Month: September 2020

Extended mapping of CIS Controls to ISO27001 security controls

Introduction

The CIS (Center for Information Security) Controls list is a very well known list of security measures to protect your environment against cyberattacks.
The Center for Information Security provides a handy XLS sheet for download to assist in your exercise.

Here is the link: https://www.cisecurity.org/controls/cis-controls-list/

Many companies use this controls list already, but also require to map their CIS security controls to ISO27001, for various reasons.

Implementing security controls with regards to the NIS directive, is one of them, eg when you’re implementing OT…

ISO27001 controls mapping

For that purpose the CIS provided a XLS mapping between the CIS controls and ISO27001.

You can download the sheet from the CIS website: https://learn.cisecurity.org/controls-sub-controls-mapping-to-ISO-v1.1.a

Security note for the security freaks, apparently the document is hosted on the pardot(dot)com Salesforce website, which might be blocked by Adlist domain blockers as it’s used for marketing campaigns, you might need to unblock it, or use Tor browser…)

Alternatively, it’s available from the CIS Workbench community at: https://workbench.cisecurity.org/files/2329 (registration might be needed to access the download)

FYI, the previous version (2019, v1) of the mapping had quite some gaps. Therefor I’ve submitted a suggestion for an updated CIS-ISO27001 mapping.
And after review, a new version (1.1) with updates has been published on the CIS workbench.

Direct download for version 1.1 available at: https://workbench.cisecurity.org/files/2329/download/3615

Still some gaps

You’ll notice that the update (1.1) version has still some gaps. And I’ll leave to the discretion of the CIS review work group to argument these gaps.


But I’m convinced you can map the CIS controls for 100% to ISO27001, in one way or another, meaning use ALL ISO27001 controls in certain extent (sometimes a subset, equally or a superset of it, combining controls.)

But the license for use of the CIS controls mapping does not allow redistribution of modified materials…

Disclaimer (the small print)

Here’s the License from the mapping file:

Their work (quote) “is licensed under a Creative Commons Attribution-Non Commercial-No Derivatives 4.0 International Public License (the link can be found at https://creativecommons.org/licenses/by-nc-nd/4.0/legalcode

To further clarify the Creative Commons license related to the CIS ControlsTM content, you are authorized to copy and redistribute the content as a framework for use by you, within your organization and outside of your organization for non-commercial purposes only, provided that (i) appropriate credit is given to CIS, and (ii) a link to the license is provided. Additionally, if you remix, transform or build upon the CIS Controls, you may not distribute the modified materials. Users of the CIS Controls framework are also required to refer to (http://www.cisecurity.org/controls/) when referring to the CIS Controls in order to ensure that users are employing the most up-to-date guidance. Commercial use of the CIS Controls is subject to the prior approval of CIS® (Center for Internet Security, Inc.).”

So I CANNOT distribute the XLS as modified material (Why not?).

Extending the mapping

If you still want to build an extended version of the mapping on your own, you download the 1.1 version and add these items to the list:

CIS sectionCoverageISO27001 Control
2.2=A.12.5.1
2.5=A.8.1.1
2.8small subsetA.12.5.1
2.10small supersetA.9.4.1/A.8.2
3.1small subsetA.12.6.1
3.2small subsetA.12.6.1
3.4small subsetA.12.6.1
3.5small subsetA.12.6.1
3.6small subsetA.12.6.1
4.1small supersetA.8.1.1/A.9.2.3 
6.5small subsetA.12.4.1 
6.6small subsetA.12.4.1 
6.8small subsetA.12.4.1 
7.3small subsetA.12.2.1
7.5small supersetA.8./A.13.1.1
7.6small subsetA.13.1.1
8.3small subsetA12.2.1
9.5small subsetA.13.1.1
10.2small subsetA.12.3.1
10.5=A.12.3.1
11.1small subsetA.13.1.1
11.2small subsetA.13.1.1
11.6small subsetA.13.1.1
12.1small subsetA.13.1.1
12.5small subsetA.13.1.1
12.10small subsetA.13.1.1
13.2small subsetA.11.2.5
14.7small subsetA.8.2.3
16.2small subsetA.9.3.1
16.3small subsetA.9.3.1
16.9small subsetA.9.2.1
16.10small subsetA.9.2.1
16.12A.12.4.1
16.13A.12.4.1
17.1=Clause 7.2
18.3=A.12.5.1
18.4A.12.5.1
18.7A.14.2.9
18.10small subsetA.14.2.5 
18.11small subsetA.14.2.5 
19.3small subsetA16.1.1
19.6small subsetA16.1.2
19.7small subsetA16.1.1
19.8small subsetA16.1.4
20.1small subsetA18.2.3
20.2small subsetA18.2.3
20.3small subsetA18.2.3
20.4small subsetA18.2.3
20.5small subsetA18.2.3
20.6small subsetA18.2.3
20.7small subsetA18.2.3
20.8small subsetA18.2.3

Planning for ISO Certification using CIS Controls?

When you look at it from a different angle and you would like to build a plan to certify your ISO27001 implementation, we need to turn around the mapping, and look for the gaps in the ISO27001 security controls AND CLAUSES, when doing the CIS control mapping.


And then you’ll notice the explicit difference in approach between CIS controls and ISO27001 controls.
CIS controls are focusing on technical implementation to harden your cybersecurity, while ISO27001 is a management system that needs these controls, but requires a management layer to support these technical controls. CIS controls are lacking this management layer.
If you compare both systems in a table the story gets clear:

The “red” areas require extra work to make it ISO27001 compliant.

And as always, if you have suggestions of feedback to improve this article, let me know, I’ll fix it on the fly.

