ISO/IEC 27701 Information Management System for Privacy

The ISO/IEC 27000 family of standards focuses on information security and helps organizations build an Information Security Management System (ISMS). Companies can be certified against ISO/IEC 27001, Information security management.

ISO/IEC 27701 is an extension of ISO/IEC 27001. Organizations that are certified for ISO 27001 may extend the scope of their certification to include ISO 27701 Security techniques.

ISO 27701 defines the appropriate technical and organizational measures an organization should apply, as required by Article 5 of the GDPR.

A management system is a set of interrelated or interacting elements of an organization that establish policies, objectives and the processes to achieve those objectives. It may include a quality management system, an information security management system and, from now on, a privacy information management system (PIMS).

“PIMS: Information Security Management System which addresses the protection of privacy as potentially affected by the processing of Personally Identifiable Information (PII)”.

The PIMS makes it easier for organizations to control and manage people’s personal data and their online identity by letting people allow, deny or withdraw consent for third parties.

As it is the case with the ISO/IEC 27001 standard, the extension ISO/IEC 27701 standard can bring several advantages to your company:

  1. Improve the privacy of your organization;
  2. Protect you from data breaches;
  3. Increase your international recognition;
  4. Improve customer satisfaction;
  5. Gain competitive advantage in the market.

What will ISO27701 certification add to organizations that are already GDPR compliant?

The ISO concept brings a certifiable implementation for the GDPR. You could already implement the GDPR using ISO 27001, but ISO 27701 makes the link between ISO 27001 and the GDPR explicit. Annex D of the ISO 27701 standard maps the controls in ISO 27701 to GDPR articles.

ISO 27701 Security techniques extends ISO 27001 Information Security to cover PII (also known as personal data), not only company data. ISO 27701 has additional requirements you need to fulfil for certification.

ISO 27701 term            GDPR term
PII                       Personal data
PII controller            Data controller
PII processor             Data processor
PII principal             Data subject
Privacy by design         Data protection by design
Privacy by default        Data protection by default

(source: https://www.itgovernance.eu/en-ie/iso-27701)

What is the difference between PII and Personal Data?

Personally identifiable information is defined by the US Office of Privacy and Open Government as:

“Information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.”

When that information is linked with health information or other sensitive information, we talk about protected health information (PHI). The GDPR based its definition of personal data on the concept of PII, but its definition is broader than PII.

Article 4(1) of the GDPR states:

“‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

The ISO/IEC 27701 as an extension to ISO27001 standard brings more elements to GDPR compliance.

How to Get Certified in ISO 27701?

Regardless of whether you are looking to implement ISO/IEC 27701 as an extension of your current ISO/IEC 27001 or are simply beginning, Ataya Partners Academy can support you with:

  • A deep examination to check your preparedness for certification
  • Classes for ISO/IEC 27001 and ISO/IEC 27701
  • Certification of your management system to ISO/IEC 27001 and ISO/IEC 27701
  • Help for your organization with training related to the standards and the GDPR (European Union General Data Protection Regulation).

Get Your ISO 27701 Individual Certification with Ataya & Partners Academy

If you are interested in this new topic, become ISO 27701 Security Techniques certified and boost your career thanks to Ataya & Partners, which ensures a certain comfort:

  • Exclusive and productive training environment;
  • Limited number of participants;
  • Senior lecturer sharing years of experience and a wealth of knowledge;
  • Comfortable class;
  • Lunch and drinks included.

To sum up, ISO/IEC 27701 enhances the ISO/IEC 27001 standard with the data privacy and information security requirements of the General Data Protection Regulation (GDPR). The standard explains how to manage privacy efficiently and provides the structure for PII processors and controllers. In the end, you will be able to implement your Privacy Information Management System (PIMS).

Using this standard will prove to your customers and other stakeholders that your organization is supporting GDPR compliance and privacy legislation.

ISO/IEC 27701 is a genuine extension of the ISO 27001 standard, giving you assurance that your organization will be GDPR compliant.

To learn more about our professional courses, visit the Ataya Partners Academy website here.

Join our community on LinkedIn for all the news here.

Information and Cyber security professional certification

Information and Cyber Security Professional Certification Blog

Task Force WG5I European Human Resources Network for Cyber Security

Every three months the European Cyber Security Organisation (ECSO) meets to discuss how to improve cybersecurity standards and certifications.

They produce a report after each meeting; here we briefly explain the context and their goals for cybersecurity.

