Abstract
With the enforcement of the General Data Protection Regulation (GDPR) in EU, organisations must make adjustments in their business processes and apply appropriate technical and organisational measures to ensure the protection of the personal data they process. Further, organisations need to demonstrate compliance with GDPR. Organisational compliance demands a lot of effort both from a technical and from an organisational perspective. Nonetheless, organisations that have already applied ISO27k standards and employ an Information Security Management System and respective security controls need considerably less effort to comply with GDPR requirements. To this end, this paper aims to identify the controls provisioned in ISO/IEC 27001:2013 and ISO/IEC 27002:2013 that need to be extended in order to adequately meet, if/where possible, the data protection requirements that the GDPR imposes. Thus, an organisation that already follows ISO/IEC 27001:2013, can use this work as a basis for compliance with the GDPR.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
- 2.
Provision of remote access to a secure system that would provide the data subject with direct access to their personal data.
References
European Commission: Directive 95/46/EC of the European parliament and of the council. http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:31995L0046. Accessed 14 May 2017
European Parliament: Regulation (EU) 2016/679 of the European parliament and of the council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing directive 95/46/EC (general data protection regulation) (2016)
Alberts, C., Dorofee, A., Stevens, J., Woody, C.: Introduction to the octave approach. Technical report, Software Engineering Institute, Carnegie-Mellon University Pittsburgh, PA (2003)
Cavoukian, A., et al.: Privacy by design: the 7 foundational principles. Information and Privacy Commissioner of Ontario, Canada 5 (2009)
CNIL 2018: Privacy impact assessment (PIA) - knowledge bases. Technical report (2018)
CSA 2018: GDPR preparation and challenges survey report from cloud security alliance (CSA). Technical report (2018). https://cloudsecurityalliance.org/articles/gdpr-preparation-and-challenges-survey-report/. Accessed 09 July 2019
Diamantopoulou, V., Tsohou, A., Karyda, M.: General data protection regulation and ISO/IEC 27001:2013: synergies of activities towards organisations’ compliance. In: Gritzalis, S., Weippl, E.R., Katsikas, S.K., Anderst-Kotsis, G., Tjoa, A.M., Khalil, I. (eds.) TrustBus 2019. LNCS, vol. 11711, pp. 94–109. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-27813-7_7
ENISA: Recommended cryptographic measures - securing personal data. Technical report (2013)
Ernst & Young 2018: Global forensic data analytics survey. Technical report (2018). https://www.ey.com/Publication/vwLUAssets/ey-how-can-you-disrupt-risk-in-an-era-of-digital-transformation/%24FILE/ey-how-can-you-disrupt-risk-in-an-era-of-digital-transformation.pdf. Accessed 09 July 2019
Fredriksen, R., Kristiansen, M., Gran, B.A., Stølen, K., Opperud, T.A., Dimitrakos, T.: The CORAS framework for a model-based risk management process. In: Anderson, S., Felici, M., Bologna, S. (eds.) SAFECOMP 2002. LNCS, vol. 2434, pp. 94–105. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45732-1_11
Gartner 2017: Gartner says organizations are unprepared for the 2018 European data protection regulation. Technical report (2017). https://www.gartner.com/en/newsroom/press-releases/2017-05-03-gartner-says-organizations-are-unprepared-for-the-2018-european-data-protection-regulation. Accessed 09 July 2019
IAAP: Privacy tech vendor report. Technical report (2018)
IAPP 2018: Annual governance report. Technical report (2018). https://iapp.org/resources/article/iapp-ey-annual-governance-report-2018/. Accessed 09 July 2019
IAPP 2019: GDPR one year later: looking backward and forward. Technical report (2019). https://iapp.org/news/a/gdpr-one-year-later-looking-backward-and-forward/. Accessed 09 July 2019
ISO/IEC: ISO 27001:2013 information technology - security techniques - code of practice for information security controls. Technical report (2013)
ISO/IEC: ISO 27001:2013 information technology - security techniques - information security management systems - requirements. Technical report (2013)
Lambrinoudakis, C.: The general data protection regulation (GDPR) era: ten steps for compliance of data processors and data controllers. In: Furnell, S., Mouratidis, H., Pernul, G. (eds.) TrustBus 2018. LNCS, vol. 11033, pp. 3–8. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-98385-1_1
Palmieri III, N.F.: Data protection in an increasingly globalized world. Ind. LJ 94, 297 (2019)
Pfitzmann, A., Hansen, M.: A terminology for talking about privacy by data minimization: Anonymity, unlinkability, undetectability, unobservability, pseudonymity, and identity management (2010)
Spiekermann, S., Acquisti, A., Böhme, R., Hui, K.L.: The challenges of personal data markets and privacy. Electron. Mark. 25(2), 161–167 (2015)
Thomson Reuters 2019: Study finds organizations are not ready for GDPR compliance issues. Technical report (2019). https://legal.thomsonreuters.com/en/insights/articles/study-finds-organizations-not-ready-gdpr-compliance-issues. Accessed 09 July 2019
Working Party 29: Guidelines on data protection impact assessment. Technical report (2019)
Yazar, Z.: A qualitative risk analysis and management tool-CRAMM. In: SANS InfoSec Reading Room White Paper, vol. 11, pp. 12–32 (2002)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Diamantopoulou, V., Tsohou, A., Karyda, M. (2020). From ISO/IEC 27002:2013 Information Security Controls to Personal Data Protection Controls: Guidelines for GDPR Compliance. In: Katsikas, S., et al. Computer Security. CyberICPS SECPRE SPOSE ADIoT 2019 2019 2019 2019. Lecture Notes in Computer Science(), vol 11980. Springer, Cham. https://doi.org/10.1007/978-3-030-42048-2_16
Download citation
DOI: https://doi.org/10.1007/978-3-030-42048-2_16
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-42047-5
Online ISBN: 978-3-030-42048-2
eBook Packages: Computer ScienceComputer Science (R0)