STANDARD ISO 27001 INFORMATION SECURITY MANAGEMENT SYSTEM AND GDPR: HOW TO ACHIEVE COMPLIANCE? Thank you for the invitation! It is always a pleasure for me to come.


1 STANDARD ISO 27001 INFORMATION SECURITY MANAGEMENT SYSTEM AND GDPR: HOW TO ACHIEVE COMPLIANCE?
Thank you for the invitation! It is always a pleasure for me to come here; I feel at home!
Rossen Pashov, Co-founder of International Technical Alliance
Miroslav Mitev, PhD, ISO Lead Auditor

2 PROTECTING INFORMATION – A CRITICAL AND ESSENTIAL BUSINESS ASSET
All businesses are highly dependent on Information and Communications Technology.
A successful business must have the right information at the right time in order to make well-informed decisions.
All types of information, whether paper-based or digital, are at risk.
Protection of information is a major challenge.
Information is not only a great business strength, but also a great risk, one that is becoming ever more significant.

3 PROTECTING INFORMATION – CHALLENGES FOR THE BUSINESS
Constantly changing new technologies and business development require the implementation of various IT solutions in practically all industrial sectors.
This creates the need to manage business risks and to develop a systems-thinking approach.
Ever more attention is being paid to management systems as an approach.

4 WHAT TO DO? WHAT NOT TO DO?
An Information Security Management System could be THE KEY.

5 ISO 27001 Information Security Management System
One of the most practicable approaches as a management system standard, designed and published by the ISO organization.
Highly innovative as a management set of information security requirements at the time of the last published version.

6 History of ISO 27001 Information Security Management System
BS 7799 (1995)
BS (1998)
ISO 17799 (2000)
ISO 27001 (2005, revised 2013)

7 STANDARD ISO 27001 INFORMATION SECURITY MANAGEMENT SYSTEM
ISO 27001 formally specifies how to establish an Information Security Management System (ISMS).
An ISMS provides a framework to develop, implement, operate, monitor, review, maintain and improve information security within an organization, whatever the scope of its activities.
Implement effective information security that really meets business requirements.
Equally applicable to a public organization, a manufacturer, a retailer or a business service.

8 STANDARD ISO 27001 INFORMATION SECURITY MANAGEMENT SYSTEM
Manage all kinds of information security risks to suit the business activity
Manage incident handling activities
Build a security culture
Designed to cover much more than just IT

9 ISO 27001 Annex A 114 controls in 14 clauses and 35 control categories
The standard consists of two parts: clauses with requirements for the management system, and a practical part in an annex with 114 controls that cover the important information security topics:
A.5: Information security policies (2 controls)
A.6: Organization of information security (7 controls)
A.7: Human resource security (6 controls)
A.8: Asset management (10 controls)
A.9: Access control (14 controls)
A.10: Cryptography
A.11: Physical and environmental security (15 controls)
A.12: Operations security
A.13: Communications security
A.14: System acquisition, development and maintenance (13 controls)
A.15: Supplier relationships (5 controls)
A.16: Information security incident management
A.17: Information security aspects of business continuity management (4 controls)
A.18: Compliance (8 controls)

10 ISO/IEC 27001 requires that management:
Systematically analyze the organization's information security risks, taking account of the threats, vulnerabilities and impacts
Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment
Adopt a comprehensive management process to ensure that the information security controls continue to meet the organization's information security needs on an ongoing basis

11 Benefits of Information Security Management System implementation
Meet business and legal requirements
Provision and demonstration of a secure environment to clients
Introduction of new technologies and tools
Preventing leaks of confidential information
Disaster recovery and business continuity
Securing the interests of interested parties

12 WHAT INFORMATION SECURITY MEANS
Confidentiality: ensuring that information is available only to those authorized to have access
Integrity: safeguarding the accuracy and completeness of information and processing methods
Availability: ensuring that information and vital services are available to authorized users when required
Security doesn't mean only confidentiality:
Accountability: responsibility of a particular party for its actions and decisions
Reliability: consistency between behaviour and results