The European Cyber Security Organisation (ECSO) wants to create awareness about cybersecurity and how it is becoming an increasingly important topic.

As a consequence, cybersecurity professionals are increasingly in demand, which leads to a skills gap. Certifications are essential to cybersecurity because they fill a gap in the market. Keeping specific skills current and covering all aspects of cybersecurity is key; to keep up to date, organizations need standards upheld by the certifying party.

Here you can download the ECSO (European Cyber Security Organisation) PDF: Information and Cyber security professional certification.

The goal is to create and maintain trust. The supply of cybersecurity education is wide but not clear. To be a cybersecurity expert, you need not only basic knowledge but also demonstrated ability.

Work experience is also key to obtaining certification, as in the case of information systems certifications (CISSP, CISM and CISA).

In Belgium, Solvay Brussels School of Economics and Management has delivered certifications since 2001, and 450 alumni hold one or more certifications. The school also offers executive classes on digital management and governance, risk management, and information and cyber security, aimed at the information security, cybersecurity, risk, compliance, IT audit and digital professions. Recently, Solvay Brussels School added a short programme in Data Protection.

The founder of Ataya Partners Academy, Prof. Georges Ataya, is also the academic director of executive education at Solvay Brussels School, where he directs the IT management and information security management education.

Since 2015 they have delivered a full track on information security and cybersecurity. Solvay Brussels School and Ataya Partners Academy have partnered with ISACA and PECB.

Cybersecurity is not a light topic to learn, but every organization should keep information security a top priority, keeping the organization safe through a clear risk management approach.

Join the Ataya Partners community on LinkedIn here.

Learn more about Ataya Partners Academy professional courses.

5 Lessons learned from CISSP and ISO training courses

Five key lessons learned for those wishing to embark on a training and a certification journey

Information Security professionals seek professional certification to better display their knowledge and expertise through those landmark credentials, as employers and clients do not feel sufficiently qualified to validate an expert’s competences in Information Security and in Cybersecurity.

Various questions are often raised in relation to the most adequate training and certification. I have founded Information Security certification (academy.atayapartners.com and exed.solvay.edu/IT), co-created CISM in 2002, a world-recognised certification (ISACA.org/cism), and acted as one of the first European CISSP trainers in 2001. Every year tens of experts from the various classes that I organise (academic and professional) graduate and obtain certification.

A training course for CISSP or ISO 27001 Lead Auditor or Lead Implementer is an essential step to gather the necessary knowledge and to prepare for the multiple-choice examination.

Attending a training week may be costly, and tedious if ill-planned. A cheaper alternative is to self-study based on books or online resources. However, this apparently cheap option may eventually become much more time-consuming and probably less effective.

The difficulty of self-study is to remain well focused and to structure the dedicated study time optimally. Even when attending a full-time training, typically over a week, one should consider spending another week in self-study and rehearsal of the various domains of knowledge. This also consists of browsing the net and researching additional resources on advanced topics.

Online education is another option. It involves audio, video, projected slides and references to links and downloadable material. Some offers include human mentoring by a trainer in live interaction delivered to a group of online participants. This paced approach helps align the effort with a structured study plan.

Another option involves access to streamed or recorded video presentations that can be attended at one’s own pace and viewed repeatedly until completely digested.

No single option offers the guarantee of a passing score. The successful outcome depends on the initial aptitude of the participant as well as on her capability to acquire the necessary knowledge during and after the training period. Some have to retake the exam after a failed outcome.

Many other professional trainings promote themselves as guaranteed success, but hidden under the asterisk it says *In case of exam failure you can re-enrol for free and repeat the course*. This comes at a cost: another week of training that was not in the schedule.

If we look at the financial aspects, a typical cost of a training week is 3500€, in addition to a potential loss of revenue caused by absence from work or lost invoiced consulting days. The payback is regularly estimated at less than one year. The revenue increase for a CISSP holder, or the consulting rate increase, should allow this initial investment to be amortised in less than ten working months, provided the certificate holder is able to capitalise on and promote his/her additional aptitudes.

