ISO27001

Note-to-self: SOC2 mapping to ISO27001

Just in case you get into SOC2 and want to know how to map it to existing information security implementation, whatever it may be, GDPR, ISO27001, NIST, … check this page

https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/mappingsrelevanttothesocsuiteofservices.html

It includes:

These links have nice XLS format sheets, with a bidirectional comparison between the frameworks.

Info on SOC1/SOC2/SOC3

https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/sorhome.html

SOC and SOX?

 SOC reports refer to an audit of internal controls to ensure data security, minimal waste, and shareholder confidence; SOX relates to government-issued record keeping and financial information disclosure standards law. In other words, one is about keeping information safe, and the other is about keeping corporations in check.

https://immedis.com/blog/what-are-the-key-differences-between-soc-and-sox/

https://www.logicgate.com/blog/a-comparison-of-soc-and-sox-compliance/

Also

https://linfordco.com/blog/soc-2-security-vs-iso-27001-certification/

(braindump article, still in progress)

CCSP and CCAK, not versus: build your cloud security expertise path based on your needs.

Last week (ISC)² published a blog post on the choice between CCSP and CCAK.

You can find it here: https://www.isc2.org/articles/CCSP-versus-csa-ccak.

“What is the right certification for you?”

The main title of the (ISC)² article on CCSP vs CCAK is “CCSP Certification vs. CCAK Certificate: What Are the Distinctions?”

That’s exactly what you get. A list of technical differentiators between CCSP and CCAK, but according to (ISC)².

But if you hope to get an actual answer to what the right certification is, for you… they forget to ask …you.

What do you think would be the conclusion, if you ask that question to either one of the contestants while you compare 2 certifications? Of course each party will simply draw the conclusion that their own certification is the best choice.

To answer the most important question, the dilemma CCSP or CCAK, is simple: do you need technical or audit skills for cloud security?

The answer

In essence, the answer is simple:

  • if you need cloud audit skills, dive in to the Cloud Security Alliance (CSA) and ISACA Certificate CCAK.
  • if you want to have architect level technical cloud expertise and knowledge, choose CCSP
  • if you want cloud security knowledge, in basic or advanced hands-on, there are other choices to start with (more about it below)

So, if you ask the question “what is the right certification for you”, you immediately know that there is no right answer, but there are many options.
Options for a multi level expertise roadmap in cloud security, based on your current skills and your future goals.

If you like a tough challenge: why not jump into the CCAK or CCSP, CCSP or CCAK, whatever, right away.

But if you would like to boost your chance of success… take a deep breath and better plan smartly.

And don’t start with CCSP/CCAK, but prepare your track towards CCSP/CCAK first.

First some background to plan your roadmap

Setting expectations

Just to set expectations, this article only focuses on the personal education and certification options, offered by (ISC)², ISACA and CSA. Including other education provider would lead us too far.
There are way more other (cyber)security certifications available, but we focus on the cloud security track, which limits the options…

Feel free to comment with other options for cloud security training. I’ll update the article where relevant.

CSA CCSK

The Cloud Security Alliance launched the CCSK in 2011. And as they explained here, “the CCSK was quite literally the industry’s first examination of cloud security knowledge when it was released back in 2011. “

The CCSK is an easy entry, high level introduction to Cloud Security, and it doesn’t require you to have deep technical cloud security expertise.

But it still is a nice baseline for the cloud security essential knowledge.

(ISC)² – CCSP

In short: CCSP = CISSP [by (ISC)²]+ CCSK [by CSA]

The long version is explained in the (ISC)² article comparing CCSP and CCAK.

  • CCSP = Certified Cloud Security Professional
  • You need at least five years of cumulative, paid work experience
  • CCSP is pretty much the same level of difficulty as CISSP, but has focus on cloud security.

The CCSP was launched in 2015, as a cooperation between (ISC)² and CSA. (see CSA press release here), a couple years after the CCSK launch in 2011.
The CCSP is the bigger brother of the CCSK, more advanced, and as CSA rightfully mentions in there CCSK-CCSP comparison blog, the CCSP is on the level of CISSP with a major cloud flavor.

