Privacy 27701 RMISC

The document discusses a presentation on tools and techniques for privacy information management system (PIMS) audits using ISO standards. It covers topics like top privacy risks in cloud computing, ISO standards for cloud security and privacy like ISO 27001 and 27701, sample PIMS audits and methods. The presentation outlines objectives like privacy threats in cloud, ISO compliance, PIMS audit process and references. It provides details on privacy risk mitigations and managing privacy risk in data lifecycle as per standards like GDPR.


Tools and Techniques Using ISO Standards

ISO 27701 – Privacy Information Management Requirements

Tim Weil – ISO 27001/27701 Auditor/Trainer


Cybersecurity and Privacy Professional
SecurityFeeds (Denver)

Rocky Mountain Information Security Conference


Denver, CO Sept 28th, 2022

Tech Day VI 1
Objectives of this Presentation

Top Privacy Risks in the Cloud
-- A Risk Management Dilemma
-- Risk Management Models
-- Data Breaches
-- Industry Look at Cloud Privacy Mandates

Top Privacy Threats in the Cloud
-- Pandemic Threat Study
-- Privacy Control Models (ISO 27018, CSA CCM 4.0)
-- Requirements for PII Controllers, Principals and Processors
-- Big Scary Monsters

ISO Standards for Cloud Security and Privacy
-- ISO 27001 (Information Security Management System)
-- ISO 27002 (27001 Annex A Control Sections)
-- ISO 27018 (Protecting PII in the Public Cloud)

Tools & Techniques for PIMS Audits
-- Sample PIMS Audit
-- Methods

A Writer’s Life –

Adding Attributes to Role Based Access Control reaches 500
citations on Google Scholar - https://lnkd.in/ew_BQaF

Table of Contents

 What are the Privacy Risks in the Age of Cloud Computing?

 Top Privacy Threats in the Cloud

 ISO Standards for Cloud Security and Privacy

 Tools and Techniques for PIMS Audits (ISO 27701)

 References + Q&A

How we got to the cloud

Now What? (Lessons learned from the Enterprise Risk Assessment of the
National Science Foundation's US Antarctic Program)

IT 101 – What Problems Are We Trying to Solve?
Identify 'Fix-It' areas in the program
Understand Current State (Remediation)
Improve 'ad hoc', 'not my problem' state
Manage Information Security & Privacy Risk
Improve Continuous Monitoring Process

[Diagram labels: Virtualization, Encryption, IT Governance]
Risk Management Process – Life Cycle (use of a Risk Matrix)

Prioritize actions and expenditures: most economic value for each risk considered.

Nominate tasks and expenditures for budget allocation.

Implementation of critical infrastructure.

https://www.ssh.com/compliance/cybersecurity-framework/
Big Scary Monsters - Global transformation caused by COVID-19

The Blob is an amorphous mass of alien goo that appears in the 1958 film of the same name. Appearing as nothing more than a mass of red gelatin, this creature possesses animalistic intelligence, acting purely on the instinct to feed. It feeds on flesh and gains mass as it consumes other creatures.

Them: While investigating a series of mysterious deaths, Sergeant Ben Peterson finds a young girl ... agent Robert Graham and scientist Dr. Harold Medford; he discovers that all the incidents are due to giant ants that have been mutated by atomic radiation. Peterson and Graham, with the aid of the military, attempt to find the queen ants and destroy the nests before the danger spreads.

The FUD Factor – Fear, Uncertainty and Doubt
Feeding the 'Big Scary Monsters' – PII Examples

Name
Address
Phone number
Email address
Date of birth
Marital status
Tax code
Bank details
Passwords
Driving licence number
Passport number
Purchase history
IP address
Mobile phone serial number
Special categories of PII

Racial or ethnic origin


Political opinions
Religious or philosophical beliefs
Trade union membership
Genetic data
Biometric data
Health data
Data concerning sex life
Sexual orientation
Big Scary Monsters – Data Breaches

Managing Privacy Risk in the Cloud (Deloitte) – Top Privacy Mitigations

• Understand and comply with various jurisdictional privacy laws
o Where is your data stored?
o EU General Data Protection Regulation (GDPR)
o Canada Personal Information Protection and Electronic Documents Act (PIPEDA)

• How is your data protected?
o Privacy by Design
o Risk Assessment for 'high risk' data holdings

• How private is your data?
o Data encryption mechanisms
o Key management strategies

GDPR Requirements
• Mandatory Data Protection Officer
• Vendor and Partner Management
• Breach Notification
• Right to be Forgotten
• Data Portability
• Consent Management
• Fines for Non-Compliance
• Cross-Border Transfer
Privacy Risk in the Data Management Lifecycle (Risk Management Process – Life Cycle)

 To be able to address the various risks, business organizations need to implement a robust data protection management program including information security. The management of personal data within its lifecycle is a crucial step in the organization's efforts to ensure the privacy, confidentiality, availability and integrity of personally identifiable information.

https://www.dpexnetwork.org/articles/benefits-implementing-isoiec-27701-privacy-information-management-system

Privacy Risk in the Data Management Lifecycle (continued)

[Diagram: Risk Management Process – Life Cycle]
Cloud Security Alliance – Top Pandemic Threats
https://cloudsecurityalliance.org/

Protection of personally identifiable information (PII) in public clouds
acting as PII processors – ISO 27018

Cloud Security Alliance CCM4.0 –
Data Security and Privacy Lifecycle Management (18 Controls)

ISO 27002:2022 vs :2013
https://www.advantio.com/blog/whats-new-in-iso/iec-27002-2022-updates

Benefits of ISO 27001 - ISO/IEC 27001:2013 Structure and Content

ISO/IEC 27001:2013 implementation and certification from a certification body demonstrate that the security
of organization information has been addressed and that valuable data and information assets are properly controlled.

There is also a list of benefits: by achieving certification to ISO/IEC 27001:2013, an organization will be able to
acquire numerous benefits, including:

Ahmed Riad, BlueKaizen Magazine, Benefits of ISO 27001- https://www.slideshare.net/AhmedRiad2/isoiec-https://www.slideshare.net/AhmedRiad2/isoiec-2
The ISO/IEC 27001 standard ISO/IEC 27001 Controls v2022 vs 2013

ISO 27701 - Privacy Information Management System (PIMS)
https://cloudsecurityalliance.org/blog/2021/11/17/data-security-and-privacy-related-iso-iec-certifications/

ISO 27701 - Privacy Information Management System (PIMS)
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27701/


Annex B – PIMS-specific reference control objectives and controls (PII Processors)

B.8.2 Conditions for collection and processing
B.8.2.1 Customer agreement
B.8.2.2 Organization's purposes
B.8.2.4 Infringing instruction
B.8.2.5 Customer obligations
B.8.2.6 Records related to processing PII
B.8.3 Obligations to PII principals
B.8.3.1 Obligations to PII principals
B.8.4 Privacy by design and by default
B.8.4.1 Customer agreement
B.8.4.2 Organization's purposes
B.8.4.3 Infringing instruction
B.8.5 PII sharing, transfer and disclosure
B.8.5.1 Basis for PII transfer between jurisdictions
B.8.5.2 Countries and international organizations to which PII can be transferred
B.8.5.3 Records of PII disclosure to third parties
B.8.5.4 Notification of PII disclosure requests
B.8.5.5 Legally binding PII disclosures
B.8.5.6 Disclosure of subcontractors used to process PII
B.8.5.7 Engagement of a subcontractor to process PII
B.8.5.8 Change of subcontractor to process PII

CASE Study – Microsoft Supplier Security and Privacy Assurance Program (SSPA).
ISO 27701 Internal Audit – Tools and Methods (27701 | A-LIGN)

• Leverage ISO 27001 + ISO 27701 to Meet Your Microsoft SSPA Requirements

• Microsoft requires that all vendors meet the requirements within the Supplier Security and Privacy Assurance
Program (SSPA). This program requires that any vendor that collects, stores, or processes customer, partner, or
employee information meet the reporting requirements. https://www.a-lign.com/service/microsoft-sspa.

• Company operates securely under all Microsoft Data Protection Requirements, providing high-end support using
Microsoft-provided cloud-based services and tools. The sole use of cloud-based tooling allows the team to work
efficiently with end customers while maintaining a low security risk, housing no customer or user data on any
Company systems. Due to the nature of its business, Company assumes the role of a Processor, as Company might
access customer PII. Company has access to customer data, and potentially PII, but does not download, store or
keep any PII or any other customer data in any directly managed system. However, the protection of customer privacy
data is a crucial business requirement, as it is vital to Company to protect its reputation as well as the integrity and
confidentiality of the services it provides to customers.
CASE Study – Microsoft Supplier Security and Privacy Assurance Program (SSPA).
ISO 27701 Internal Audit – Criteria and Schedule

Audit Criteria:
• Review of the implementation and effectiveness of ISMS and PIMS governance.
• The audit criteria (set of requirements) for this audit are all normative clauses of ISO/IEC 27001:2013 and ISO/IEC 27701:2019.
• Clause 4 – Context of the organization
• Clause 5 – Leadership / PIMS-specific requirements related to ISO/IEC 27001
• Clause 6 – Planning / PIMS-specific guidance related to ISO/IEC 27002
• Clause 7 – Support / Additional ISO/IEC 27002 guidance for PII controllers
• Clause 8 – Operation / Operation of the service management system / Additional ISO/IEC 27002 guidance for PII processors
• Clause 9 – Performance Evaluation
• Clause 10 – Improvement
• Annex A – Control objectives and controls / PIMS-specific reference control objectives and controls (PII Controllers)
• Annex B – PIMS-specific reference control objectives and controls (PII Processors)

Audit Schedule:
9am Clause 5. PIMS-specific requirements related to ISO/IEC 27001
5.1 General
5.2 Context of the organization
5.4 Planning

10am Annex A - PIMS-specific reference control objectives and controls (PII Controllers)
A.7.2 Conditions for collection and processing
A.7.3 Obligations to PII principals
A.7.4 Privacy by design and privacy by default
A.7.5 PII sharing, transfer and disclosure

11am Annex B – PIMS-specific reference control objectives and controls (PII Processors)
B.8.2 Conditions for collection and processing
B.8.3 Obligations to PII principals
B.8.4 Privacy by design and by default
B.8.5 PII sharing, transfer and disclosure
CASE Study – ISO 27701 Internal Audit – Documentation Review

Document Name

1 Context of the Organization (scope & boundaries)

2 Information Security Policy

3 Roles, Responsibilities and Authorities

4 Organization Chart (Roles, Responsibilities)

7 Privacy Risk Assessment

8 Risk Treatment Plan

9 Statement of Applicability

10 Data Privacy Policy

17 Information Classification and Handling Policy

18 Privacy Impact Assessment


CASE Study – ISO 27701 Internal Audit – Audit Conclusions

In the Opinion of the Auditor, the organization currently conforms to the ISO 27001 Clause 4-10 / Annex A
generic requirements for an Information Security Management System (ISMS).

In the Opinion of the Auditor, the organization currently conforms to the ISO 27701 applicable clauses 5 and
6 / Annex B guidance for PII Processor (PIMS).

The areas assessed during the course of the visit were found to be very effective, very well controlled and
managed. Company shows continual improvement in managing the ISMS program by communicating core
principles of privacy and information security (protection of confidentiality, integrity and availability) across
the organization.

Non-conformities
No major non-conformities have been identified in the ISMS/PIMS Internal Audit

Minor NCR
Minor Non-Conformity - 01 5.4.1.2 (ISO 27701) - PIMS risk assessment does not include the applicable
ISO 27701 Annex B requirements for a Data Processor (B.8.x)
Minor Non-Conformity - 02 A.12.4.2 Logs must be safeguarded from tampering.

Summary PIMS Requirements for PII Controllers and Principals

Summary PIMS Requirements for PII Controllers and Processors

ISO 27001/27701 Accredited Site List (examples)
Google - https://cloud.google.com/security/compliance/iso-27701

AWS - https://aws.amazon.com/blogs/security/aws-achieves-iso-iec-27701-2019-certification/

https://aws.amazon.com/compliance/iso-certified/

OneTrust (Coalfire) - https://www.onetrust.com/news/onetrust-achieves-worlds-first-iso-27701/

Xi Cloud Services (Nutanix) Achieve ISO/IEC 27701:2019 Certification

https://next.nutanix.com/community-blog-154/xi-cloud-services-achieve-iso-iec-27701-2019-certification-38471

Microsoft PIMS - https://docs.microsoft.com/en-us/compliance/regulatory/offering-iso-27701

CubePay - Singapore TuV SuD (Fintech)

https://www.tuvsud.com/en-us/services/auditing-and-system-certification/iso-27701

dacadoo Obtains ISO 27001 and ISO 27701 Certifications – https://dacadoo.pr.co/199390-dacadoo-obtains-iso-27001-and-iso-27701-certifications

Teleperformance (France)

https://www.teleperformance.com/en-us/insights-list/insightful-articles/global/elevating-data-privacy-around-the-world-with-global-iso-27701-certification/

https://www.businesswire.com/news/home/20211201005742/en/Teleperformance-A

IEEE Digital Privacy Initiative
➢ An IEEE-wide effort focusing on the digital privacy needs of individuals, rather than the security
of data/products/organization
➢ Envision a future in which the capability exists to enable any individual around the world to
privately maintain presence, data, identity, and dignity online
➢ To help achieve this vision, the Initiative seeks the following goals:
➢ Bring the voice of technologists to the digital privacy conversation, incorporating a holistic
approach to address privacy that also includes economic, legal, and social perspectives
➢ Facilitate cross-disciplinary collaboration to advance research, promote standardization and
best practices, and create tools and capabilities to support the privacy needs of individuals,
and
➢ Coordinate efforts across and beyond IEEE with a multicultural lens that are working on
different dimensions of digital privacy
➢ Feel free to contact/connect with us @ [email protected]

Learn more at digitalprivacy.ieee.org
Digital Privacy Initiative Working Groups

Framework and Foundation
Policies and Standards
Legislations
Healthcare
Connected Vehicles
Industry
Conferences and Workshops
Energy
Education and Training
Publications
Assessing Privacy Information Management Requirements – Blue Sky or Rain?

Audit and Trainer – ISO 27701 (Privacy Information Management)

Thank you for joining us!

http://www.securityfeeds.com - [email protected]