001 ISMSWhat is ISO 27001 ISMS
What is ISO 27001 ISMSBusiness Beam
 
NQA ISO 27001 Implementation Guide
NQA ISO 27001 Implementation GuideNQA ISO 27001 Implementation Guide
NQA ISO 27001 Implementation GuideNQA
 

Empfohlen

Quick Guide to ISO/IEC 27701 - The Newest Privacy Information Standard
Quick Guide to ISO/IEC 27701 - The Newest Privacy Information StandardQuick Guide to ISO/IEC 27701 - The Newest Privacy Information Standard
Quick Guide to ISO/IEC 27701 - The Newest Privacy Information StandardPECB
 
ISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to Know
ISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to KnowISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to Know
ISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to KnowPECB
 
ISO/IEC 27001:2022 – What are the changes?
ISO/IEC 27001:2022 – What are the changes?ISO/IEC 27001:2022 – What are the changes?
ISO/IEC 27001:2022 – What are the changes?PECB
 
ISO 27001 2002 Update Webinar.pdf
ISO 27001 2002 Update Webinar.pdfISO 27001 2002 Update Webinar.pdf
ISO 27001 2002 Update Webinar.pdfControlCase
 
ISO/IEC 27701 vs GDPR: What you need to know
ISO/IEC 27701 vs GDPR: What you need to knowISO/IEC 27701 vs GDPR: What you need to know
ISO/IEC 27701 vs GDPR: What you need to knowPECB
 
ISO 27001 In The Age Of Privacy
ISO 27001 In The Age Of PrivacyISO 27001 In The Age Of Privacy
ISO 27001 In The Age Of PrivacyControlCase
 
What is ISO 27001 ISMS
What is ISO 27001 ISMSWhat is ISO 27001 ISMS
What is ISO 27001 ISMSBusiness Beam
 
NQA ISO 27001 Implementation Guide
NQA ISO 27001 Implementation GuideNQA ISO 27001 Implementation Guide
NQA ISO 27001 Implementation GuideNQA
 
ISO 27001:2022 What has changed.pdf
ISO 27001:2022 What has changed.pdfISO 27001:2022 What has changed.pdf
ISO 27001:2022 What has changed.pdfAndrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
Integrating ISO 27001, ISO 20000, and Project Management – From Theory to Pra...
Integrating ISO 27001, ISO 20000, and Project Management – From Theory to Pra...Integrating ISO 27001, ISO 20000, and Project Management – From Theory to Pra...
Integrating ISO 27001, ISO 20000, and Project Management – From Theory to Pra...PECB
 
ISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process OverviewISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process OverviewShankar Subramaniyan
 
ISO/IEC 27701, GDPR, and ePrivacy: How Do They Map?
ISO/IEC 27701, GDPR, and ePrivacy: How Do They Map?ISO/IEC 27701, GDPR, and ePrivacy: How Do They Map?
ISO/IEC 27701, GDPR, and ePrivacy: How Do They Map?PECB
 
ISO 27001 Training | ISMS Awareness Training
ISO 27001 Training | ISMS Awareness TrainingISO 27001 Training | ISMS Awareness Training
ISO 27001 Training | ISMS Awareness Traininghimalya sharma
 
27001 awareness Training
27001 awareness Training27001 awareness Training
27001 awareness TrainingDr Madhu Aman Sharma
 
Project plan for ISO 27001
Project plan for ISO 27001Project plan for ISO 27001
Project plan for ISO 27001technakama
 
ISO 27001
ISO 27001ISO 27001
ISO 27001n|u - The Open Security Community
 
ISMS Part I
ISMS Part IISMS Part I
ISMS Part Ikhushboo
 
Basic introduction to iso27001
Basic introduction to iso27001Basic introduction to iso27001
Basic introduction to iso27001Imran Ahmed
 
Iso 27001 awareness
Iso 27001 awarenessIso 27001 awareness
Iso 27001 awarenessÃsħâr Ãâlâm
 
ISO 27001 Benefits
ISO 27001 BenefitsISO 27001 Benefits
ISO 27001 BenefitsDejan Kosutic
 
ISO 27001 - Information Security Management System
ISO 27001 - Information Security Management SystemISO 27001 - Information Security Management System
ISO 27001 - Information Security Management SystemMuhammad Faisal Naqvi, CISSP, CISA, AMBCI, ITIL, ISMS LA n Master
 
ISO 27001:2022 Introduction
ISO 27001:2022 IntroductionISO 27001:2022 Introduction
ISO 27001:2022 IntroductionAndrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
ISO/IEC 27001:2013 An Overview
ISO/IEC 27001:2013 An Overview ISO/IEC 27001:2013 An Overview
ISO/IEC 27001:2013 An Overview Ahmed Riad .
 
ISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptxISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptxDr Madhu Aman Sharma
 
How can the ISO 27701 help to design, implement, operate and improve a privac...
How can the ISO 27701 help to design, implement, operate and improve a privac...How can the ISO 27701 help to design, implement, operate and improve a privac...
How can the ISO 27701 help to design, implement, operate and improve a privac...Hernan Huwyler, MBA CPA
 
Iso 27001 isms presentation
Iso 27001 isms presentationIso 27001 isms presentation
Iso 27001 isms presentationMidhun Nirmal
 
ISO 27001_2022 What has changed 2.0 for ISACA.pdf
ISO 27001_2022 What has changed 2.0 for ISACA.pdfISO 27001_2022 What has changed 2.0 for ISACA.pdf
ISO 27001_2022 What has changed 2.0 for ISACA.pdfAndrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
Why ISO27001 For My Organisation
Why ISO27001 For My OrganisationWhy ISO27001 For My Organisation
Why ISO27001 For My OrganisationVigilant Software
 
ISO 27001 Certification: An All-Access Pass
ISO 27001 Certification: An All-Access PassISO 27001 Certification: An All-Access Pass
ISO 27001 Certification: An All-Access PassA-lign
 
ISO Auditing: What Is It and Why Should You Consider It?
ISO Auditing: What Is It and Why Should You Consider It?ISO Auditing: What Is It and Why Should You Consider It?
ISO Auditing: What Is It and Why Should You Consider It?Triumvirate Environmental
 

Weitere ähnliche Inhalte

Was ist angesagt?