That’s where the dummy math description comes from…

CCSP = CISSP + CCSK.

But CCSP certainly is not an entry level exam.

More information:

ISACA & CSA – CCAK

CCAK = CISA [ISACA] + CCSK [CSA]

CCAK (Certificate of Cloud Auditing Knowledge) is cohosted by ISACA and CSA.
And then you immediately know the approach is different than the approach of (ISC)².

ISACA (Previously known as the Information Systems Audit and Control Association®) stems from audit.
CSA focuses on cloud security.

That’s exactly what CCAK is about : cloud security audit.

See here:

As ISACA mentions on their product page: “The Industry’s First Global Cloud Auditing Credential”.

CISSP

For completeness, I mentioned the CISSP ( Certified Information Systems Security Professional).
I don’t think it needs a lot of explanation, it’s pretty much the reference standard for IT Systems security. (ISC)² references it as “The World’s Premier Cybersecurity Certification”.

It’s a pretty heavy exam, and it does require at least 5 years professional security experience. This is not an entry level exam.

More info: https://www.isc2.org/Certifications/CISSP

SSCP (Systems Security Certified Practitioner)

Due to the experience requirements, CISSP might be a tough credential to start with, although you can pass the exam, and continue to build your experience to grab the CISSP title…

If you want the plan your credentials the smart way, or you’re fresh in cyber-, information or IT-security, you better start with SSCP.

That the little brother of CISSP, and it’s an excellent way to step up to CISSP. More info: https://www.isc2.org/Certifications/SSCP

Where to start?

Cybersecurity & Information security essentials

As explained earlier, for tech skills in cyber-, IT and information security: look into SSCP first.

(Then step up to CISSP.)

Cloud security essentials: CCSK

Now it’s obvious what your first step in cloud security education should be: CCSK.

The CCSK is the perfect introduction to cloud security essentials.

Although it’s very helpful to have some technical IT basic knowledge, the CCSK is very accessible for general audience.

To prepare for the CCSK, you can follow classes or self-study via a completely free preparation toolkit.

Source: CSA CCSK v4 exam (https://cloudsecurityalliance.org/artifacts/ccskv4-exam-prep-kit/)

You can buy a double-try access ticket for the CCSK online exam (60 questions, 90 minutes), so if you would fail the first attempt, study again and retry the exam.

Then plan your track: only technical (no interest for audit) or audit, or both

Only technical

If you focus on technical expertise in cloud security, CCSP is a reference standard (at least, on of them…) .

As mentioned: CCSP = CISSP + CCSK.

So the track is clear

  • After passing the CCSK exam,
  • Take the CISSP exam
  • then take the CCSP

This is the easier route if you already have 5yr+ experience. It’s not the cheapest route, as you pass the CISSP first, but it’s worth the effort. (you only need to pay 1 yearly fee at (ISC)², so after 1 certification, … no extra cost in yearly membership fee)
For junior, less experienced, security engineers, start with SSCP before jumping into CISSP, and then CCSP.

Audit

When you target IT security audits, you need to take a different route depending your background.
Having the CCSP/CISSP background is extremely useful to boost your career in audit.

But for the CCAK, the core audit baseline is CISA.

Keep in mind, similar to CISSP and CCSP, CISA has the same requirements regards professional experience, 5 years.

But if you’re a ISACA CISA, you can add CCSK to the track and land on the CCAK.

Both?

Then it’s obvious, first tech, then audit, meaning a smart combination of

  1. CCSK
  2. (SSCP > ) CISSP
  3. CCSP
  4. CISA (or alternative)
  5. CCAK

Alternative routes

ISO27001 Implementer & Auditor

And alternative route to the auditing experience is ISO27001 auditing, but you’ll need some implementation experience before you can audit.

CISM

Within the ISACA portfolio, the CISM (Certified Information Security Manager), covers the same areas as most ISO27001 (lead) implementer courses.

Which can be helpful to ramp up for the CISA audit part, to gain some hands-on in IT & Infosec governance.

Visualizing your cloud security education roadmap

Lots of blah for a simple choice?

