ISO27k GDPR Mapping Release 1

Copyright © 2016 ISO27k Forum  Page 1 of 20

Mapping between GDPR (the EU General Data Protection Regulation) and ISO27k

Release 1, November 2016

Executive summary

The European Union (EU) General Data Protection Regulation (GDPR), currently being introduced across Europe and beyond ahead of the May 2018 final implementation deadline, mandates numerous privacy arrangements and controls designed to protect personal data, many of which are also recommended by ISO/IEC 27001:2013, ISO/IEC 27002:2013 and other "ISO27k" standards. Organizations that currently have an ISO27k ISMS (Information Security Management System) are therefore likely to have many of the GDPR requirements in place already but may need to make some adjustments. Others may choose to implement an ISO27k ISMS as an overarching framework to manage privacy and personal information as part of the broader management of information risks, information security and related compliance, incident management and business continuity issues.

This document maps between the GDPR and ISO27k in the particular context of private/non-governmental organizations subject to GDPR.

ISO27001security.com, the ISO27k Forum and the ISO27k Toolkit

The website has been running since 2005 as a free public information resource concerning the ISO/IEC 27000-series information risk and security management standards ("ISO27k"). It is not an official ISO/IEC site, but an unofficial community project supporting users of the ISO27k standards.

The ISO27k Forum is a non-commercial Google Group (email reflector) linking over 3,000 users of the ISO27k standards from around the world. As this is a practitioners' forum, we discuss all manner of practical ISO27k matters there. Membership is free but we ask you to declare your interest in ISO27k when you join as a simple means to block the robotic spammers. Overt commercials and off-topic stuff are banned, enabling us to maintain a very high signal-to-noise ratio and a friendly, supportive community atmosphere.

The ISO27k Toolkit is a free collection of materials donated or created by members of the ISO27k Forum to help fellow practitioners. This mapping document demonstrates the power of crowdsourcing.

Disclaimer

This is not legal advice, nor is it information risk, information security or privacy advice. This generic high-level document is provided purely for informational or general guidance purposes. You need to interpret and adapt it for your own unique situation, and if GDPR applies to your organization, you should definitely seek competent legal and other professional advice concerning the adequacy and suitability of your particular security controls and other privacy arrangements. Don't take our word for anything or blame us for the inevitable errors and omissions: we're simply trying to help.

Copyright

This work is copyright © 2016, ISO27k Forum, some rights reserved. It is licensed under the Creative Commons Attribution-Noncommercial-Share Alike 3.0 License. In plain English, you are welcome to reproduce, circulate, use and create derivative works from this provided that (a) they are not sold or incorporated into a commercial product, (b) they are properly attributed to the ISO27k Forum, and (c) if they are to be shared or published, derivative works are covered by the same Creative Commons Attribution-Noncommercial-Share Alike 3.0 License. Be nice. Contact Gary@isect.com if this license is unsuitable for your intended use.

The mapping

ISO27k controls without the prefix 'A' are in the main body of ISO/IEC 27001:2013. Those prefixed with 'A' are listed in Annex A of ISO/IEC 27001:2013 and are explained in more detail in ISO/IEC 27002:2013. Further ISO27k standards fill in various supplementary details (e.g. ISO/IEC 27005 on information risk management and ISO/IEC 27018 on privacy in cloud computing), while other ISO and non-ISO standards and resources provide lots more information, and in some cases recommend alternative or complementary approaches and controls.

The table has four columns: GDPR Article, GDPR Outline/summary, ISO27k Control, ISO27k Notes. Each row is set out below as one entry.

GDPR Article 1
Outline/summary: GDPR concerns the protection and free movement of "personal data", defined in article 4 as "any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person".
ISO27k Control: A.18.1.4 etc.
ISO27k Notes: The ISO27k standards concern information risks, particularly the management of information security controls mitigating unacceptable risks to organizations' information. In the context of GDPR, privacy is largely a matter of securing people's personal information, particularly sensitive computer data. The ISO27k standards specifically mention compliance obligations relating to the privacy and protection of personal info (more formally known as Personally Identifiable Information, PII, in some countries) in control A.18.1.4.

GDPR Article 2
Outline/summary: GDPR concerns "the processing of personal data wholly or partly by automated means ...." (essentially, IT systems, apps and networks) and in a business or corporate/organizational context (private home uses are not in scope).
ISO27k Control: (none listed)
ISO27k Notes: ISO27k concerns information in general, not just computer data, systems, apps and networks. It is a broad framework, built around a 'management system'. ISO27k systematically addresses information risks and controls throughout the organization as a whole, including but going beyond the privacy and compliance aspects.

GDPR Article 3
Outline/summary: GDPR concerns personal data for people in the European Union whether it is processed in the EU or elsewhere.
ISO27k Control: A.18.1.4 etc.
ISO27k Notes: ISO27k is global in scope. Any organization that interacts with people in the European Union may fall under GDPR, especially of course if they collect personal info.

GDPR Article 4
Outline/summary: GDPR privacy-related terms are formally defined here.
ISO27k Control: 3
ISO27k Notes: ISO/IEC 27000 defines most ISO27k terms including some privacy terms. Many organizations have their own glossaries in this area. Check that any corporate definitions do not conflict with GDPR.

Chapter I General provisions

GDPR Article 5
Outline/summary: Personal data must be: (a) processed lawfully, fairly and transparently; (b) collected for specified, explicit and legitimate purposes only; (c) adequate, relevant and limited; (d) accurate; (e) kept no longer than needed; (f) processed securely to ensure its integrity and confidentiality. [This is the latest incarnation of the original OECD principles published way back in 1980 <tips hat>.] The "controller" is accountable for all that.
ISO27k Control: 6.1.2, A.8.1.1, A.8.2, A.8.3, A.9.1.1, A.9.4.1, A.10, A.13.2, A.14.1.1, A.15, A.17, A.18 ... in fact almost all! Also 5, A.6.1.1 (accountability).
ISO27k Notes: Business processes plus apps, systems and networks must adequately secure personal information, requiring a comprehensive suite of technological, procedural, physical and other controls, starting with an assessment of the associated information risks. See also 'privacy by design' and 'privacy by default' (Article 25). In order to satisfy these requirements, organisations need to know where personal info is, classify it and apply appropriate measures to address (a)-(f). Although not stated as such, accountability is an important concept within the 'Leadership' section of ISO/IEC 27001.

GDPR Article 6
Outline/summary: Lawful processing must: (a) be consented to by the subject for the
ISO27k Control: 6.1.2
ISO27k Notes: This should also be covered in the assessment and treatment of