Here is some of my bottom-line advice for those who plan to embark on a CISSP or an ISO 27001 training and certification:

  1. Don’t register before checking the credentials of the trainer. It may make the whole difference to get expert trainer advice and knowledgeable insights on each of the domains and study topics.
  2. Identify your domains of weakness and domains of strength, and decide where you should spend your extra effort to ensure a successful average score.
  3. Avoid those training supermarkets that offer international visibility to their training through a web commerce page but lack local expertise. Avoid the junior one-man-show, slide-flipping trainer.
  4. Visit the major credential owners’ pages and check the franchised trainers they recommend, but also identify a potential gem near you: a trainer who offers his/her devotion and is committed to transforming you into a genuine expert by sharing war stories, templates and links, as well as insights and tools.
  5. The most important takeaway from a credential is not a certificate bearing your name but the knowledge and reputation that you acquire. Success is not the result of having remembered the right buzzwords at the exam, but the prospect of resolving complex challenges in an information security management career.

I had the privilege to build an executive education programme in Information Security and Cybersecurity at a renowned Business School. I relied on the bodies of knowledge of both CISSP and ISO 27001 as well as other resources. We could offer our participants the luxury of having one expert speaker for each topic, calling on tens of specialist speakers. We managed to deliver case-based lectures, alternative education methodologies, and a business school model of education enabling our participants to succeed in the credential examination, in addition to the Business School certification.

At Ataya Partners Academy we make sure to provide you with the best learning environment; you can check our next courses here.


Georges Ataya is Professor at Université Libre de Bruxelles and academic director at Solvay Brussels School. In 2001 he founded what has today become the Digital Governance and Trust education. In 2005 he founded the yearly Secure Application Development training, co-created the body of knowledge for the CISM and CGEIT credentials (ISACA) and co-founded the Belgian Cybersecurity Coalition. In the early 1990s Georges was a member of the Infosec Advisory Group (IBAG) supporting the European Commission strategy in Information Security. He acted as International Vice President of ISACA and the IT Governance Institute (2005-2010). Georges participated in the development of various versions of COBIT, the IT Governance Framework.

Join the Ataya Partners Community on LinkedIn.

Are You Confused About Compliance?

Distance learning for data protection professionals and experts is becoming an essential tool for complementing classroom education. The complexity and volume of the knowledge and expertise that need to be acquired are continuously increasing.

On 25 May 2018, the European Union’s General Data Protection Regulation, or GDPR, went into effect. Nearly two years later, major stakeholders are still confused about the extent of required compliance – a confusion that can often be costly.
The good news is that much of the costly confusion that surrounds the GDPR can be avoided through education, awareness, and adequate management.


According to DLA Piper, a multinational law firm, there have been over 160.000 data breach notifications across Europe, resulting in EUR 114 million in fines. This includes a EUR 400.000 fine for a hospital in Portugal and the EUR 50 million imposed on Google – the biggest penalty under the GDPR to date.


But it’s not just the penalties that are expensive. Perhaps even more costly are the thousands of unstructured, last minute compliance initiatives and urgent efforts to correct a reported breach happening in companies across Europe.

Understanding over organisation


Far too many companies fail to fully understand what the GDPR requires of them. To compensate for this lack of understanding, these companies tend to involve as many people as possible, including data processors, IT, information security, external suppliers and sub-contractors – to name only a few. Unfortunately, when too many people are involved, the result is typically an unorganised and overly complicated approach to compliance.
However, the answer isn’t simply organisation. Even companies that make significant investments, designate specific people to specific tasks, and implement structural changes can still fail to comply with the GDPR. “The extent of compliance is seldom directly related to the cost incurred,” says Georges Ataya, Academic Director of Digital Governance and Trust at Solvay Brussels School. “More often, it has to do with a lack of understanding by the various parties involved in the actual processing of data.”

Tools of the trade


So, what’s a company supposed to do? One place to start is the Solvay Brussels School European Data Protection Programme. Designed to provide the information and skills needed to reduce compliance-related actions, the course focuses on the five competencies that everyone involved in data processing needs:

  1. Legal Management Requirements: define data protection objectives and scope
  2. Risk Impact and Assessment: identify the gap in reaching defined protection targets
  3. Compliance Transformation: manage compliance related transformation
  4. Information Security and Privacy: protect and secure architectural components
  5. Response and Breach Management: Operate, react and notify when needed

“These skills aren’t just for the Data Protection Officer (DPO) – they’re essential tools of the trade for anyone involved in processing personal data,” adds Professor Ataya. “This includes personnel involved in the processing activities, such as human resources and marketing, along with external suppliers and outsourced personnel who act on behalf of the company and deal with personal data.”
Professor Ataya notes that the Solvay Brussels School course is also relevant to legal, information technology, digital transformation, and information security experts too.