Integrating ISO 27001, ISO 20000, and Project Management – From Theory to Pra...
Integrating ISO 27001, ISO 20000, and Project Management – From Theory to Pra...Integrating ISO 27001, ISO 20000, and Project Management – From Theory to Pra...
Integrating ISO 27001, ISO 20000, and Project Management – From Theory to Pra...PECB
 
ISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process OverviewISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process OverviewShankar Subramaniyan
 
ISO/IEC 27701, GDPR, and ePrivacy: How Do They Map?
ISO/IEC 27701, GDPR, and ePrivacy: How Do They Map?ISO/IEC 27701, GDPR, and ePrivacy: How Do They Map?
ISO/IEC 27701, GDPR, and ePrivacy: How Do They Map?PECB
 
ISO 27001 Training | ISMS Awareness Training
ISO 27001 Training | ISMS Awareness TrainingISO 27001 Training | ISMS Awareness Training
ISO 27001 Training | ISMS Awareness Traininghimalya sharma
 
Project plan for ISO 27001
Project plan for ISO 27001Project plan for ISO 27001
Project plan for ISO 27001technakama
 
ISMS Part I
ISMS Part IISMS Part I
ISMS Part Ikhushboo
 
Basic introduction to iso27001
Basic introduction to iso27001Basic introduction to iso27001
Basic introduction to iso27001Imran Ahmed
 
ISO/IEC 27001:2013 An Overview
ISO/IEC 27001:2013 An Overview ISO/IEC 27001:2013 An Overview
ISO/IEC 27001:2013 An Overview Ahmed Riad .
 
ISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptxISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptxDr Madhu Aman Sharma
 
How can the ISO 27701 help to design, implement, operate and improve a privac...
How can the ISO 27701 help to design, implement, operate and improve a privac...How can the ISO 27701 help to design, implement, operate and improve a privac...
How can the ISO 27701 help to design, implement, operate and improve a privac...Hernan Huwyler, MBA CPA
 
Iso 27001 isms presentation
Iso 27001 isms presentationIso 27001 isms presentation
Iso 27001 isms presentationMidhun Nirmal
 
Why ISO27001 For My Organisation
Why ISO27001 For My OrganisationWhy ISO27001 For My Organisation
Why ISO27001 For My OrganisationVigilant Software
 

Was ist angesagt? (20)

ISO 27001:2022 What has changed.pdf
ISO 27001:2022 What has changed.pdfISO 27001:2022 What has changed.pdf
ISO 27001:2022 What has changed.pdf
 
Integrating ISO 27001, ISO 20000, and Project Management – From Theory to Pra...
Integrating ISO 27001, ISO 20000, and Project Management – From Theory to Pra...Integrating ISO 27001, ISO 20000, and Project Management – From Theory to Pra...
Integrating ISO 27001, ISO 20000, and Project Management – From Theory to Pra...
 
ISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process OverviewISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process Overview
 
ISO/IEC 27701, GDPR, and ePrivacy: How Do They Map?
ISO/IEC 27701, GDPR, and ePrivacy: How Do They Map?ISO/IEC 27701, GDPR, and ePrivacy: How Do They Map?
ISO/IEC 27701, GDPR, and ePrivacy: How Do They Map?
 
ISO 27001 Training | ISMS Awareness Training
ISO 27001 Training | ISMS Awareness TrainingISO 27001 Training | ISMS Awareness Training
ISO 27001 Training | ISMS Awareness Training
 
27001 awareness Training
27001 awareness Training27001 awareness Training
27001 awareness Training
 
Project plan for ISO 27001
Project plan for ISO 27001Project plan for ISO 27001
Project plan for ISO 27001
 
ISO 27001
ISO 27001ISO 27001
ISO 27001
 
ISMS Part I
ISMS Part IISMS Part I
ISMS Part I
 
Basic introduction to iso27001
Basic introduction to iso27001Basic introduction to iso27001
Basic introduction to iso27001
 
Iso 27001 awareness
Iso 27001 awarenessIso 27001 awareness
Iso 27001 awareness
 
ISO 27001 Benefits
ISO 27001 BenefitsISO 27001 Benefits
ISO 27001 Benefits
 
ISO 27001 - Information Security Management System
ISO 27001 - Information Security Management SystemISO 27001 - Information Security Management System
ISO 27001 - Information Security Management System
 
ISO 27001:2022 Introduction
ISO 27001:2022 IntroductionISO 27001:2022 Introduction
ISO 27001:2022 Introduction
 
ISO/IEC 27001:2013 An Overview
ISO/IEC 27001:2013 An Overview ISO/IEC 27001:2013 An Overview
ISO/IEC 27001:2013 An Overview
 
ISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptxISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptx
 
How can the ISO 27701 help to design, implement, operate and improve a privac...
How can the ISO 27701 help to design, implement, operate and improve a privac...How can the ISO 27701 help to design, implement, operate and improve a privac...
How can the ISO 27701 help to design, implement, operate and improve a privac...
 
Iso 27001 isms presentation
Iso 27001 isms presentationIso 27001 isms presentation
Iso 27001 isms presentation
 
ISO 27001_2022 What has changed 2.0 for ISACA.pdf
ISO 27001_2022 What has changed 2.0 for ISACA.pdfISO 27001_2022 What has changed 2.0 for ISACA.pdf
ISO 27001_2022 What has changed 2.0 for ISACA.pdf
 
Why ISO27001 For My Organisation
Why ISO27001 For My OrganisationWhy ISO27001 For My Organisation
Why ISO27001 For My Organisation
 

Ähnlich wie Privacy Trends: Key practical steps on ISO/IEC 27701:2019 implementation

ISO 27001 Certification: An All-Access Pass
ISO 27001 Certification: An All-Access PassISO 27001 Certification: An All-Access Pass
ISO 27001 Certification: An All-Access PassA-lign
 
ISO Auditing: What Is It and Why Should You Consider It?
ISO Auditing: What Is It and Why Should You Consider It?ISO Auditing: What Is It and Why Should You Consider It?
ISO Auditing: What Is It and Why Should You Consider It?Triumvirate Environmental
 
ISO 27001-Manage IT Risks and Build Customer Confidence
ISO 27001-Manage IT Risks and Build Customer ConfidenceISO 27001-Manage IT Risks and Build Customer Confidence
ISO 27001-Manage IT Risks and Build Customer ConfidenceAl Abbas, PMP, CISSP, MBA, MSc
 
ISO 90012008 Understanding and Internal Auditing.ppt
ISO 90012008 Understanding and Internal Auditing.pptISO 90012008 Understanding and Internal Auditing.ppt
ISO 90012008 Understanding and Internal Auditing.pptFirozKhan158275
 
The Basics of ISO Certification
The Basics of ISO CertificationThe Basics of ISO Certification
The Basics of ISO CertificationDozuki Software
 
ISO 27001 Lead Implementer Classroom Training Course Certification - ievision...
ISO 27001 Lead Implementer Classroom Training Course Certification - ievision...ISO 27001 Lead Implementer Classroom Training Course Certification - ievision...
ISO 27001 Lead Implementer Classroom Training Course Certification - ievision...IEVISION IT SERVICES Pvt. Ltd
 
Why iso 27001_awareness_presentation_en
Why iso 27001_awareness_presentation_enWhy iso 27001_awareness_presentation_en
Why iso 27001_awareness_presentation_enSelby Wilson
 
Privacy in the Cloud- Introduction to ISO 27018
Privacy in the Cloud- Introduction to ISO 27018Privacy in the Cloud- Introduction to ISO 27018
Privacy in the Cloud- Introduction to ISO 27018Schellman & Company
 
PECB Webinar: ISO Internal Audits - A signpost to ISO compliance
PECB Webinar: ISO Internal Audits - A signpost to ISO compliancePECB Webinar: ISO Internal Audits - A signpost to ISO compliance
PECB Webinar: ISO Internal Audits - A signpost to ISO compliancePECB
 
O365Con18 - Compliance Manager - Tomislav Lulic
O365Con18 - Compliance Manager - Tomislav LulicO365Con18 - Compliance Manager - Tomislav Lulic
O365Con18 - Compliance Manager - Tomislav LulicNCCOMMS
 
ISO_9001_Mangement_Briefing.pptx
ISO_9001_Mangement_Briefing.pptxISO_9001_Mangement_Briefing.pptx
ISO_9001_Mangement_Briefing.pptxukavathekar
 
Certification Body Approach to ISO 9001:2015 by NQA
Certification Body Approach to ISO 9001:2015 by NQACertification Body Approach to ISO 9001:2015 by NQA
Certification Body Approach to ISO 9001:2015 by NQANQA
 
Quality Management System awareness for all
Quality Management System awareness for all Quality Management System awareness for all
Quality Management System awareness for all ANUPAM RAY
 

Ähnlich wie Privacy Trends: Key practical steps on ISO/IEC 27701:2019 implementation (20)

ISO 27001 Certification: An All-Access Pass
ISO 27001 Certification: An All-Access PassISO 27001 Certification: An All-Access Pass
ISO 27001 Certification: An All-Access Pass
 
ISO Auditing: What Is It and Why Should You Consider It?
ISO Auditing: What Is It and Why Should You Consider It?ISO Auditing: What Is It and Why Should You Consider It?
ISO Auditing: What Is It and Why Should You Consider It?
 
ISO 27001-Manage IT Risks and Build Customer Confidence
ISO 27001-Manage IT Risks and Build Customer ConfidenceISO 27001-Manage IT Risks and Build Customer Confidence
ISO 27001-Manage IT Risks and Build Customer Confidence
 
ISO 90012008 Understanding and Internal Auditing.ppt
ISO 90012008 Understanding and Internal Auditing.pptISO 90012008 Understanding and Internal Auditing.ppt
ISO 90012008 Understanding and Internal Auditing.ppt
 
The Basics of ISO Certification
The Basics of ISO CertificationThe Basics of ISO Certification
The Basics of ISO Certification
 
ISO 27001 Lead Implementer Classroom Training Course Certification - ievision...
ISO 27001 Lead Implementer Classroom Training Course Certification - ievision...ISO 27001 Lead Implementer Classroom Training Course Certification - ievision...
ISO 27001 Lead Implementer Classroom Training Course Certification - ievision...
 
