Skip to main content
SpringerLink
Log in

From ISO/IEC 27002:2013 Information Security Controls to Personal Data Protection Controls: Guidelines for GDPR Compliance

  • Conference paper
  • First Online:
Book cover Computer Security (CyberICPS 2019, SECPRE 2019, SPOSE 2019, ADIoT 2019)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 11980))

Abstract

With the enforcement of the General Data Protection Regulation (GDPR) in EU, organisations must make adjustments in their business processes and apply appropriate technical and organisational measures to ensure the protection of the personal data they process. Further, organisations need to demonstrate compliance with GDPR. Organisational compliance demands a lot of effort both from a technical and from an organisational perspective. Nonetheless, organisations that have already applied ISO27k standards and employ an Information Security Management System and respective security controls need considerably less effort to comply with GDPR requirements. To this end, this paper aims to identify the controls provisioned in ISO/IEC 27001:2013 and ISO/IEC 27002:2013 that need to be extended in order to adequately meet, if/where possible, the data protection requirements that the GDPR imposes. Thus, an organisation that already follows ISO/IEC 27001:2013, can use this work as a basis for compliance with the GDPR.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    https://www.iso.org/the-iso-survey.html.

  2. 2.

    Provision of remote access to a secure system that would provide the data subject with direct access to their personal data.

References

  1. European Commission: Directive 95/46/EC of the European parliament and of the council. http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:31995L0046. Accessed 14 May 2017

  2. European Parliament: Regulation (EU) 2016/679 of the European parliament and of the council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing directive 95/46/EC (general data protection regulation) (2016)

    Google Scholar 

  3. Alberts, C., Dorofee, A., Stevens, J., Woody, C.: Introduction to the octave approach. Technical report, Software Engineering Institute, Carnegie-Mellon University Pittsburgh, PA (2003)

    Google Scholar 

  4. Cavoukian, A., et al.: Privacy by design: the 7 foundational principles. Information and Privacy Commissioner of Ontario, Canada 5 (2009)

    Google Scholar 

  5. CNIL 2018: Privacy impact assessment (PIA) - knowledge bases. Technical report (2018)

    Google Scholar 

  6. CSA 2018: GDPR preparation and challenges survey report from cloud security alliance (CSA). Technical report (2018). https://cloudsecurityalliance.org/articles/gdpr-preparation-and-challenges-survey-report/. Accessed 09 July 2019

  7. Diamantopoulou, V., Tsohou, A., Karyda, M.: General data protection regulation and ISO/IEC 27001:2013: synergies of activities towards organisations’ compliance. In: Gritzalis, S., Weippl, E.R., Katsikas, S.K., Anderst-Kotsis, G., Tjoa, A.M., Khalil, I. (eds.) TrustBus 2019. LNCS, vol. 11711, pp. 94–109. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-27813-7_7

    Chapter  Google Scholar 

  8. ENISA: Recommended cryptographic measures - securing personal data. Technical report (2013)

    Google Scholar 

  9. Ernst & Young 2018: Global forensic data analytics survey. Technical report (2018). https://www.ey.com/Publication/vwLUAssets/ey-how-can-you-disrupt-risk-in-an-era-of-digital-transformation/%24FILE/ey-how-can-you-disrupt-risk-in-an-era-of-digital-transformation.pdf. Accessed 09 July 2019

  10. Fredriksen, R., Kristiansen, M., Gran, B.A., Stølen, K., Opperud, T.A., Dimitrakos, T.: The CORAS framework for a model-based risk management process. In: Anderson, S., Felici, M., Bologna, S. (eds.) SAFECOMP 2002. LNCS, vol. 2434, pp. 94–105. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45732-1_11

    Chapter  Google Scholar 

  11. Gartner 2017: Gartner says organizations are unprepared for the 2018 European data protection regulation. Technical report (2017). https://www.gartner.com/en/newsroom/press-releases/2017-05-03-gartner-says-organizations-are-unprepared-for-the-2018-european-data-protection-regulation. Accessed 09 July 2019

  12. IAAP: Privacy tech vendor report. Technical report (2018)

    Google Scholar 

  13. IAPP 2018: Annual governance report. Technical report (2018). https://iapp.org/resources/article/iapp-ey-annual-governance-report-2018/. Accessed 09 July 2019