Register today!


Offered since 2017, the course is regularly updated to reflect the most recent regulations and developments.


The next edition, set to start in mid-March, will feature a new distance-learning component. “Starting from the day of registration, participants will already be able to access online activities and information, including case studies and quizzes, even before the first day of class,” says Professor Ataya. “This online component is meant to supplement one’s classroom learning, resulting in an even deeper understanding of the topic.”

My opinion on your compliance?

Four methods to obtain assurance on Data Protection implementation and practices (Georges Ataya)

After more than three years for the early adopters and much less for the latecomers, organisations continue to invest in implementing data protection good practices and in seeking GDPR compliance. Many inquire about the efficiency or effectiveness of the compliance implementation effort.

Different stakeholders wish to obtain assurance on the compliance posture of their organisations, of their business processes or of their suppliers. Their objective is to verify the progress with compliance investments, to avoid the risks of a penalty, or simply as a routine risk assessment exercise.

I recommend adopting one of the following assurance practices depending on the context of the enquirer, the size of the compliance investment or the liability risks of one’s own organisation or that of the supplier.

Board members and business owners wish to ensure an adequate return on investment and a justifiable compliance position for various business activities. Executives regularly lack tangible evidence, dashboards or other useful indicators of how far the organisation has effectively progressed relative to the investments made. They look for a qualified opinion from an external party.

Executives and directors in charge of an organisation playing the role of a Controller need to limit their liabilities when calling on Processors with an unproven compliance track record. They need to rely on a proven assessment method that addresses all important activities involving personal data.

Department managers and process owners, such as human resources managers or marketing directors, remain the first accountable crew in implementing and running compliance operations. Their needs span from a basic self-assessment to a detailed scan of actual DPO services and of GDPR-adjusted processes.

Conducting a Self-Assessment

A self-assessment is a tool designed to provide a quick evaluation of an enterprise’s functions, processes and procedures that indicate compliance with the GDPR. It is typically structured in twenty to thirty questions. The level of detail is typically reduced to a capability level qualifying the domain of compliance. Those domains include activities and processes such as the management of Data Subject Requests, complaints, personal data identification, data classification, as well as managing access and sub-processing.

When conducting the self-assessment, it is recommended to inventory what has been achieved and to document achievements, references to existing documents, or links to relevant intranet elements.

Running a Quick-Scan

Typically administered by an expert, the Quick-Scan is meant to monitor compliance comprehensively, evaluating all activities that need to be addressed. The quick scan, also called initial assessment, can be the first phase that identifies the detailed phases of an implementation programme. In that case, it follows the strategy phase, in which senior stakeholders, process owners, the DPO and other parties (CIO, CISO) propose a strategy, priorities and the parties involved. They focus on the activities and the personal data that present the highest risk, or they simply initiate an inventory to identify those.

A typical shortcoming of a Quick-Scan is its reliance on legal matters only. It falls short of evaluating, beyond the list of established compliance needs, the transformation and operations activities, including individual projects, information security protections, incident handling processes, contract review sequences and plans, awareness projects, and individual process transformation across the enterprise.

In a typical Plan/Build/Run/Monitor cycle for a data protection compliance implementation, organisation management, legal experts, process owners and Data Protection Officers may stop at the Plan phase. In the absence of a designated programme and relevant projects, functions such as the DPO, the CISO, the CIO or external consultant(s) engage in uncoordinated activities. A quick scan should therefore not only assess the effectiveness of the legal advice and the reasonableness of the planned activities; it should also highlight shortcomings in the planned implementation projects.

GDPR Audit

The goal of a formal audit of the GDPR implementation and activities is to provide management and the board of directors with a level of assurance that GDPR-related compliance controls are operating effectively.

The audit should include an assessment of the enterprise’s policies and procedures for managing and for protecting personal data. The GDPR audit should include a review of tools and technology used to input, process, transmit and store information regulated by GDPR. It should identify the phases of the implementation and evaluate their adequacy. It should also adjust the compliance objectives and detailed actions to the declared business objectives, priorities and final goals expected from the compliance investments.

The level of maturity may be evaluated based on alignment enablers such as collected information, designed processes, designated accountability, implemented processes and other enabler dimensions. 

The involvement of various experts qualified in each domain of competence will strengthen the assessment of internal controls for each domain of compliance, in line with the defined audit programme.