Iso 27001 lead implementer
Iso 27001 lead implementerIso 27001 lead implementer
Iso 27001 lead implementer
 
Iso 27001 lead implementer in al ahmadi
Iso 27001 lead implementer in al ahmadiIso 27001 lead implementer in al ahmadi
Iso 27001 lead implementer in al ahmadi
 
Iso 27001 lead implementer training in kuwaitcity
Iso 27001 lead implementer training in kuwaitcityIso 27001 lead implementer training in kuwaitcity
Iso 27001 lead implementer training in kuwaitcity
 
Damco iso 27001
Damco iso 27001Damco iso 27001
Damco iso 27001
 
Iso 27001 lead auditor
Iso 27001 lead auditorIso 27001 lead auditor
Iso 27001 lead auditor
 
Why iso 27001_awareness_presentation_en
Why iso 27001_awareness_presentation_enWhy iso 27001_awareness_presentation_en
Why iso 27001_awareness_presentation_en
 
Privacy in the Cloud- Introduction to ISO 27018
Privacy in the Cloud- Introduction to ISO 27018Privacy in the Cloud- Introduction to ISO 27018
Privacy in the Cloud- Introduction to ISO 27018
 
PECB Webinar: ISO Internal Audits - A signpost to ISO compliance
PECB Webinar: ISO Internal Audits - A signpost to ISO compliancePECB Webinar: ISO Internal Audits - A signpost to ISO compliance
PECB Webinar: ISO Internal Audits - A signpost to ISO compliance
 
O365Con18 - Compliance Manager - Tomislav Lulic
O365Con18 - Compliance Manager - Tomislav LulicO365Con18 - Compliance Manager - Tomislav Lulic
O365Con18 - Compliance Manager - Tomislav Lulic
 
ISO_9001_Mangement_Briefing.pptx
ISO_9001_Mangement_Briefing.pptxISO_9001_Mangement_Briefing.pptx
ISO_9001_Mangement_Briefing.pptx
 
Damco iso 27001
Damco iso 27001Damco iso 27001
Damco iso 27001
 
Damco iso 27001
Damco iso 27001Damco iso 27001
Damco iso 27001
 
Certification Body Approach to ISO 9001:2015 by NQA
Certification Body Approach to ISO 9001:2015 by NQACertification Body Approach to ISO 9001:2015 by NQA
Certification Body Approach to ISO 9001:2015 by NQA
 
Quality Management System awareness for all
Quality Management System awareness for all Quality Management System awareness for all
Quality Management System awareness for all
 

Mehr von PECB

Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactPECB
 
DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of Cybersecurity
DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of CybersecurityDORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of Cybersecurity
DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of CybersecurityPECB
 
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI GovernanceSecuring the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI GovernancePECB
 
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...PECB
 
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...PECB
 
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks EffectivelyISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks EffectivelyPECB
 
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...PECB
 
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital TransformationISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital TransformationPECB
 
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulations
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulationsManaging ISO 31000 Framework in AI Systems - The EU ACT and other regulations
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulationsPECB
 
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?PECB
 
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...PECB
 
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...PECB
 
Student Information Session University KTMC
Student Information Session University KTMC Student Information Session University KTMC
Student Information Session University KTMC PECB
 
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...PECB
 
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...PECB
 
Student Information Session University CREST ADVISORY AFRICA
Student Information Session University CREST ADVISORY AFRICA Student Information Session University CREST ADVISORY AFRICA
Student Information Session University CREST ADVISORY AFRICA PECB
 
IT Governance and Information Security – How do they map?
IT Governance and Information Security – How do they map?IT Governance and Information Security – How do they map?
IT Governance and Information Security – How do they map?PECB
 
Information Session University Egybyte.pptx
Information Session University Egybyte.pptxInformation Session University Egybyte.pptx
Information Session University Egybyte.pptxPECB
 
Student Information Session University Digital Encode.pptx
Student Information Session University Digital Encode.pptxStudent Information Session University Digital Encode.pptx
Student Information Session University Digital Encode.pptxPECB
 
Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023PECB
 

Mehr von PECB (20)

Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
 
DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of Cybersecurity
DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of CybersecurityDORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of Cybersecurity
DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of Cybersecurity
 
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI GovernanceSecuring the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
 
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
 
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
 
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks EffectivelyISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
 
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
 
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital TransformationISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
 
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulations
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulationsManaging ISO 31000 Framework in AI Systems - The EU ACT and other regulations
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulations
 
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
 
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
 
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
 
Student Information Session University KTMC
Student Information Session University KTMC Student Information Session University KTMC
Student Information Session University KTMC
 
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
 
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
 
Student Information Session University CREST ADVISORY AFRICA
Student Information Session University CREST ADVISORY AFRICA Student Information Session University CREST ADVISORY AFRICA
Student Information Session University CREST ADVISORY AFRICA
 
IT Governance and Information Security – How do they map?
IT Governance and Information Security – How do they map?IT Governance and Information Security – How do they map?
IT Governance and Information Security – How do they map?
 