Allow me to visualize the options…

The difference between “certification” and “certificate”, does it really matter?

In it’s blog post (ISC)² tries to put CCSP above CCAK by saying “CCSP is a certification; CCAK is a certificate.”

And they continue “A certification recognizes a candidate’s knowledge, skills, and abilities, typically framed by a job role, while a certificate’s scope is narrower and only documents training course completion. A certification often requires continuing professional education (CPE) to stay in front of trends, while a certificate’s body of knowledge does not evolve over time or require CPE credits to maintain.

And their explanation is at least flawed and cutting corners to benefit CCSP.

There are many explanations and interpretations of “certification”, depending the context.
But in essence, “certification” is a process and a certificate is a document (the result).

When you certify for “CCSP” at (ISC)², you need to comply with the CCSP condition and then get a document, your CCSP certificate.
Idem for CCAK, you need to comply with their conditions.

Both the certification process for CCSP as the process for the CCAK are used by other similar education providers.

Eg, PECB, ISACA, EC-COUNCIL, … and others require to pay a yearly fee, keep CPE/CPD (continous professional education or development). Some yearly fees are cheaper as others.

Like CSA, Microsoft and others ask for a 1 time exam fee, and then update the exam on longer term, not yearly, and do not require a yearly maintenance fee.

It’s a choice of the certificate owner, how the evaluation and exams are done.

Some of them comply to the ISO17024, and education standard. There are huge benefits to comply (like increased credibility, compatibility with other certifications, …). But it’s not mandatory.

(ISC)² uses an exam, with experience requirement and continuous education once you pass the exam, but you do not need to pass the exam again, unless it’s upgraded to a new build or major version.

But CSA does exactly the same, for example when CCSK was upgraded from v3 to v4, you needed to pass the exam again.

Not on a yearly basis, but the program is updated, the exam is updated… on a regular basis, without yearly fee.

It’s rather a (small) financial effort, not of significance for most companies paying the bill. (Although as an individual, the cost of certification can become a serious burden…)

And it’s certainly not relevant when choosing between CCSP and CCAK. CCAK is cheaper, as referenced in the (ISC)² comparison chart.

References

(ISC)²: CCSP Certification vs. CCAK Certificate: What Are the Distinctions?

Cloud Security Alliance (CSA)

CSA Certificate of Cloud Security Knowledge (CCSK)

CSA & ISACA CCAK

CCAK learning material

CCSK vs CCSP

Vocabulary (alphabetical)

CCAK: Certificate of Cloud Auditing Knowledge (https://cloudsecurityalliance.org/education/ccak/)

CCSK: Certificate of Cloud Security Knowledge (https://cloudsecurityalliance.org/education/ccsk/)

CCSP: Certified Cloud Security Professional (https://www.isc2.org/Certifications/CCSP)

CSA: Cloud Security Alliance (https://cloudsecurityalliance.org/)

(ISC)²:  International Information System Security Certification Consortium (https://www.isc2.org/)

PECB MS : Building your data protection foundation by using the ISO/IEC 27701 core components

I had a great opportunity working with PECB MS, writing an article on building a #dataprotection foundation, using #ISO27701,.. perfectly fit for small business #SMB/#smebusiness.

Your data protection is a very strong #marketing tool to become the #trustedpartner of your customers.

No doubt: Get started! Doing nothing will cost you.

You can find the article over here:

Enjoy!

And even better, get in touch if you want to have a chat building your data protection.

Extended mapping of CIS Controls to ISO27001 security controls

Introduction

The CIS (Center for Information Security) Controls list is a very well known list of security measures to protect your environment against cyberattacks.
The Center for Information Security provides a handy XLS sheet for download to assist in your exercise.

Here is the link: https://www.cisecurity.org/controls/cis-controls-list/

Many companies use this controls list already, but also require to map their CIS security controls to ISO27001, for various reasons.

Implementing security controls with regards to the NIS directive, is one of them, eg when you’re implementing OT…

ISO27001 controls mapping

For that purpose the CIS provided a XLS mapping between the CIS controls and ISO27001.