  14. IAPP 2019: GDPR one year later: looking backward and forward. Technical report (2019). https://iapp.org/news/a/gdpr-one-year-later-looking-backward-and-forward/. Accessed 09 July 2019

  15. ISO/IEC: ISO 27001:2013 information technology - security techniques - code of practice for information security controls. Technical report (2013)

    Google Scholar 

  16. ISO/IEC: ISO 27001:2013 information technology - security techniques - information security management systems - requirements. Technical report (2013)

    Google Scholar 

  17. Lambrinoudakis, C.: The general data protection regulation (GDPR) era: ten steps for compliance of data processors and data controllers. In: Furnell, S., Mouratidis, H., Pernul, G. (eds.) TrustBus 2018. LNCS, vol. 11033, pp. 3–8. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-98385-1_1

    Chapter  Google Scholar 

  18. Palmieri III, N.F.: Data protection in an increasingly globalized world. Ind. LJ 94, 297 (2019)

    Google Scholar 

  19. Pfitzmann, A., Hansen, M.: A terminology for talking about privacy by data minimization: Anonymity, unlinkability, undetectability, unobservability, pseudonymity, and identity management (2010)

    Google Scholar 

  20. Spiekermann, S., Acquisti, A., Böhme, R., Hui, K.L.: The challenges of personal data markets and privacy. Electron. Mark. 25(2), 161–167 (2015)

    Article  Google Scholar 

  21. Thomson Reuters 2019: Study finds organizations are not ready for GDPR compliance issues. Technical report (2019). https://legal.thomsonreuters.com/en/insights/articles/study-finds-organizations-not-ready-gdpr-compliance-issues. Accessed 09 July 2019

  22. Working Party 29: Guidelines on data protection impact assessment. Technical report (2019)

    Google Scholar 

  23. Yazar, Z.: A qualitative risk analysis and management tool-CRAMM. In: SANS InfoSec Reading Room White Paper, vol. 11, pp. 12–32 (2002)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Department of Information and Communication Systems Engineering, University of the Aegean, Samos, Greece

    Vasiliki Diamantopoulou & Maria Karyda

  2. Department of Informatics, Ionian University, Corfu, Greece

    Aggeliki Tsohou

Authors
  1. Vasiliki Diamantopoulou
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Aggeliki Tsohou
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Maria Karyda
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Vasiliki Diamantopoulou .

Editor information

Editors and Affiliations

  1. Open University of Cyprus, Latsia, Cyprus

    Sokratis Katsikas

  2. IMT Atlantique, Brest, France

    Frédéric Cuppens

  3. IMT Atlantique, Brest, France

    Nora Cuppens

  4. University of Piraeus, Piraeus, Greece

    Costas Lambrinoudakis

  5. University of the Aegean, Mytilene, Greece

    Christos Kalloniatis

  6. University of Toronto, Toronto, ON, Canada

    John Mylopoulos

  7. Georgia Institute of Technology, Atlanta, GA, USA

    Annie Antón

  8. University of Piraeus, Piraeus, Greece

    Stefanos Gritzalis

  9. Technical University of Berlin, Berlin, Germany

    Frank Pallas

  10. Alexander von Humboldt Institute for Internet and Society, Berlin, Germany

    Jörg Pohle

  11. Ruhr University Bochum, Bochum, Germany

    Angela Sasse

  12. Technical University of Denmark, Kongens Lyngby, Denmark

    Weizhi Meng

  13. University of Plymouth, Plymouth, UK

    Steven Furnell

  14. Télécom SudParis, Evry, France

    Joaquin Garcia-Alfaro

Rights and permissions

Reprints and permissions

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Diamantopoulou, V., Tsohou, A., Karyda, M. (2020). From ISO/IEC 27002:2013 Information Security Controls to Personal Data Protection Controls: Guidelines for GDPR Compliance. In: Katsikas, S., et al. Computer Security. CyberICPS SECPRE SPOSE ADIoT 2019 2019 2019 2019. Lecture Notes in Computer Science(), vol 11980. Springer, Cham. https://doi.org/10.1007/978-3-030-42048-2_16

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-42048-2_16

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-42047-5

  • Online ISBN: 978-3-030-42048-2

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation