7.13 - Defradar - ISO27k GDPR Mapping Release - v2
ISO27k controls without the prefix ‘A’ are in the main body of ISO/IEC 27001:2013. Those prefixed with ‘A’ are listed in Annex A of ISO/IEC 27001:2013 and are explained in more detail in ISO/IEC 27002:2013. Further ISO27k standards fill in various supplementary details (e.g. ISO/IEC 27005 on information risk management and ISO/IEC 27018 on privacy in cloud computing), while other ISO and non-ISO standards and resources provide lots more information, and in some cases recommend alternative or complementary approaches and controls.
Each entry below gives the GDPR article, an outline/summary of it, the corresponding ISO27k control(s), and notes.

Chapter I General provisions

Article 1
GDPR: GDPR concerns the protection and free movement of “personal data”, defined in article 4 as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
ISO27k control: A.18.1.4 etc.
Notes: The ISO27k standards concern information risks, particularly the management of information security controls mitigating unacceptable risks to organizations’ information. In the context of GDPR, privacy is largely a matter of securing people’s personal information, particularly sensitive computer data. The ISO27k standards specifically mention compliance obligations relating to the privacy and protection of personal info (more formally known as Personally Identifiable Information - PII - in some countries) in control A.18.1.4.

Article 2
GDPR: GDPR concerns “the processing of personal data wholly or partly by automated means ....” (essentially, IT systems, apps and networks) and in a business or corporate/organizational context (private home uses are not in scope).
ISO27k control: Many
Notes: ISO27k concerns information in general, not just computer data, in systems, apps and networks. It is a broad framework, built around a ‘management system’. ISO27k systematically addresses information risks and controls throughout the organization as a whole, including but going beyond the privacy and compliance aspects.

Article 3
GDPR: GDPR concerns personal data for people in the European Union whether it is processed in the EU or elsewhere.
ISO27k control: A.18.1.4 etc.
Notes: ISO27k is global in scope. Any organization that interacts with people in the European Union may fall under GDPR, especially of course if they collect personal info.

Article 4
GDPR: GDPR privacy-related terms are formally defined here.
ISO27k control: 3
Notes: ISO/IEC 27000 defines most ISO27k terms including some privacy terms. Many organizations have their own glossaries in this area. Check that any corporate definitions do not conflict with GDPR.
Article 5
GDPR: Personal data must be: (a) processed lawfully, fairly and transparently; (b) collected for specified, explicit and legitimate purposes only; (c) adequate, relevant and limited; (d) accurate; (e) kept no longer than needed; (f) processed securely to ensure its integrity and confidentiality.
[This is the latest incarnation of the original OECD principles published way back in 1980 <tips hat>.]
The “controller” is accountable for all that.
ISO27k control: 6.1.2, A.8.1.1, A.8.2, A.8.3, A.9.1.1, A.9.4.1, A.10, A.13.2, A.14.1.1, A.15, A.17, A.18 ... in fact almost all! For accountability: 5, A.6.1.1
Notes: Business processes plus apps, systems and networks must adequately secure personal information, requiring a comprehensive suite of technological, procedural, physical and other controls … starting with an assessment of the associated information risks. See also ‘privacy by design’ and ‘privacy by default’ (Article 25).
In order to satisfy these requirements, organisations need to know where personal info is, classify it and apply appropriate measures to address (a)-(f).
Although not stated as such, accountability is an important concept within the ‘Leadership’ section of ISO/IEC 27001.
Article 6
GDPR: Lawful processing must: (a) be consented to by the subject for the stated purpose; (b) be required by a contract; (c) be necessary for other compliance reasons; (d) be necessary to protect someone’s vital interests; (e) be required for public interest or an official authority; and/or (f) be limited if the subject is a child.
Note: there are several detailed and explicit requirements concerning lawful processing - see GDPR!
Note also that EU member states may impose additional rules.
ISO27k control: 6.1.2, A.14.1.1, A.18.1.1 etc.
Notes: This should also be covered in the assessment and treatment of information risks. It will influence the design of business processes/activities, apps, systems etc. (e.g. it may be necessary to determine someone’s age before proceeding to collect and use their personal info). These are business requirements to limit and protect personal information: many security controls are required in practice to mitigate unacceptable information risks that cannot be avoided (by not collecting/using the data) or shared (e.g. relying on some other party to get consent and collect the data - a risk in its own right!).

Article 7
GDPR: The data subject’s consent must be informed, freely given and they can withdraw it easily at any time.
ISO27k control: A.8.2.3, A.12.1.1, A.13.2.4?, A.18.1.3, 6.1.2, A.14.1.1, A.8.3.2, A.13.2 etc.
Notes: There is a requirement to request informed consent for processing (otherwise stop!) and to be able to demonstrate this. Procedures need to be in place for this and records demonstrating the consent must be protected and retained.
Withdrawal of consent implies the capability to locate and remove the personal info, perhaps during its processing and maybe also from backups and archives, plus business processes to check and handle requests.
Article 8
GDPR: Special restrictions apply to consent by/for children.
ISO27k control: See Article 7
Notes: These special restrictions apply primarily at the time information is gathered (e.g. getting a parent’s consent).

Article 9
GDPR: Special restrictions apply to particularly sensitive data concerning a person’s race, political opinions, religion, sexuality, genetic info and other biometrics etc. Processing of such info is prohibited by default unless consent is given and processing is necessary (as defined in the Article).
ISO27k control: A.8.2.1, A.8.2.3, A.14.1.1
Notes: See 7 above. It is important to identify where sensitive data may be processed, whether that is ‘necessary’ in fact, and to obtain explicit consent - factors to be considered in the design of systems, apps and business processes.

Article 10
GDPR: Special restrictions also apply to personal data concerning criminal convictions and offenses.
ISO27k control: A.7.1, A.8.2.1, A.8.2.3, 6.1.2, A.14.1.1 etc.
Notes: Any use of this information should be identified and only processed in specific circumstances. Such information should preferably not be retained except by the authorities … but may be needed for background checks, credit/fraud risk profiling etc.

Article 11
GDPR: Some restrictions don’t apply if a person cannot be identified from the data held.
ISO27k control: A.8.2.1, A.8.2.3, 6.1.2, A.14.1.1 etc.
Notes: Avoiding information risks (by NOT knowing who the subjects are) is a good option, where feasible: does the business really need to know a person’s identity or will aggregate info/statistics suffice?
Chapter III Rights of the data subject
Article 12
GDPR: Communications with data subjects must be transparent, clear and easily understood.
ISO27k control: A.12.1.1, A.14.1.1, A.16 etc.
Notes: See above. This affects the wording of web forms, notifications, telephone scripts etc. plus the processes. It may also be relevant to incident management i.e. mechanisms allowing people to enquire or complain in relation to their own personal information (implying a means to identify and authenticate them), for responding promptly, and for keeping records of such comms (e.g. to limit or charge for excessive requests).

Article 13
GDPR: When personal data are collected, people must be given (or already possess) several specific items of information such as details of the data “controller” and “data protection officer”, whether their info will be exported (especially outside the EU), how long the info will be held, their rights and how to enquire/complain etc.
ISO27k control: A.8.2.1, A.8.2.3, A.12.1.1, A.14.1.1, A.16 etc.
Notes: Procedures for the provision of fair processing information, information on the data controller and purposes for processing the data need to be defined and implemented. This relies in part on identifying where personal info is in use.

Article 14
GDPR: Similar notification requirements to Article 13 apply if personal info is obtained indirectly (e.g. a commercial mailing list?): people must be informed within a month and on the first communication with them.
ISO27k control: A.8.2.1, A.8.2.3, A.12.1.1, A.14.1, A.16 etc.
Notes: See Article 13.