13 How ISO 27001 and GDPR are connected
Same philosophy: protection of sensitive information
Management system approach and needs
Management commitment
Implementation of specific functions and responsibilities related to information security
Implementation of a risk assessment approach
Legal compliance

14 WHAT IS THE EU GENERAL DATA PROTECTION REGULATION (EU GDPR)?
The Regulation was approved on April 14, 2016, by the European Parliament and the Council of Europe.
It is applied directly in each country, allowing for consistency of rules between nations on the rights of citizens' privacy.
Beyond EU companies, the EU GDPR covers companies outside the EU that offer goods or services to EU Data Subjects, even if for free, or that monitor the Data Subjects' behavior within the EU.
It enters into force on 25 May 2018, but with a lot of confusion.

15 Individuals Rights and Freedoms Risks
Physical consequences: abduction, extortion, criminal donation, property damage, etc.
Financial losses: credit card data, bank information, etc.
Loss of opportunities: reputation, job position, obtaining a visa, credit opportunities, discrimination, access to public services, rights of disadvantaged people
Fraud: identity theft, spying, impersonation, illegal references (spam, marketing strategies)

16 WHAT PERSONAL DATA PROCESSING MEANS
Collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, restriction, erasure, destruction

17 PERSONAL DATA
Name, address, location, income

18 PERSONAL DATA
Online identifier, health information, cultural profile, license plate

19 WHERE CAN WE FIND PERSONAL DATA (PD)?
PD stored in ERP/CRM systems, databases, clouds, servers, networks, mail accounts
Spreadsheets, employee databases
Clients: financial information, bank accounts
Suppliers/subcontractors/partners
Registers
Website visitor records
Marketing databases
Call centre databases
Loyalty/VIP client programmes
Software products managing patients/clients
Video surveillance recordings and fingerprints
Phonebooks
Mailing lists
Interview records
Conference participation records
Completed questionnaires
Debt collection databases

20 WHAT IS THE EU GENERAL DATA PROTECTION REGULATION (EU GDPR)?
If the organization deals with special categories of personal data on a large scale, it needs to appoint a Data Protection Officer (DPO) as part of its board.
If these measures are not met, the penalties are high: up to €20 million or, in the case of companies, up to 4% of annual turnover, whichever is higher.

21 DOES YOUR ORGANIZATION NEED TO BE EU GDPR COMPLIANT?
The organizations that need to be EU GDPR compliant are:
Companies (controllers and processors) established in the EU, regardless of whether or not the processing takes place within the EU.
Companies (controllers and processors) not established in the EU offering goods or services within the EU or to EU individuals.
There are two types of responsibilities regarding the protection of personal data: data "controllers" and data "processors."

22 GDPR benefits
One set of rules for all companies processing data in the EU
Doing business just got fairer

23 GDPR benefits
Personal data protection becomes a matter of vital importance for the top management of organizations.
Policies based on an accountability framework and transparent rules ensure a rapid response to security incidents and the personal data leaks that follow from them.

24 GDPR weaknesses
Provides a large framework with requirements that are too general
Requires the implementation of additional legal acts at national level for applying and monitoring the GDPR
Lack of sufficient technical and organizational requirements
Generates unclear questions and aspects
Possibility of political pressure and inequality
Much could be said here, but it must not be forgotten that this act is not aimed at supporting business, but at protecting the rights of natural persons.

25 WHO WE ARE ITA - International Technical Alliance
ISO certification body with internationally recognized accreditation from the Italian national accreditation agency, ACCREDIA
Independent and accredited certification services
Offers a broad portfolio of services within management system certification and related services
Present in more than 15 countries in Europe and Asia
Active in the Armenian market, mainly for ISO certification services in the financial and IT sectors

26 ITA - International Technical Alliance Management Systems Certification - Service Lines
ISO 9001 Quality Management Systems
ISO Information Security Management Systems
ISO IT Service Management Systems
ISO & FSSC Food Safety Management Systems
ISO & Environmental and Energy Management Systems
OHSAS & ISO Health and Safety Management Systems
ISO Anti-Bribery Management Systems
Training activities for Lead and Internal Auditors
GDPR GAP Analysis

27 Thank you! Merci! Rossen Pashov
Co-founder of International Technical Alliance