ISO27001

Visio – PDCA cycle graphics (EN, FR, NL)

This visio has a editable version of the PDCA cycle hosted on Wiki pedia as image.

Source: https://en.wikipedia.org/wiki/PDCA

Text is available under the Creative Commons Attribution-ShareAlike License  this license applies to this work too.

Quoted from source:

PDCA (plan–do–check–act or plan–do–check–adjust) is an iterative four-step management method used in business for the control and continuous improvement of processes and products.[1] It is also known as the Deming circle/cycle/wheel, the Shewhart cycle, the control circle/cycle, or plan–do–study–act (PDSA). Another version of this PDCA cycle is OPDCA.[2] The added “O” stands for observation or as some versions say: “Observe the current condition.” This emphasis on observation and current condition has currency with the literature on lean manufacturing and the Toyota Production System.[3] The PDCA cycle, with Ishikawa’s changes, can be traced back to S. Mizuno of the Tokyo Institute of Technology in 1959.[4]  

Download available on my Github library: Visio – PDCA cycle graphics

Note-to-self: MNM van KSZ (Minimale normen – Sociale Zekerheid)

Minimale Normen / Normes Minimales van de KSZ (Kruispuntbank van de Sociale Zekerheid) gebaseerd op de ISO27001/ISO27002

“De toepassing van de minimale normen informatieveiligheid en privacy is verplicht voor instellingen van sociale zekerheid overeenkomstig artikel 2, eerste lid, 2° van de wet van 15 januari 1990 houdende oprichting en organisatie van een Kruispuntbank van de Sociale Zekerheid (KSZ). Bovendien moeten de minimale normen informatieveiligheid en privacy eveneens toegepast worden door alle organisaties die deel uitmaken van het netwerk van de sociale zekerheid overeenkomstig artikel 18 van deze wet. Tenslotte kan het sectoraal comité van de sociale zekerheid en van de gezondheid de naleving van de minimale normen informatieveiligheid en privacy ook opleggen aan andere instanties dan de hogervermelde.  ”

Bookmark:

(NL) https://www.ksz-bcss.fgov.be/nl/gegevensbescherming/informatieveiligheidsbeleid

(FR) https://www.ksz-bcss.fgov.be/fr/protection-des-donnees/politique-de-securite-de-linformation

(edit)

Opmerking: voor alle duidelijkheid, op zich zijn deze documenten geen nieuwigheid maar buiten de SZ zijn deze normen minder gekend… vandaar dat het toch nuttig is om ze bij te houden als geheugensteun en referentie. Je komt er sneller mee in contact als je denkt…

CCSK – DOMAIN 4 (Compliance and Audit Management) reference material

CCSK

Preparation tool kit (with registration): https://cloudsecurityalliance.org/artifacts/ccskv4_exam_prep_kit

Separate downloads:

(ISC)² Belux Chapter

2019-04-04 meeting presentation on CCSP-CCSK

ISC2-Belux-Chapter-20190404-Event

Additional Reading

PCI-DSS

Download PCI-DSS  without registration: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf

Documentation library: https://www.pcisecuritystandards.org/document_library

SOC1/SOC2/SOC3

https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/sorhome.html

Microsoft Azure – Cloud Security Compliance (Trust center)

https://www.microsoft.com/en-us/trustcenter/compliance/compliance-overview

Documents download: https://servicetrust.microsoft.com/ViewPage/MSComplianceGuideV3

https://servicetrust.microsoft.com/ViewPage/MSComplianceGuide

Regional & country compliance: https://www.microsoft.com/en-us/trustcenter/compliance/regional-country-compliance

Google Cloud Security Compliance

Google Cloud security compliance – general

ISO27001: https://cloud.google.com/security/compliance/iso-27001/

CSA STAR

ISO Standards

ISO27001

ISO27002

ISO27017 (Cloud security)

ISO27018 (Personal data)

ISO27032 (Cybersecurity)

CSA STAR

https://cloudsecurityalliance.org/star/#_overview

Other

Interesting collection of documents & references on compliance and standards: here,  including, HIPAA, PCI-DSS, ISO27001/27002, …

 

 

 

Useful resources for GDPR starters

I realise, this braindump will never be finished, so come back once in a while to check for updates. Work in progress…

But let’s turn around the thing a bit, you certainly must have smart ideas or articles on GDPR for starters that belong on this list! Let me know and I’ll add it to the list.
Of course, with the proper credits!

DISCLAIMER: These resources are provided / authored by different people, companies, vendors, each of them copyrighted by the original owner.
The resources below are just a collection or interesting documentation, need to have, without any preference or commercial interest for any party.

Table of contents

First of all, before you start with GDPR you must have read the GDPR text.
It’s not as bad (you mean: legalese) as you might suspect.

GDPR official text

You might want to have it a bit more condensed to start.