You can download the sheet from the CIS website: https://learn.cisecurity.org/controls-sub-controls-mapping-to-ISO-v1.1.a

Security note for the security freaks, apparently the document is hosted on the pardot(dot)com Salesforce website, which might be blocked by Adlist domain blockers as it’s used for marketing campaigns, you might need to unblock it, or use Tor browser…)

Alternatively, it’s available from the CIS Workbench community at: https://workbench.cisecurity.org/files/2329 (registration might be needed to access the download)

FYI, the previous version (2019, v1) of the mapping had quite some gaps. Therefor I’ve submitted a suggestion for an updated CIS-ISO27001 mapping.
And after review, a new version (1.1) with updates has been published on the CIS workbench.

Direct download for version 1.1 available at: https://workbench.cisecurity.org/files/2329/download/3615

Still some gaps

You’ll notice that the update (1.1) version has still some gaps. And I’ll leave to the discretion of the CIS review work group to argument these gaps.


But I’m convinced you can map the CIS controls for 100% to ISO27001, in one way or another, meaning use ALL ISO27001 controls in certain extent (sometimes a subset, equally or a superset of it, combining controls.)

But the license for use of the CIS controls mapping does not allow redistribution of modified materials…

Disclaimer (the small print)

Here’s the License from the mapping file:

Their work (quote) “is licensed under a Creative Commons Attribution-Non Commercial-No Derivatives 4.0 International Public License (the link can be found at https://creativecommons.org/licenses/by-nc-nd/4.0/legalcode

To further clarify the Creative Commons license related to the CIS ControlsTM content, you are authorized to copy and redistribute the content as a framework for use by you, within your organization and outside of your organization for non-commercial purposes only, provided that (i) appropriate credit is given to CIS, and (ii) a link to the license is provided. Additionally, if you remix, transform or build upon the CIS Controls, you may not distribute the modified materials. Users of the CIS Controls framework are also required to refer to (http://www.cisecurity.org/controls/) when referring to the CIS Controls in order to ensure that users are employing the most up-to-date guidance. Commercial use of the CIS Controls is subject to the prior approval of CIS® (Center for Internet Security, Inc.).”

So I CANNOT distribute the XLS as modified material (Why not?).

Extending the mapping

If you still want to build an extended version of the mapping on your own, you download the 1.1 version and add these items to the list:

CIS sectionCoverageISO27001 Control
2.2=A.12.5.1
2.5=A.8.1.1
2.8small subsetA.12.5.1
2.10small supersetA.9.4.1/A.8.2
3.1small subsetA.12.6.1
3.2small subsetA.12.6.1
3.4small subsetA.12.6.1
3.5small subsetA.12.6.1
3.6small subsetA.12.6.1
4.1small supersetA.8.1.1/A.9.2.3 
6.5small subsetA.12.4.1 
6.6small subsetA.12.4.1 
6.8small subsetA.12.4.1 
7.3small subsetA.12.2.1
7.5small supersetA.8./A.13.1.1
7.6small subsetA.13.1.1
8.3small subsetA12.2.1
9.5small subsetA.13.1.1
10.2small subsetA.12.3.1
10.5=A.12.3.1
11.1small subsetA.13.1.1
11.2small subsetA.13.1.1
11.6small subsetA.13.1.1
12.1small subsetA.13.1.1
12.5small subsetA.13.1.1
12.10small subsetA.13.1.1
13.2small subsetA.11.2.5
14.7small subsetA.8.2.3
16.2small subsetA.9.3.1
16.3small subsetA.9.3.1
16.9small subsetA.9.2.1
16.10small subsetA.9.2.1
16.12A.12.4.1
16.13A.12.4.1
17.1=Clause 7.2
18.3=A.12.5.1
18.4A.12.5.1
18.7A.14.2.9
18.10small subsetA.14.2.5 
18.11small subsetA.14.2.5 
19.3small subsetA16.1.1
19.6small subsetA16.1.2
19.7small subsetA16.1.1
19.8small subsetA16.1.4
20.1small subsetA18.2.3
20.2small subsetA18.2.3
20.3small subsetA18.2.3
20.4small subsetA18.2.3
20.5small subsetA18.2.3
20.6small subsetA18.2.3
20.7small subsetA18.2.3
20.8small subsetA18.2.3

Planning for ISO Certification using CIS Controls?