Information Session University Egybyte.pptx
Information Session University Egybyte.pptxInformation Session University Egybyte.pptx
Information Session University Egybyte.pptx
 
Student Information Session University Digital Encode.pptx
Student Information Session University Digital Encode.pptxStudent Information Session University Digital Encode.pptx
Student Information Session University Digital Encode.pptx
 
Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023
 

Kürzlich hochgeladen

mini mental status format.docx
mini mental status format.docxmini mental status format.docx
mini mental status format.docxPoojaSen20
 
Arihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfArihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfchloefrazer622
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfsanyamsingh5019
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxVS Mahajan Coaching Centre
 
Hybridoma Technology ( Production , Purification , and Application )
Hybridoma Technology ( Production , Purification , and Application ) Hybridoma Technology ( Production , Purification , and Application )
Hybridoma Technology ( Production , Purification , and Application ) Sakshi Ghasle
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdfSoniaTolstoy
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxheathfieldcps1
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxiammrhaywood
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)eniolaolutunde
 
Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991
Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991
Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991RKavithamani
 
Mastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionMastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionSafetyChain Software
 
Alper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentAlper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentInMediaRes1
 
Separation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesSeparation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesFatimaKhan178732
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introductionMaksud Ahmed
 
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...Marc Dusseiller Dusjagr
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingTechSoup
 
Solving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxSolving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxOH TEIK BIN
 

Kürzlich hochgeladen (20)

mini mental status format.docx
mini mental status format.docxmini mental status format.docx
mini mental status format.docx
 
Arihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfArihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdf
 
Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdf
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
 
Hybridoma Technology ( Production , Purification , and Application )
Hybridoma Technology ( Production , Purification , and Application ) Hybridoma Technology ( Production , Purification , and Application )
Hybridoma Technology ( Production , Purification , and Application )
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
 
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdfTataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
 
Staff of Color (SOC) Retention Efforts DDSD
Staff of Color (SOC) Retention Efforts DDSDStaff of Color (SOC) Retention Efforts DDSD
Staff of Color (SOC) Retention Efforts DDSD
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)
 
Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991
Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991
Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991
 
Mastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionMastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory Inspection
 
Alper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentAlper Gobel In Media Res Media Component
Alper Gobel In Media Res Media Component
 
Separation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesSeparation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and Actinides
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introduction
 
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy Consulting
 
Solving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxSolving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptx
 

Privacy Trends: Key practical steps on ISO/IEC 27701:2019 implementation

  • 1.
  • 2. • Introduction • Before we start… • ISO27001 implementation vs audit • ISMS vs PIMS, in practice • The implementer view • The auditor view • Q & A Agenda
  • 4. Peter Geelen (CyberMinute) • 20+ years experience in security • Enterprise Security & IAM • Cybersecurity • Data Protection & Privacy • Incident management, Disaster Recovery • Trainer, coach, auditor • ISO27001 Master & Lead ISO27002 • ISO27701 Lead Impl. & Lead Auditor • Certified DPO & Fellow In Privacy • Lead Incident Mgr & Disaster Recovery • ISO27032 Sr. Lead Cybersecurity Mgr • Lead ISO27005 (Risk Mgmt) • Accredited ISO27001/9001 Lead auditor • Accredited Security Trainer My experience Certification Accreditation http://www.cyberminute.com https://ffwd2.me/pgeelen More info (LinkedIn): peter@cyberminute.com
  • 5. Stefan Mathuvis (QMA) • 20 years experience in security • Quality Management • Quality Auditor • Cybersecurity • Security, Data Protection & Privacy • Trainer, coach, auditor • ISO27001 Lead Auditor • ISO9001 Lead Auditor • Lead auditor ESD & GDP Pharma • Lead auditor GQS • CDPO • Master trainer DGQ • Accredited ISO27001 lead auditor • Accredited 9001 Lead auditor My experience Certification Accreditation http://www.qma.be https://ffwd2.me/stefan More info (LinkedIn): Stefan@qma.be
  • 7. • Quick Guide to ISO/IEC 27701-The Newest Privacy Information Standard • PECB: https://pecb.com/past-webinars/quick-guide-to-isoiec-27701-the-newest- privacy-information-standard • Recording: https://youtu.be/ilw4UmMSlU4 • Slideshare: https://www.slideshare.net/PECBCERTIFICATION/quick-guide-to- isoiec-27701-the-newest-privacy-information-standard • ISO/IEC 27701 vs GDPR - What you need to know • PECB: https://pecb.com/past-webinars/isoiec-27701-vs-gdpr-what-you-need-to- know • Recording: https://www.youtube.com/watch?v=P80So3ryvJ8 • Slideshare: https://www.slideshare.net/PECBCERTIFICATION/isoiec-27701-vs- gdpr-what-you-need-to-know For other webinars, see: https://pecb.com/en/webinars Recap: Previous sessions
  • 8. • Remember ISO27001 • ISMS, Information Security (Management System) • 10 Clauses • 114 controls • Based on PDCA Recap: ISO27001 structure
  • 9. Act Plan DoCheck ISO27001 main principle: PDCA Time Quality Improvement Quality Assurance Standard Quality Assurance StandardAct Plan DoCheck
  • 11. Source: PECB ISO27001 Lead Implementer PDCA in ISO27001 clause 6 Planning clause 9 Performance evaluation clause 10 Improvement clause 8 Operation Clause 4 Context of the organization Clause 7 Support Clause 5 Leadership Annex A - Control objectives and controls
  • 12. Extension to ISO27001 (ISMS) • Information security Management system • + Extension to privacy • + interpretation for GDPR = PIMS (Privacy Information Management system) ISO27701 (PIMS)
  • 13. Naming convention To avoid any confusion: • ISMS refers to ISO27001 • PIMS refers to ISO27701 (on top of ISO27001) For this session…
  • 14. ISMS implementation vs audit Opposite or complementary?
  • 15. Officially starts with external audit but…. • You can use the audit techniques during initial implementation • Implement pre-stage audit • Internal audit is needed (official requirement) • System must have sufficient track record before initial audit After initial audit • Yearly surveillance • 3 year cycle to renewal • Continuous maintenance (also for internal audit) • Continuous improvement The ISO audit lifecycle…
  • 16. Initial audit • “Get in control” • Passing the mark • Basic maturity (ref. CMMI … level 3) • Room for growth and maturity Surveillance audit (+ recertification) • “Stay in control” • Focus on improvement • Increasing maturity • Based on metrics and measurement… The ISO audit lifecycle…
  • 17. Starts long before the external audit • To use the audit techniques during initial • Pre-stage audit • Internal audit needed (official requirement) Doesn’t stop after initial external audit • Maintenance The implementation lifecycle…
  • 18. When starting in ISMS implementation • It takes time to adapt business processes to ISO approach • Focus on evidence.. • Not only documentation, • but also operational results that can be tracked • People that know how ISMS plugs in to their work Audit • Not just a check list, but focus on results • Based on evidence (double evidence) • Advisory function (but not consulting) Hints and tips
  • 19. ISMS to PIMS, in practice. Getting the mind shift right…
  • 20. When shifting from ISMS to PIMS • It’s no more about “enterprise only” data • It’s ALSO about “personal data’ • On top of it… Meaning, you’re in the lead with enterprise data, in ISMS. The subject is in the lead when handling personal data… in PIMS (Strong legislation giving power to subject.) Fundamental change in approach
  • 21. ISMS Fundamental change in mindset & environment ISMS ISMS PIMS
  • 22. The implementer/audit view of PIMS Recap from previous sessions.
  • 23. Auditor vs implementer • If you know how the audit works, you know better what to implement • Both in the right spirit • Results based, • not check list based • Growth mindset • Not perfect at first step • Better done than perfect • Think big, act small… Why is this important?
  • 24. • The audit cycle pushes the implementation of PDCA • Continuous improvement • Step by step • Have an independent / external view • Keep the helicopter view, with good relation between • Business • IT • DPO • Legal The auditor view helps to…
  • 25. • Include audit considerations from the start • Involve audit throughout the project • Internal audit vs external audit • External audit • mostly end stage (before you restart the cycle) • Certification target • Internal audit • Separate department • Why not cross check? (cross-department) • External auditor (but still under authority of data controller) Some practical hints
  • 26. • Look at the external auditor as advisor • Not a checklist dummy • [NOT consultant ;) ] • Find the right auditor for you, YOU choose • Experience, expertise • Right mindset (continuous improvement) • Focus on getting results • CMMI: 1… 2… 3… 4… 5… Some practical hints
  • 27. Recap: ISO27701 mapping to ISO27001 4.3 ISO27001 requirements (ISO27701 Clause 5) ISO27701 Topic ISO27001 Remark 5.2 Context of organisation 4 Changed 5.3 Leadership 5 Direct 5.4 Planning 6 Changed 5.5 Support 7 Direct 5.6 Operation 8 Direct 5.7 Performance evaluation 9 Direct 5.8 Improvement 10 Direct
  • 28. Recap: ISO27701 mapping to ISO27001 4.3 ISO27002 requirements (ISO27701 Clause 6) ISO27701 Topic ISO27002 Remark 6.2 Policies 5 Changed 6.3 Organisation 6 Changed 6.4 HR 7 Changed 6.5 Asset Management 8 Changed 6.6 Access Control 9 Changed 6.7 Cryptography 10 Changed 6.8 Physical and environment 11 Changed
  • 29. Recap: ISO27701 mapping to ISO27001 4.3 ISO27002 requirements (ISO27701 Clause 6) ISO27701 Topic ISO27002 Remark 6.9 Operations 12 Changed 6.10 Communications 13 Changed 6.11 Acquisition, Dev & mainten. 14 Changed 6.12 Suppliers 15 Changed 6.13 Incident Mgmt 16 Changed 6.14 Business Continuity 17 Direct 6.15 Compliance 18 Changed
  • 30. The implementer view of ISO27701 Quick tour: special attention
  • 31. Interested parties • ISMS: Mainly enterprise, contractual, customers, … bit of employee • PIMS: strong focus on subject data, in any type Different approach • High impact regulation • Worldwide • Very powerful individual • Define goal, vision, mission & strategy • Documentation! PIMS 5.2 / ISMS 4 (Context) Implementer
  • 32. Interested parties • ISMS: vision, commitment, policy, RACI, • PIMS: accountability (ref. GDPR) Make sure to • Organize regular management meetings • Plan agenda, take notes, … • Register Decisions taken • Plan Communication, incl. all interested parties (incl. external) • Make sure mgmt. takes responsibility. • Make them accountable, … PIMS 5.3 / ISMS 5 (Leadership) Implementer
  • 33. EXTREMELY IMPORTANT • ISMS: risk management is CORE requirement • PIMS: PIA, DPIA (GDPR) You must • Have a risk register • Setup Risk management system (not the software, but the process) • Maintain risk management HINT: how to assess risk in EXISTING environment? (New processes, update of existing processes and regular basis) PIMS 5.4 / ISMS 6 (Planning) Implementer
  • 34. ISMS = PIMS, you must have • resources • Competence • Awareness, communication & education • Documentation You need • Budget • People • Time PIMS 5.5 / ISMS 7 (Support) Implementer
  • 35. PIMS 5.6/5.7/5.8 = ISMS 8/9/10 • Operations • Performance • Improvement You need • Operations: Info security / Data protection / Privacy in your DNA • Performance: plan for metrics and measure (CMMI 4) • Improvement: CONTINUOUSLY Other clauses Implementer
  • 36. Policies • ISMS ISO27002 (114 controls + …) • PIMS ISO27002 + ISO27701 • ISMS prefix “A” = ISO27002 • Measures • Controls • For security we need PPT = people, process & technology PIMS 6 / ISMS Annex
  • 37. Policies • ISMS ISO27002 (114 controls + …) • PIMS ISO27002 + ISO27002 ;.. Tasks • Setup policies / documentation • Approve policies • Execute policies • Update policies on a regular basis PIMS 6.2 / ISMS A5 Implementer
  • 38. ISMS PIMS Serving Management Team idem Enterprise Risk Management Team idem Enterprise Info Sec team idem Enterprise IT operations team idem Enterprise Business idem Enterprise Legal support idem Enterprise / DPO or similar Subject PIMS 6.3 / ISMS A6 (IS Org.) Implementer
  • 39. Info • PIMS: privacy & data protection in • contracting • awareness. Special attention to • Reference of data protection in contracting • People are lazy (maintain awareness) • Training IMPORTANT: everyone must be onboard to protect personal data! PIMS 6.4 / ISMS A7 (HR) General
  • 40. Make sure to implement • Asset inventory / CMDB • Not only HW • Also processes • People & knowledge Special attention to • Classification PIMS 6.5 / ISMS A8 (Asset Mgmt) Implementer
  • 41. ISMS labels categ. PIMS lables Serving 0 - Public Non PII/GDPR Enterprise 1 – Internal Enterprise 2 - Strict internal Enterprise 3 - Critical Enterprise (4 – Secret) Enterprise PII Subject Sensitive PII Subject PIMS 6.5 / ISMS A8 (Asset Mgmt) Implementer
  • 42. Must have • Access control policy • User (de)registration Special attention to • PIMS: identity management • PIMS EXPLICIT: • DO NOT RE-USE user IDs PIMS 6.6 / ISMS A9 (Access ctrl.) Implementer
  • 43. Contains • Crypto policy • Special attention to PII treatment Special attention to • Subject information about crypto in • Website, HR, registration systems, storage, backup, … • Disposal of data ! • Evolution of technology in crypto! PIMS 6.7 / ISMS A10 (Crypto) General
  • 44. Must have • Physical security • Security perimeters • Layered security Special attention to • Core protection, starts with physical • Layered security like • Street, outside, perimeter, • public zone, internal zone, restricted zone, high protection core, … • Define : “who can do what and where (and when)” PIMS 6.8 / ISMS A11 (Physicl Sec.) Implementer
  • 45. Special attention to (See previous sessions on PIMS) • Backup • Event logging • Log protection PIMS 6.9 / ISMS A12 (Operations) Implementer Do what you say, say what you do, … … and prove it
  • 46. Make sure to have • Information transfer policy • Vendor / 3rd party / Data processor policy Special attention to • Vendor/processor • Confidentiality • NDA • Incident reporting & feedback PIMS 6.10 / ISMS A13 (Comm.) General
  • 47. Contains • Development policies • SW acquisition requirements Special attention to • Own responsibility • Vendor/processor responsibility • Sec/DP/Privacy by design • Sec/DP/privacy by default PIMS explicit: no PII for testing purposes! PIMS 6.11 / ISMS A14 (Build or buy) Implement
  • 48. Important • Compensate for lack of physical control • Legal control • PIMS : High risk! Special attention to • Policy • Contracts • Expert legal support • Right to audit! PIMS 6.12 / ISMS A15 (Supplier) Implementer
  • 49. Important • Incident register • Incident = failure of system (opportunity for improvement) • PIMS : High risk for data breaches! Special attention to • Policy • Tracking & improvement • Escalation tracks • Exercise, exercise! PIMS 6.13 / ISMS A16 (Incident) Implementer
  • 50. Important • Maintaining data protection & privacy during disaster • BCM vs DRP Special attention to • Exercise • Testing • Vendors PIMS 6.14 / ISMS A17 (BCM) Implementer
  • 51. Pay attention to • Legislation • Contract obligations • Company responsibility (protect yourself) • Subject rights Evidence • Anything we discussed today… PIMS 6.15 / ISMS A18 (Compliance) General
  • 52. The audit view of ISO27701 Focus on evidence
  • 53. Interested parties • ISMS: documentation on business model, mission, vision, … • PIMS: ISMS documentation, privacy notices, .. Type of community What evidence to find? • Mission/Vision • Community • Business model, processes, type of data • Talking to business & customer dept. PIMS 5.2 / ISMS 4 (Context) Auditor
