1. STANDARD ISO 27001 INFORMATION SECURITY MANAGEMENT SYSTEM AND GDPR: HOW TO ACHIEVE COMPLIANCE?
Благодаря за поканата! За мен е винаги удоволствие да идвам тук, чувствам се като у дома!
Rossen Pashov
Co-founder of International Technical Alliance
Miroslav Mitev, PhD
ISO Lead auditor

2. PROTECTING INFORMATION – A CRITICAL AND ESSENTIAL BUSINESS ASSET
All businesses have high dependency on Information and Communications Technology
A successful business must have the right information at the right time in order to make well-informed decisions
All types of information, whether paper- based or digital, is at risk
Protection of information is a major challenge
Информация е не само голяма бизнес сила, но е и голям риск, който става все по-значим

3. PROTECTING INFORMATION – CHALENGES FOR THE BUSINESS
Constantly changing new technologies and Business development definitely require implementing of various IT solutions practically in all industrial sectors
It requires the need to manage business risks and develop system thinking approach
Все по-голяма внимание се обръща на управленските системи като подход

4. WHAT TO DO? WHAT NOT TO DO?
Information Security
Management System
could be
THE KEY.

5. ISO 27001 Information Security Management System
One of the most practicable approach as management system standard, designed and published by ISO Organization
Highly innovative as management set of IS requirement at the time of last published version

6. History of ISO 27001 Information Security Management System
BS 7799
1995 BS
1998
ISO 17799
2000
ISO 27001
2005
2013

7. STANDARD ISO 27001 INFORMATION SECURITY MANAGEMENT SYSTEM
ISO formally specifies how to establish an Information Security Management System (ISMS).
ISMS provides a framework to develop, implement, operate, monitor, review, maintain and improve the information security within an organization whenever the scope of the activities.
Implement effective information security that really meets business requirements
Еднакво приложим както в публична организация, така и в производител, така и в търговец или бизнес услуга

8. STANDARD ISO 27001 INFORMATION SECURITY MANAGEMENT SYSTEM
Manage all kind of IS risks to suit the business activity
Manage incident handling activities
Build a security culture
Designed to cover much more than just IT

9. ISO 27001 Annex A 114 controls in 14 clauses and 35 control categories
A.5: Information security policies
(2 controls)
A.6: Organization of information security
(7 controls)
A.7: Human resource security
(6 controls)
A.8: Asset management
(10 controls)
A.9: Access control
(14 controls)
A.10: Cryptography
A.11: Physical and environmental security
(15 controls)
A.12: Operations security
A.13: Communications security
A.14: System acquisition, development and maintenance
(13 controls)
A.15: Supplier relationships
(5 controls)
A.16: Information security incident management
A.17: Information security aspects of business continuity management
(4 controls)
A.18: Compliance
(8 controls)
Стандартът е съставен от 2 части – клаузи с изисквания за системата за управление, и практична част в приложение със 114 механизми за контрол, които обхващат важните теми за сигурността на информацията:

10. ISO/IEC 27001 requires that management:
Systematically analyze the organization's information security risks, taking account of the threats, vulnerabilities and impacts
Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment
Adopt an comprehensive management process to ensure that the information security controls continue to meet the organization's information security needs on an ongoing basis.

11. Benefits of Information Security Management System implementation
Meet business and legal requirements
Provision and demonstration of secure environment to clients
Introduction of new technologies and tools
Preventing leak of confidential information
Disaster recovery and Business continuity
Secure interests of interested parties

12. WHAT MEANS INFORMATION SECURITY
Confidentiality: ensuring that information is available to only those authorized to have access
Integrity: Safeguarding the accuracy and completeness of information and processing methods
Availability: ensuring that information and vital services are available to authorized users when required.
Security doesn’t mean only confidentiality
Accountability: responsibility of a particular part for its actions and decisions
Reliability: consistency between behaviors and results

13. How are connected ISO 27001 and GDPR
Same philosophy - Protection of sensitive information
Management System approach and needs Management commitment
Implementation of specific functions and responsibilities related to information security
Implementation of Risk assessment approach
Legal compliance

14. WHAT IS THE EU GENERAL DATA PROTECTION REGULATION (EU GDPR)?
The Regulation was approved on April 14, 2016, by the European Parliament and the Council of Europe. It is applied directly in each country, allowing for a consistency of rules between nations on the rights of citizens’ privacy.
Beyond the EU companies, the EU GDPR covers companies outside of the EU that offer goods or services to EU Data Subjects, even if for free, or that monitor the Data Subjects’ behavior within the EU.
Enter in force on 25 May 2018 but with a lot of confuses

15. Individuals Rights and Freedoms Risks
Physical consequences – abduction, extortion, criminal donation, property damage and ext.
Financial losses – credit card data, bank information and ext.
Loss of opportunities – reputation, job position, obtaining a visa, credit opportunities, discrimination, access to public services, disadvantaged people rights
Fraud - Identity theft, spying, imitation, illegal references (spam, marketing strategies)

16. WHAT MEANS PERSONAL DATA PROCESSING
Collection
Recording
Organisation
Structuring
Storage
Adaptation
Retrieval
Consultation
Use
Disclosure by transmission
Dissemination
Restriction
Erasure
Destruction

17. PERSONAL DATA
Name
Address
Localization
Income

18. PERSONAL DATA Online identifier Health information Cultural profile
License plate

19. WHERE WE CAN FIND PERSONNEL DATA (PP)?
PP stored in ERP/CRM systems/data bases, clouds, servers, networks, mail accounts
Tables, employee databases
Clients - financial information, bank accounts
Suppliers/Subcontractors/Partners Registers
Website visitors records
Marketing databases
Call Centers databases
Loyal/VIP clients programme
Software product managing patients/clients
Video cameras records for monitoring and fingerprints
Phonebooks
Mail lists
Interview records
Conference participation records
Fulfilled questionnaires
Debt collection databases

20. WHAT IS THE EU GENERAL DATA PROTECTION REGULATION (EU GDPR)?
If the organization is dealing with special categories of personal data on a large scale, it needs to appoint a Data Protection Officer (DPO) as part of its board.
If these measures are not met, the penalties are high: up to € 20 million or, in case of companies, up to 4% of annual turnover, whichever is higher.

21. DOES YOUR ORGANIZATION NEED TO BE EU GDPR COMPLIANT?
The organizations that need to be EU GDPR compliant are:
Companies (controllers and processors) established in the EU, regardless of whether or not the processing takes place within the EU.
Companies (controllers and processors) not established in the EU offering goods or services within the EU or to EU individuals.
There are two types of responsibilities regarding the protection of personal data: data “controllers” and data “processors.”

22. GDPR benefits
One set of rules for all companies processing data in the EU
Doing business just got fairer

23. GDPR benefits
PDP to become a matter of vital importance for the top management of organizations.
Policies based on an accountability framework and transparent rules to ensure rapid response to security incidents and consequent personal data leaks

24. GDPR weakness Provide a large framework with too general requirements
Requires of implementation of additional legal acts at national level for GDPR applying and monitoring
Lack of enough technical and organizational requirements
Generates unclear questions and aspects
Possibility of political pressure and inequality
Тук може много да се говори, но не трябва и да се забравя, че този акт не е насочен към подпомагане на бизнеса, а към защита на правата на физическите лица

25. WHO WE ARE ITA - International Technical Alliance
ISO Certification Body with international recognized Accreditation from Italian Accreditation National Agency – ACCREDIA
Independent and accredited certification services
Offer a broad portfolio of services within MS Certification and related services
Presented in more than 15 countries in Europe and Asia
Participation on the Armenian market mainly for ISO certification services on the financial and IT sectors

26. ITA - International Technical Alliance Management Systems Certification - Service Lines
ISO 9001 Quality Management Systems
ISO Information Security Management Systems
ISO IT Service Management Systems
ISO & FSSC – Food Safety Management Systems
ISO & Environmental and Energy Management Systems
OHSAS & ISO Health and Safety Management Systems
ISO Anti-Bribery Management Systems
Training activities related to Lead and Internal Auditors
GDPR GAP Analysis

27. Thank you! Merci! Rossen Pashov
Co-founder of International Technical Alliance