When you look at it from a different angle and you would like to build a plan to certify your ISO27001 implementation, we need to turn around the mapping, and look for the gaps in the ISO27001 security controls AND CLAUSES, when doing the CIS control mapping.


And then you’ll notice the explicit difference in approach between CIS controls and ISO27001 controls.
CIS controls are focusing on technical implementation to harden your cybersecurity, while ISO27001 is a management system that needs these controls, but requires a management layer to support these technical controls. CIS controls are lacking this management layer.
If you compare both systems in a table the story gets clear:

The “red” areas require extra work to make it ISO27001 compliant.

And as always, if you have suggestions of feedback to improve this article, let me know, I’ll fix it on the fly.

A quick walk-through of the new ISO29184 – Online Privacy notices and consent

Source and download: https://www.iso.org/standard/70331.html

With the publication of the GDPR in 2016, it quickly became clear that it would massively impact the direct marketing sector, simply because direct marketing runs on personal data.

On 25 may 2018, the GDPR came into force, changing the global mindset on data protection (and privacy by extension).

Anno 2020, 2 years after the publication, many enterprises, large and small still struggle to apply the data protection regulation and best practices.

And for the direct marketing companies, this is a particular difficult topic, after 4 years.

So, maybe, the newly (june 2020) published standard can provide a practical help to implement consent management. Please remind that the GDPR is a regulation/law… not a best practice with hints and tips.

For hints & tips and practical advice on GDPR, check the EDPB (previously known as WP29) website: https://edpb.europa.eu/our-work-tools/general-guidance_en (Check the Our Work & Tools menu).

While there has been a lot of guidance, communication & education on implementing a direct marketing that is compliant with GDPR and ePrivacy/eCommunication regulation and directives.

Even, for other markets than direct marketing where managing personal data is optional (meaning, not part of core business), you can use this guide to manage privacy or data protection notices for your newsletters and website.

Side note

The ISO 29184 is strictly and only about privacy notices and consent, it’s not an in depth guide for direct marketing, but it’s an essential part of it.

If you need more information on the EU ePrivacy/eCommunications directive , see here: https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=celex%3A32002L0058

ISO 29184 content walk through

Document structure

After the mandatory basic chapters (Foreword, 1. Scope), the document hints to ISO 29100 in chapter 2 (Normative References) and 3. (Terms and definitions.

Important note here is that the definition of “explicit consent” has been updated to match the GDPR requirement for unambiguous affirmative consent.

Chapter 5 contains the “general requirements and recommendations”.

A major requirement (and typical for ISO compliance like in ISO9001 and ISO27001) is that you need to document the implementation of each control in this standard.

The content is structured in 5 chapters (Level 2)

  1. Overall objective
  2. Notice
  3. Contents of notice
  4. Consent
  5. Change of conditions

To read the full details, you know what to do,…

But it’s interesting to see the technical/operations controls required in this standard

General conditions on privacy notice

  • Provide information to all interested parties about your privacy practices, including
    • the identity and registered address of the data controller, and
    • contact points where the subject (in this standard the subject is called “PII principal”)
  • Provide clear and easy to understand information
    • with regards the target audience,
    • which are usually NOT lawyers or data protection specialists),
    • taking care of the expected language of your audience
  • You must determine and document the appropriate time for providing notice
    • Remember the Art. 13 and Art 14 definitions in GDPR
    • By preference, you should notify the subject immediately before collecting PII (and/or consent)
  • You must provide notices in a appropriate way
    • by preference in more than 1 way,
    • to make sure the subject can find and consult the notices,
    • digitally and in a easy accessible method
    • also after initial contact
    • As also defined in many GDPR guidelines, the consent standard refers to a multilayer approach (avoiding to provide too much information at the same time, but provide the details when needed)
  • Make sure that the privacy notice is accessible all the time.

