Take the ISO 27001 course exam and get the EU GDPR course exam for free
LIMITED-TIME OFFER – VALID UNTIL SEPTEMBER 30, 2021

Expert Advice Community

Guest

Annex A controls to be applied while mitigating GDPR related risks

  Quote
Guest
Guest user Created:   Oct 12, 2020 Last commented:   Oct 13, 2020

Annex A controls to be applied while mitigating GDPR related risks

We are ISO 27001 compliant and we have the GDPR controls in place as well. Last time we had an external audit, the auditor had suggested that while we mentioned the GDPR related risk in the ISMS risk assessment sheet the control numbers listed were not mapped correctly. Can you advise which of the Annex A controls are to be applied while we try to mitigate GDPR related risks? Also, do we have any other Annex for GDPR related risks controls?

0 0

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Dejan Kosutic Oct 13, 2020

In general, there are no "GDPR-related risks", there are only risks related to confidentiality, integrity and availabilty of personal data.

To answer your questions:

1) Can you advise which of the Annex A controls are to be applied while we try to mitigate GDPR related risks?

Answer: Article 32 (Security of processing) of GDPR requires the following safeguards to be implemented:

  • Risk management - ISO 27001 clause 6.1
  • Encryption - ISO 27001 section A.10
  • Ability to restore the availability - ISO 27001 section A.17
  • Access control - ISO 27001 section A.9
  • Regular testing, assessing and evaluating the effectiveness - ISO 27001 clause 9.2 (Internal audit)

Further, GDPR Articles 28, 32, 33, 34, 39 and 82 require the following:

  • Relationship with suppliers / processors - ISO 27001 section A.15
  • Handling incidents / data breaches - ISO 27001 section A.16
  • Training and awareness - ISO 27001 clauses 7.3 and 7.4; control A.7.2.2
  • Ensuring confidentiality, integrity and availability - this is basically the whole ISO 27001 standard

You can find more information in this free webinar: How to integrate GDPR with ISO 27001 https://advisera.com/eugdpracademy/webinar/how-to-integrate-gdpr-with-iso-27001-free-webinar-on-demand/

 

2) Also, do we have any other Annex for GDPR related risks controls?

Answer: ISO 27001 does not have some other Annex that would cover privacy nor GDPR, however ISO 27701 standard covers privacy management in more details - here's some info: Relationship between ISO 27701, ISO 27001, and ISO 27002 https://advisera.com/27001academy/blog/2019/12/10/relationship-between-iso-27701-iso-27001-and-iso-27002/

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Oct 12, 2020

Oct 13, 2020

Suggested Topics