Article 15
GDPR: People have the right to find out whether the organization holds their personal info, what it is being used for, to whom it may be disclosed etc., and be informed of the right to complain, get it corrected, insist on it being erased etc. People have rights to obtain a copy of their personal information.
ISO27k control: A.8.1.1, A.8.2.1, A.12.1.1, A.13.2.1, A.14.1.1 etc.
Notes: Subject rights include being able to obtain a copy of their own info (again implying the need for identification and authentication before acting on such requests), disclosing the nature of processing e.g. the logic behind and the consequences of ‘profiling’, and info about the controls if their data are exported. It may also affect backup and archive copies. See also Article 7 on withdrawal of consent.
Article 16
GDPR: People have the right to get their personal info corrected, completed, clarified etc.
ISO27k control: A.12.1.1, A.14.1, A.9, A.16?, A.12.3, A.18.1.3
Notes: Implies functional requirements to check, edit and extend stored info, with various controls concerning identification, authentication, access, validation etc. It may also affect backup and archive copies.

Article 17
GDPR: People have a right to be forgotten i.e. to have their personal info erased and no longer used.
ISO27k control: 6.1.2, A.14.1.1, A.9, A.16, A.12.3, A.8.3.2
Notes: This is a form of withdrawing consent (see Article 7). Implies system & process functional requirements to be able to erase specific stored info, with various controls concerning identification, authentication, access, validation etc. It may also affect backup and archive copies.

Article 18
GDPR: People have a right to restrict processing of their personal info.
ISO27k control: 6.1.2, A.8.2.1, A.8.2.3, A.12.1.1, A.14.1.1, A.16, A.12.3, A.18.1.1
Notes: See Articles 7, 12 etc. May need ways to identify the specific data that is to be restricted and implement new handling / processing rules. Note it may also affect backup and archive copies.

Article 19
GDPR: People have a right to know the outcome of requests to have their personal info corrected, completed, erased, restricted etc.
ISO27k control: A.12.1.1, 6.1.2, A.14.1.1, A.16 etc.
Notes: Informing/updating the originator is a conventional part of the incident management process, but there may be a separate or parallel process specifically for privacy complaints, requests etc. since the originators here are not usually employees/insiders.
Article 20
GDPR: People have a right to obtain a usable ‘portable’ electronic copy of their personal data to pass to a different controller.
ISO27k control: 6.1.2, A.13, A.14.1.1, A.8.3, A.10, A.18.1.3 etc.
Notes: Depending on your organisation’s purpose, this may seem such an unlikely scenario in practice (low risk) that it may best be handled by exception, manually, without automated IT system functions. Note that the extracted data must be limited to the identified and authenticated person/s concerned, and must be communicated securely, probably encrypted. It may also imply erasing or restricting the data and confirming this (Articles 17, 18 and 19).

Article 21
GDPR: People have a right to object to their information being used for profiling and marketing purposes.
ISO27k control: 6.1.2, A.12.1.1, A.14.1.1, A.16, A.12.3 etc.
Notes: See Article 18. May need ways to identify the specific data that is not to be processed and implement new handling / processing rules.

Article 22
GDPR: People have a right to insist that key decisions arising from automatic processing of their personal info are manually reviewed/reconsidered.
ISO27k control: 6.1.2, A.12.1.1, A.14.1.1, A.16
Notes: Profiling and decision support systems involving personal info must allow manual review and overrides, with the appropriate authorization, access and integrity controls etc.

Article 23
GDPR: National laws may modify or override various rights and restrictions for national security and other purposes.
ISO27k control: A.18.1.1
Notes: This is primarily of concern to the authorities/public bodies and their systems (e.g. police, customs, immigration, armed forces), but may affect some private/commercial organizations, either routinely (e.g. legal sector, defence industry, ISPs, CSPs, money laundering rules in financial services?) or by exception (implying a legally-sound manual process to assess and handle such exceptional situations).
Recital 39 ends with “Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing.” - an important requirement not entirely clear from the Articles.

Recital 49 notes (in effect) that systems and network security monitoring (e.g. to detect and respond to hacks, denial-of-service attacks etc.) is a “legitimate interest of the data controller concerned”, hence it is not unlawful to capture personal data during such activities (even without the data subjects’ explicit consent) … but this doesn’t negate the need to secure it, to declare it as one of the “purposes” and to inform system/network users that the information may be monitored for such purposes.

Recital 83 starts “In order to maintain security and to prevent processing in infringement of this regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption.” The information-risk-driven approach is fundamental to ISO27k.