Notice content

  • make sure you’re absolutely clear, honest and transparent about your personal data processing
  • Define, document and describe clearly
    • the processing purpose
    • each element of the processing (remember the processing definitions defined in Art. 4 of GDPR)
    • the identification of the data controller
    • the data collection details, incl
      • methods used
      • details of data collected
      • type of collection (direct, indirect, observation, inference…)
      • timing and location of collection
    • use of data, including
      • direct use without data transformation
      • reprocessing data
      • combining, like enrichment
      • automated decision making
      • transfer of data to 3rd party
      • data retention (incl backup)
    • data subject rights
      • access request
      • authentication to provide access
      • timelines
      • any fees that apply
      • how to revoke consent
      • how to file a compliant
      • how to submit a inquiry
    • Evidence about consent provided (and changed) by the subject
    • the legal basis for processing PII/personal data
    • the risks related with the data and the plausible impact to the subject privacy

Consent management

  • Identify if whether consent is appropriate
    • Remember that there are other purposes and reasons for processing data, which usually have a more stable, more solid background, like
      • contracts
      • compliance with legal obligations and regulations
      • vital interest,
      • public interest
      • (legitimate interest, which is usually way more difficult to enforce or to convince the subject)
    • Informed and freely given consent
      • how do you guarantee that the subject is providing consent without any feeling of coercing, force, conditions, …
      • Independence from other processing or consent
        • Remember the GDPR guidelines where you CANNOT force consent as
    • Inform the subject which account this processing is related to
      • provide a clear description of the identifier (userID, mail, login, …)

ISO29184 also introduces the consent lifecycle, meaning that is it’s not sufficient to provide notice at first contact with the subject, but you also need to maintain, to update and to renew it on a regular basis, taking into account that the conditions of consent might change (or might have changed after initial consent).

The last part of the ISO 29184 are annexes with interesting user interface examples.

The perfect document set

To make the online privacy and consent management work, this ISO/IEC 29184 will not do on itself as the standard links to the following documents:

  • (FREE, EN – FR) ISO 27000: ISMS vocabulary
  • (*) ISO27001: ISMS, Information Security Management Systems
  • (*) ISO27002: Code of practice for ISO 27001)
  • ISO27701: PIMS, Privacy Information Management System, the privacy or data protection extension of ISO27001
  • (FREE, EN – FR) ISO29100: Privacy framework
  • ISO29151: Code of Practices – Privacy Framework (the ISO27002 version of ISO29100)
  • ISO29134: PIA, Privacy Impact Assessment (foundation of the DPIA in GDPR)

References

Free downloads

ISO Public documents: https://ffwd2.me/FreeISO

If not available for free download, then you’ll need to purchase the ISO standards documents from the ISO e-shop or from the national standards organisation (like NBN for Belgium, NEN for Netherlands, …)

Visio – PDCA cycle graphics (EN, FR, NL)

This visio has a editable version of the PDCA cycle hosted on Wiki pedia as image.

Source: https://en.wikipedia.org/wiki/PDCA

Text is available under the Creative Commons Attribution-ShareAlike License  this license applies to this work too.

Quoted from source:

PDCA (plan–do–check–act or plan–do–check–adjust) is an iterative four-step management method used in business for the control and continuous improvement of processes and products.[1] It is also known as the Deming circle/cycle/wheel, the Shewhart cycle, the control circle/cycle, or plan–do–study–act (PDSA). Another version of this PDCA cycle is OPDCA.[2] The added “O” stands for observation or as some versions say: “Observe the current condition.” This emphasis on observation and current condition has currency with the literature on lean manufacturing and the Toyota Production System.[3] The PDCA cycle, with Ishikawa’s changes, can be traced back to S. Mizuno of the Tokyo Institute of Technology in 1959.[4]  

Download available on my Github library: Visio – PDCA cycle graphics

Note-to-self: MNM van KSZ (Minimale normen – Sociale Zekerheid)

Minimale Normen / Normes Minimales van de KSZ (Kruispuntbank van de Sociale Zekerheid) gebaseerd op de ISO27001/ISO27002

“De toepassing van de minimale normen informatieveiligheid en privacy is verplicht voor instellingen van sociale zekerheid overeenkomstig artikel 2, eerste lid, 2° van de wet van 15 januari 1990 houdende oprichting en organisatie van een Kruispuntbank van de Sociale Zekerheid (KSZ). Bovendien moeten de minimale normen informatieveiligheid en privacy eveneens toegepast worden door alle organisaties die deel uitmaken van het netwerk van de sociale zekerheid overeenkomstig artikel 18 van deze wet. Tenslotte kan het sectoraal comité van de sociale zekerheid en van de gezondheid de naleving van de minimale normen informatieveiligheid en privacy ook opleggen aan andere instanties dan de hogervermelde.  ”

Bookmark:

(NL) https://www.ksz-bcss.fgov.be/nl/gegevensbescherming/informatieveiligheidsbeleid

(FR) https://www.ksz-bcss.fgov.be/fr/protection-des-donnees/politique-de-securite-de-linformation

(edit)

Opmerking: voor alle duidelijkheid, op zich zijn deze documenten geen nieuwigheid maar buiten de SZ zijn deze normen minder gekend… vandaar dat het toch nuttig is om ze bij te houden als geheugensteun en referentie. Je komt er sneller mee in contact als je denkt…

CCSK – DOMAIN 4 (Compliance and Audit Management) reference material

CCSK

Preparation tool kit (with registration): https://cloudsecurityalliance.org/artifacts/ccskv4_exam_prep_kit

Separate downloads:

(ISC)² Belux Chapter

2019-04-04 meeting presentation on CCSP-CCSK

ISC2-Belux-Chapter-20190404-Event

Additional Reading

PCI-DSS

Download PCI-DSS  without registration: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf

Documentation library: https://www.pcisecuritystandards.org/document_library

SOC1/SOC2/SOC3

https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/sorhome.html

Microsoft Azure – Cloud Security Compliance (Trust center)

https://www.microsoft.com/en-us/trustcenter/compliance/compliance-overview

Documents download: https://servicetrust.microsoft.com/ViewPage/MSComplianceGuideV3

https://servicetrust.microsoft.com/ViewPage/MSComplianceGuide

Regional & country compliance: https://www.microsoft.com/en-us/trustcenter/compliance/regional-country-compliance

Google Cloud Security Compliance

Google Cloud security compliance – general

ISO27001: https://cloud.google.com/security/compliance/iso-27001/

CSA STAR

ISO Standards

ISO27001

ISO27002

ISO27017 (Cloud security)

ISO27018 (Personal data)

ISO27032 (Cybersecurity)

CSA STAR

https://cloudsecurityalliance.org/star/#_overview

Other

Interesting collection of documents & references on compliance and standards: here,  including, HIPAA, PCI-DSS, ISO27001/27002, …

 

 

 

Useful resources for GDPR starters

I realise, this braindump will never be finished, so come back once in a while to check for updates. Work in progress… (updated 2021-02-23)

But let’s turn around the thing a bit, you certainly must have smart ideas or articles on GDPR for starters that belong on this list! Let me know and I’ll add it to the list.
Of course, with the proper credits!

DISCLAIMER: These resources are provided / authored by different people, companies, vendors, each of them copyrighted by the original owner.
The resources below are just a collection or interesting documentation, need to have, without any preference or commercial interest for any party.

Table of contents

First of all, before you start with GDPR you must have read the GDPR text.
It’s not as bad (you mean: legalese) as you might suspect.

GDPR official text

You might want to have it a bit more condensed to start.

Vocabulary / Grammar

Do not get confused: European Council vs Council of the European Union vs Council of Europe

More info at:

http://www.caneurope.org/publications/blogs/1295-what-is-the-european-council-or-the-council-of-the-european-union%C2%A0

https://www.coe.int/en/web/about-us/do-not-get-confused

GDPR Table of contents

Once you get through the legal texts… you’ll quickly understand that the GDPR text itself at least lacks 1 important thing: A table of contents (TOC).

This TOC by Intersoft Consulting might help: bookmark https://gdpr-info.eu/

It provides a nice overview of the GDPR Recitals (= reasons the articles of the GDPR have been adopted).

There are 173 recitals, the and the TOC provides a quick topic overview at https://gdpr-info.eu/recitals/.

Also the site provides an overview of the GDPR structure

  • 11 Chapters
  • Sections per chapter
  • 99 Articles (spread over sections / chapters

GDPR Library by EC

https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en

GDPR Adequacy decisions

Working Party 29

http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046

“The composition and purpose of Art. 29 WP was set out in Article 29 of the Data Protection Directive, and it was launched in 1996.”

https://en.wikipedia.org/wiki/Article_29_Data_Protection_Working_Party

The European Data Protection Board (EDPB) will replace the Article 29 Working Party under the EU General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679).

WP29 articles

Newsroom overview: http://ec.europa.eu/newsroom/article29/news.cfm
Guidelines: http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1360

WP 29 Advisory

The Article 29 Working Party Issues Final Guidelines on Data Protection Officers (“DPO”) is available here.

More info

  • Bird & Bird article, explaining
    1. Accountability means that DPO assessments need to be kept up-to-date and can be requested at anytime
    2. No “a la carte” DPO appointments
    3. Big data now an example of ‘regular and systematic monitoring’
    4. Preferably, the DPO should be located within this EU
    5. There can only be one DPO, but supported by a team
    6. Duty to ensure the confidentiality of communications between the DPO and employees
    7. Senior managers including Head of HR, Marketing or IT individuals are barred from serving as the DPO
    8. The GDPR does not prevent the DPO from maintaining records of processing
  • For a redline comparison with the earlier draft, click here.

ISO Standards related to GDPR

ISO29100 (Privacy Framework)

PIA: ISO 29134

Get the ISO29100 privacy standard for free at:

http://standards.iso.org/ittf/PubliclyAvailableStandards/c045123_ISO_IEC_29100_2011.zip

ISO27001 (Information Security)

Mandatory ISO27001 documents: ISMS mandatory documentation checklist

Mapping GDPR to ISO27001 schema

Implementing GDPR with ISO27001

https://pecb.com/oldwebinar/26-may-2018-from-gdpr-to-sustainable-gdp

GDPR at a glance

https://www.twobirds.com/~/media/pdfs/gdpr-pdfs/bird–bird–guide-to-the-general-data-protection-regulation.pdf (Credits for Moritz Anders).

Data access request

As published on LinkedIn: The Nightmare Letter: A Subject Access Request under GDPR (By: Constantine Karbaliotis)

You can download the docx Word version in EN (here) and in NL translated version (here).

Useful Tools

Open Source

Monarc – Risk Assessment: http://Monarc.lu

CNIL – DPIA Tool 

CNIL guides for PIA: https://www.cnil.fr/en/PIA-privacy-impact-assessment-en

Implementation Guidance

Visualisation sheet

Have a look what Jonas Holdensen has published, a marvelous sheet to provide a visualization on GDPR.

Also he has provided a nice overview on the DPO requirements & tasks under GDPR.

If you prefer the file in pdf or word, then download the file here: www.kortlink.dk/rhpx

GDPR Privacy Courses (work in progress)

Region Provider Course URL
WW IAPP CIPT, CIPP/E, CIPM, https://iapp.org/train/gdprready/
WW PECB PECB Certified Data protection Officer https://pecb.com/en/education-and-certification-for-individuals/gdpr
BE DP Institute Data Protection Officer Certificatie Training https://www.dp-institute.eu/nl/opleidingen/
WW IT Governance GDPR https://www.itgovernance.co.uk/data-protection-dpa-and-eu-data-protection-regulation
WW Cranium GDPR & Privacy

And some more

Legislative background

Note-to-self: ISO27001 & ISO27002 downloads & tools

Just a quick note if you are looking in to ISO27001 documents, to implement IT security in a best-practices-way, bookmark these:

ISO27001 specific material

BTW: there is a very interesting GDPR-ISO27001 mapping example/exercise published on the ISO27001Security.com website: GDPR-ISO27k mapping

And as a surplus, have a read of the PCI-DSS, aka the ISO27001 for Banks

Check the free download section of the ISO standards organization at: ffwd2.me/FreeISO