IT audit and assurance professionals understand data protection and records management processes in the context of holistic and integrated business systems. The auditor should have the functional and business knowledge needed to assess alignment with business compliance needs.

GDPR Certification

The certification is defined in article 42/3 of the GDPR. The Member States, the supervisory authorities, the [European Data Protection] Board and the European Commission encourage, in particular at the Union level, the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors. The specific needs of micro, small and medium-sized enterprises must be taken into account.

A certification mechanism can define its scope either generally or in relation to a specific type or area of processing operations and can thus already identify the objects of certification that fall within the scope of the certification mechanism (Source : Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation 2016/679. Adopted on 25 May 2018).

When assessing a processing operation, the following three core components must be considered, where applicable:

  • Personal data (material scope of the GDPR);
  • Technical systems: the infrastructure, such as hardware and software, used to process the personal data;
  • Processes and procedures related to the processing operation(s).

Each component used in processing operations must be subject to assessment against the set criteria. At least four different significant factors can be of influence:

1) the organisation and legal structure of the controller or processor;

2) the department, environment and people involved in the processing operation(s);

3) the technical description of the elements to be assessed; and finally

4) the IT infrastructure supporting the processing operation including operating systems, virtual systems, databases, authentication and authorization systems, routers and firewalls, storage systems, communication infrastructure or Internet access and associated technical measures.

Organisations should seek adequate advice when initiating a certification.

Can a CISO act as a DPO?

The new European General Data Protection Regulation (GDPR) imposes, in certain cases, the appointment of a Data Protection Officer (DPO). Public and private sector organizations are struggling with whether to create an additional responsibility or merge it with the existing Chief Information Security Officer (CISO) function. When responding to enquiries, I regularly advise the inquirer to verify three basic criteria.

The first involves whether there is an overall CISO driving Information Security and information risk management, or simply a manager in charge of IT security. The DPO should have direct contact with business managers and should accomplish a series of activities that impact their operations; adequate authority, independence and responsibilities are prerequisites. Regarding independence, the G29 WP said in its guidelines on DPOs that “As a rule of thumb, conflicting positions within the organization may include senior management positions (such as chief executive, chief operating, chief financial, chief medical officer, head of marketing department, head of Human Resources or head of IT departments) but also other roles lower down in the organizational structure if such positions or roles lead to the determination of purposes and means of processing”. So a case-by-case analysis has to be performed by the management of the company.

The second criterion involves the potential conflict between the company’s internal objectives, expressed in the three main Information Security objectives (Confidentiality, Integrity and Availability) that focus on the company’s own interest and form the CISO’s main activity, and the DPO activity, which focuses on protecting interests not necessarily in line with the company’s (employees, clients, prospects), namely those of the data subjects whose personal information is held. Article 38 of the GDPR mentions that the function “must be provided necessary resources but may fulfil other tasks and duties”. It also indicates that one should “Beware of conflict of interests”.

The third criterion involves the skills and capabilities of the proposed CISO-DPO. It is not common to find professionals possessing both skill sets, which may sometimes be counterintuitive. Furthermore, our recent education dedicated to Data Protection Officers at Solvay Brussels School (solvay.edu/gdpr) highlights five domains of skills that are required to accomplish this activity.

Those domains, to be covered by one person or a team, possibly assisted by external expertise, include the following. The first is understanding the legal and other management requirements necessary to establish a Data Protection policy, a strategy for accomplishing it and a programme plan. The second domain involves the ability to conduct a Data Protection Impact Assessment exercise to define the risk gap, the mitigations and the necessary improvements. The third domain is related to implementing the transformation process and making the change effective across tools, applications, services, data flow mechanisms and new business functions responding to compliance requirements.

The fourth domain involves information security and the building of capabilities for effective protection. The fifth domain involves all capabilities related to incident handling and communication that are required in the case of a data breach.

Although the mandatory cases for appointing a DPO under the GDPR are unlikely to apply to small organizations, smaller organizations that may not even have a CISO function may obviously be tempted to staff both activities in one single function. The function could also be staffed through external support. Article 37 of the GDPR mentions that it could be “a staff, or on the basis of a service contract”.

It seems to me essential that the activities of both the DPO and the CISO be organised in the form of a second line of defence. This means that business managers remain ultimately responsible for their risks and their protection activities. A support function accomplishing DPO activities nevertheless remains accountable for monitoring compliance, providing advice and addressing risks.