  • 54. Interested parties • ISMS: documentation on business model, mission, vision, … • PIMS: ISMS documentation, privacy notices, .. Type of community How to audit? • Management meetings, agenda, notes, … • Decisions taken • Communication • Approvals & signature of policies, … PIMS 5.3 / ISMS 5 (Leadership) Auditor
  • 55. Look for • ISMS = Risk management • PIMS = Risk management + PIA/DPIA Evidence • Risk sources: incident register, incident reporting, • Track solution of incident • Data breach reporting (confirmed incidents) • Risk register (setup, up to date, ownership, RACI, …) PIMS 5.4 / ISMS 6 (Planning) Auditor
  • 56. ISMS = PIMS • Check for management support • Check for education plan • Check for awareness Evidence • Interview • Management planning • Education, awareness & communication PIMS 5.5 / ISMS 7 (Support) Auditor
  • 57. PIMS 5.6/5.7/5.8 = ISMS 8/9/10 • Operations • Performance • Improvement Evidence • Operations: processed, procedures, … on the floor • Performance: Find the metrics • Improvement: internal audit, new projects, updates, … Other clauses Auditor
  • 58. To check • Policies • SOA Evidence • Setup policies / documentation • Approval of policies • Execution policies • Updates PIMS 6.2 / ISMS A5 Auditor
  • 59. Check for • organigram • Company organisation • RACI • Segregation of duties Evidence • Roles & responsibilities description • Function description incl. ISMS/PIMS tasks • People IN/OUT PIMS 6.3 / ISMS A6 Auditor
  • 60. Info • PIMS: privacy & data protection in • contracting • awareness. Special attention to • Reference of data protection in contracting • People are laze (maintain awareness) • Training IMPORTANT: everyone must be onboard to protect personal data! PIMS 6.4 / ISMS A7 (HR) General
  • 61. Pay attention to • HR IN/OUT vs. IT IN/OUT Evidence • HR • IT security • Privileged account management • General accounts • In/out events • Regular reviews (x times /yr) PIMS 6.6 / ISMS A9 (Access ctrl.) Auditor
  • 62. Contains • Crypto policy • Special attention to PII treatment Special attention to • Subject information about crypto in • Website, HR, registration systems, storage, backup, … • Disposal of data ! PIMS 6.7 / ISMS A10 (Crypto) General
  • 63. Pay attention to • Building • Locations • Entry, • Zones • Equipment, cabling, • 3rd party (!) Evidence • On site visit PIMS 6.8 / ISMS A11 (Physical) Auditor
  • 64. Pay attention to • Tracing of ISMS/PIMS on the floor • People Evidence • Logs • Processes & procedures • Time stamps • Ownership • Meeting minutes • Documentation • …. PIMS 6.9 / ISMS A12 (Operations) Auditor
  • 65. Make sure to have • Information transfer policy • Vendor / 3rd party / Data processor policy Special attention to • Vendor/processor • Confidentiality • NDA • Incident reporting & feedback PIMS 6.10 / ISMS A13 (Communic.) General
  • 66. Pay attention to • PIMS Annex A.7.4 (controller) • PIMS Annex B.8.4 (processor) Evidence • Agreements • Acquisition procedures • Development policies & processes PIMS 6.11 / ISMS A14 (Build or buy) Auditor
  • 67. Pay attention to • Supplier policies • Vendor relations • Vendor contracts Evidence • Vendor negotiations • Vendor contracts • Vendor audits • 3rd party audit reports • Vendor tracking/invoicing • Vendor management updates PIMS 6.12 / ISMS A15 (Supplier) Auditor
  • 68. Pay attention to • Incident management policy • Incident register • Data breach register • Data breach notifications Evidence • Policy meta data (owner, updates, …) • Incident management procedure • Data breach reporting • DPA communications, … PIMS 6.13 / ISMS A16 (Incident) Auditor
  • 69. Pay attention to • Maintaining data protection & privacy during disaster • BCM vs DRP Evidence • BCM planning • DRP plan • Test plans • Exercises • Awareness, training & communication PIMS 6.14 / ISMS A17 (BCM) Auditor
  • 70. Pay attention to • Legislation • Contract obligations • Company responsibility (protect yourself) • Subject rights Evidence • Anything we discussed today… PIMS 6.15 / ISMS A18 (Compliance) General
  • 71. And last but not least… Never done
  • 72. PDCA… Continous improvement Start over again… See you at the next cycle…
  • 73. Q & A Questions & answers
  • 75. Ramping up… Relevant PECB Training courses
  • 76. Check the PECB agenda, select the ISO/IEC 27701 Lead Implementer https://pecb.com/en/partnerEvent/event_schedule_list Training Events For full detailed information about an event click on the ‘View’ button on the right hand side under ‘View full details’. Note: Before applying for any training courses listed below, please make sure you are registered to PECB Training Agenda
  • 77. Relevant Training PECB ISO 27701 Foundation https://pecb.com/en/education-and-certification-for-individuals/iso-iec- 27701/iso-iec-27701-foundation PECB ISO 27701 Lead Implementer https://pecb.com/en/education-and-certification-for-individuals/iso-iec- 27701/iso-iec-27701-lead-implementer PECB ISO 27701 Lead Auditor https://pecb.com/en/education-and-certification-for-individuals/iso-iec- 27701/iso-iec-27701-lead-auditor
  • 78. Relevant Training PECB ISO 27001 https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27001 Lead Implementer https://pecb.com/en/education-and-certification-for-individuals/iso-iec- 27001/iso-iec-27001-lead-implementer Lead Auditor https://pecb.com/en/education-and-certification-for-individuals/iso-iec- 27001/iso-iec-27001-lead-auditor
  • 79. Relevant Training PECB ISO 27002 https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27002 Lead Manager https://pecb.com/en/education-and-certification-for-individuals/iso-iec- 27002/iso-iec-27002-lead-manager
  • 81. Relevant Training PECB ISO29100 https://pecb.com/en/education-and-certification-for-individuals/iso-iec-29100- privacy-implementer Lead Implementer https://pecb.com/en/education-and-certification-for-individuals/iso-iec-29100- privacy-implementer/iso-29100-lead-privacy-implementer
  • 82. Relevant Training PECB ISO27035 - Incident Management https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27035 Lead Incident Manager https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27035 /iso-iec-27035-lead-incident-manager
  • 83. Relevant Training PECB ISO27005 - Risk Management https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27005 Lead Risk Manager https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27005 /iso-27005-lead-risk-manager
  • 84. ISO/IEC 27701 Training Courses • ISO/IEC 27701 Foundation 2 Day Course • ISO/IEC 27701 Lead Implementer 5Days Course Exam and certification fees are included in the training price. https://pecb.com/en/education-and-certification-for-individuals/iso- 27701 www.pecb.com/events
  • 85.