A quick walk-through of the new ISO29184 – Online Privacy notices and consent

Source and download: https://www.iso.org/standard/70331.html

With the publication of the GDPR in 2016, it quickly became clear that it would massively impact the direct marketing sector, simply because direct marketing runs on personal data.

On 25 may 2018, the GDPR came into force, changing the global mindset on data protection (and privacy by extension).

Anno 2020, 2 years after the publication, many enterprises, large and small still struggle to apply the data protection regulation and best practices.

And for the direct marketing companies, this is a particular difficult topic, after 4 years.

So, maybe, the newly (june 2020) published standard can provide a practical help to implement consent management. Please remind that the GDPR is a regulation/law… not a best practice with hints and tips.

For hints & tips and practical advice on GDPR, check the EDPB (previously known as WP29) website: https://edpb.europa.eu/our-work-tools/general-guidance_en (Check the Our Work & Tools menu).

While there has been a lot of guidance, communication & education on implementing a direct marketing that is compliant with GDPR and ePrivacy/eCommunication regulation and directives.

Even, for other markets than direct marketing where managing personal data is optional (meaning, not part of core business), you can use this guide to manage privacy or data protection notices for your newsletters and website.

Side note

The ISO 29184 is strictly and only about privacy notices and consent, it’s not an in depth guide for direct marketing, but it’s an essential part of it.

If you need more information on the EU ePrivacy/eCommunications directive , see here: https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=celex%3A32002L0058

ISO 29184 content walk through

Document structure

After the mandatory basic chapters (Foreword, 1. Scope), the document hints to ISO 29100 in chapter 2 (Normative References) and 3. (Terms and definitions.

Important note here is that the definition of “explicit consent” has been updated to match the GDPR requirement for unambiguous affirmative consent.

Chapter 5 contains the “general requirements and recommendations”.

A major requirement (and typical for ISO compliance like in ISO9001 and ISO27001) is that you need to document the implementation of each control in this standard.

The content is structured in 5 chapters (Level 2)

  1. Overall objective
  2. Notice
  3. Contents of notice
  4. Consent
  5. Change of conditions

To read the full details, you know what to do,…

But it’s interesting to see the technical/operations controls required in this standard

General conditions on privacy notice

  • Provide information to all interested parties about your privacy practices, including
    • the identity and registered address of the data controller, and
    • contact points where the subject (in this standard the subject is called “PII principal”)
  • Provide clear and easy to understand information
    • with regards the target audience,
    • which are usually NOT lawyers or data protection specialists),
    • taking care of the expected language of your audience
  • You must determine and document the appropriate time for providing notice
    • Remember the Art. 13 and Art 14 definitions in GDPR
    • By preference, you should notify the subject immediately before collecting PII (and/or consent)
  • You must provide notices in a appropriate way
    • by preference in more than 1 way,
    • to make sure the subject can find and consult the notices,
    • digitally and in a easy accessible method
    • also after initial contact
    • As also defined in many GDPR guidelines, the consent standard refers to a multilayer approach (avoiding to provide too much information at the same time, but provide the details when needed)
  • Make sure that the privacy notice is accessible all the time.

Notice content

  • make sure you’re absolutely clear, honest and transparent about your personal data processing
  • Define, document and describe clearly
    • the processing purpose
    • each element of the processing (remember the processing definitions defined in Art. 4 of GDPR)
    • the identification of the data controller
    • the data collection details, incl
      • methods used
      • details of data collected
      • type of collection (direct, indirect, observation, inference…)
      • timing and location of collection
    • use of data, including
      • direct use without data transformation
      • reprocessing data
      • combining, like enrichment
      • automated decision making
      • transfer of data to 3rd party
      • data retention (incl backup)
    • data subject rights
      • access request
      • authentication to provide access
      • timelines
      • any fees that apply
      • how to revoke consent
      • how to file a compliant
      • how to submit a inquiry
    • Evidence about consent provided (and changed) by the subject
    • the legal basis for processing PII/personal data
    • the risks related with the data and the plausible impact to the subject privacy

Consent management

  • Identify if whether consent is appropriate
    • Remember that there are other purposes and reasons for processing data, which usually have a more stable, more solid background, like
      • contracts
      • compliance with legal obligations and regulations
      • vital interest,
      • public interest
      • (legitimate interest, which is usually way more difficult to enforce or to convince the subject)
    • Informed and freely given consent
      • how do you guarantee that the subject is providing consent without any feeling of coercing, force, conditions, …
      • Independence from other processing or consent
        • Remember the GDPR guidelines where you CANNOT force consent as
    • Inform the subject which account this processing is related to
      • provide a clear description of the identifier (userID, mail, login, …)

ISO29184 also introduces the consent lifecycle, meaning that is it’s not sufficient to provide notice at first contact with the subject, but you also need to maintain, to update and to renew it on a regular basis, taking into account that the conditions of consent might change (or might have changed after initial consent).

The last part of the ISO 29184 are annexes with interesting user interface examples.

The perfect document set

To make the online privacy and consent management work, this ISO/IEC 29184 will not do on itself as the standard links to the following documents:

  • (FREE, EN – FR) ISO 27000: ISMS vocabulary
  • (*) ISO27001: ISMS, Information Security Management Systems
  • (*) ISO27002: Code of practice for ISO 27001)
  • ISO27701: PIMS, Privacy Information Management System, the privacy or data protection extension of ISO27001
  • (FREE, EN – FR) ISO29100: Privacy framework
  • ISO29151: Code of Practices – Privacy Framework (the ISO27002 version of ISO29100)
  • ISO29134: PIA, Privacy Impact Assessment (foundation of the DPIA in GDPR)

References

Free downloads

ISO Public documents: https://ffwd2.me/FreeISO

If not available for free download, then you’ll need to purchase the ISO standards documents from the ISO e-shop or from the national standards organisation (like NBN for Belgium, NEN for Netherlands, …)