Vocabulary / Grammar

Do not get confused: European Council vs Council of the European Union vs Council of Europe

More info at:

http://www.caneurope.org/publications/blogs/1295-what-is-the-european-council-or-the-council-of-the-european-union%C2%A0

https://www.coe.int/en/web/about-us/do-not-get-confused

GDPR Table of contents

Once you get through the legal texts… you’ll quickly understand that the GDPR text itself at least lacks 1 important thing: A table of contents (TOC).

This TOC by Intersoft Consulting might help: bookmark https://gdpr-info.eu/

It provides a nice overview of the GDPR Recitals (= reasons the articles of the GDPR have been adopted).

There are 173 recitals, the and the TOC provides a quick topic overview at https://gdpr-info.eu/recitals/.

Also the site provides an overview of the GDPR structure

  • 11 Chapters
  • Sections per chapter
  • 99 Articles (spread over sections / chapters

GDPR Library by EC

https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en

GDPR Adequacy decisions

Working Party 29

http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046

“The composition and purpose of Art. 29 WP was set out in Article 29 of the Data Protection Directive, and it was launched in 1996.”

https://en.wikipedia.org/wiki/Article_29_Data_Protection_Working_Party

The European Data Protection Board (EDPB) will replace the Article 29 Working Party under the EU General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679).

WP29 articles

Newsroom overview: http://ec.europa.eu/newsroom/article29/news.cfm
Guidelines: http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1360

WP 29 Advisory

The Article 29 Working Party Issues Final Guidelines on Data Protection Officers (“DPO”) is available here.

More info

  • Bird & Bird article, explaining
    1. Accountability means that DPO assessments need to be kept up-to-date and can be requested at anytime
    2. No “a la carte” DPO appointments
    3. Big data now an example of ‘regular and systematic monitoring’
    4. Preferably, the DPO should be located within this EU
    5. There can only be one DPO, but supported by a team
    6. Duty to ensure the confidentiality of communications between the DPO and employees
    7. Senior managers including Head of HR, Marketing or IT individuals are barred from serving as the DPO
    8. The GDPR does not prevent the DPO from maintaining records of processing
  • For a redline comparison with the earlier draft, click here.

ISO Standards related to GDPR

ISO29100 (Privacy Framework)

PIA: ISO 29134

Get the ISO29100 privacy standard for free at:

http://standards.iso.org/ittf/PubliclyAvailableStandards/c045123_ISO_IEC_29100_2011.zip

ISO27001 (Information Security)

Mandatory ISO27001 documents: ISMS mandatory documentation checklist

Mapping GDPR to ISO27001 schema

Implementing GDPR with ISO27001

https://pecb.com/oldwebinar/26-may-2018-from-gdpr-to-sustainable-gdp

GDPR at a glance

https://www.twobirds.com/~/media/pdfs/gdpr-pdfs/bird–bird–guide-to-the-general-data-protection-regulation.pdf (Credits for Moritz Anders).

Data access request

As published on LinkedIn: The Nightmare Letter: A Subject Access Request under GDPR (By: Constantine Karbaliotis)

You can download the docx Word version in EN (here) and in NL translated version (here).

Useful Tools

Open Source

Monarc – Risk Assessment: http://Monarc.lu

CNIL – DPIA Tool 

CNIL guides for PIA: https://www.cnil.fr/en/PIA-privacy-impact-assessment-en

Implementation Guidance

Visualisation sheet

Have a look what Jonas Holdensen has published, a marvelous sheet to provide a visualization on GDPR.

Also he has provided a nice overview on the DPO requirements & tasks under GDPR.

If you prefer the file in pdf or word, then download the file here: www.kortlink.dk/rhpx

GDPR Privacy Courses (work in progress)

Region Provider Course URL
WW IAPP CIPT, CIPP/E, CIPM, https://iapp.org/train/gdprready/
WW PECB PECB Certified Data protection Officer https://pecb.com/en/education-and-certification-for-individuals/gdpr
BE DP Institute Data Protection Officer Certificatie Training https://www.dp-institute.eu/nl/opleidingen/
WW IT Governance GDPR https://www.itgovernance.co.uk/data-protection-dpa-and-eu-data-protection-regulation
WW Cranium GDPR & Privacy

And some more

Legislative background

 

Note-to-self: ISO27001 & ISO27002 downloads & tools

Just a quick note if you are looking in to ISO27001 documents, to implement IT security in a best-practices-way, bookmark these:

ISO27001 specific material

BTW: there is a very interesting GDPR-ISO27001 mapping example/exercise published on the ISO27001Security.com website: GDPR-ISO27k mapping

And as a surplus, have a read of the PCI-DSS, aka the ISO27001 for Banks

Check the free download section of the ISO standards organization at: ffwd2.me/FreeISO