HKSQ organized a seminar/webinar on “A Holistic Approach to Privacy Compliance and Recent Update of Information Security Standards” on 10 May 2023. SGS was the co-organizer and TQM Consultant Ltd was the supporting organization. At the beginning, Dr. Jane Wong (Chairman, HKSQ) presented souvenirs to the speakers.
(From left: Mr. Ben Tsang, Ms. Natalie Law, Mr. Chris Yau and Dr. Jane Wong)
Mr. Chris Yau (Deputy Director, Products and Services Development, SGS) was the first speaker. His topic focused on privacy, GDPR and ISO/IEC 27701 “Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management – Requirements and guidelines”.
Firstly, Mr. Yau introduced the six data processing principles under the EU General Data Protection Regulation (GDPR). Five of them cannot be satisfied by IT/security technologies alone, since they concern lawfulness, purpose, minimisation, accuracy and retention rather than technical controls; only the integrity and confidentiality principle maps directly onto security technology.
He then covered the eight data subject rights, noting that IT technologies are essential for only some of them.
Mr. Chris Yau then introduced ISO/IEC 27701, which was released in August 2019. ISO/IEC 27701 is designed as an extension to ISO/IEC 27001, and the two together form a complete Privacy Information Management System (PIMS). An organization must therefore first have an ISO/IEC 27001 information security management system in place; ISO/IEC 27701 cannot be certified on its own.
After that he showed the key structure of ISO/IEC 27701 and ISO/IEC 27001: 32 existing controls are amended in ISO/IEC 27701 with privacy-specific requirements, Annex A adds 31 controls for PII controllers, and Annex B adds 18 controls for PII processors. He then explained the difference between a Personally Identifiable Information (PII) controller and a PII processor. PII is information that identifies, relates to, describes, references, or is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual consumer or device. The PII controller is the entity that determines the purposes and means of processing PII, i.e. it defines why and how PII is processed, and it is responsible for implementing the privacy and security controls needed to meet applicable legal requirements. The PII processor processes PII on behalf of the controller, in accordance with the controller's instructions and the privacy controls the controller has set.
Finally, Mr. Chris Yau demonstrated some examples, such as a risk assessment of privacy data using CIA (Confidentiality, Integrity and Availability) and the processing of privacy data (e.g. transfer of PII overseas). He stressed that incident management must also cover privacy: in the past, many organizations treated only the interruption of operations as an incident, whereas a privacy breach such as unauthorized disclosure of PII is also an incident. Privacy considerations should further include the consent method, the opportunity to withdraw consent, and whether consent is bundled with other conditions.
Ms. Natalie Law (ISO/IEC 27001 lead auditor) was the second speaker. Her topic covered the relationship between ISO/IEC 27001 and ISO/IEC 27002, the changes in the 2022 versions, and the transition timeline for certification to the new standard.
Firstly, she explained the difference between ISO/IEC 27001 and ISO/IEC 27002. ISO/IEC 27001 is the certifiable standard, and its Annex A lists the controls; ISO/IEC 27002 provides implementation guidance for each of those controls.
The new version of ISO/IEC 27001 has a new title: “Information security, cybersecurity and privacy protection – Information security management systems – Requirements”. New sub-clauses were added and the clause numbering was changed to align with the harmonized structure shared by other management system standards such as ISO 9001:2015. Some text was changed and the Annex A controls were rearranged.
Ms. Law summarized and briefed the new or changed text.
The number of controls changed from 114 controls in ISO/IEC 27001:2013 to 93 controls in ISO/IEC 27001:2022, comprising 11 new controls, 23 renamed controls and 24 merged controls. Moreover, the 14 control domains were consolidated into 4 control themes: A.5 Organizational controls (37 controls), A.6 People controls (8 controls), A.7 Physical controls (14 controls) and A.8 Technological controls (34 controls).
The 11 new controls were also introduced.
The 23 renamed controls are shown in the following table.
The 24 merged controls were also covered, and some of them are shown in the following diagram.
Finally, Ms. Natalie Law introduced other changes in ISO/IEC 27002:2022: each control's “Objective” was replaced by a “Purpose” statement, and an attribute table was added to help users understand and categorize each control (by control type, information security property, cybersecurity concept, operational capability and security domain).
Lastly, she briefed the transition period, which ends on 31 Oct 2025.
During the Q&A session, I shared that startups and HR in large companies would be interested in a privacy management system. Mr. Chris Yau said marketing people would be more concerned, and some of their clients are startup companies.
At the end, Dr. Jane Wong also presented the HKSQ 35th anniversary book and a crystal to the speakers.
Reference:
HKSQ - https://hksq.org/
(Remark: you can download the SGS white paper after filling in the form below.)
SGS white paper - https://www.sgs.com/en/whitepapers/key-changes-in-iso-iec-27002-2022-form#white-paper-detail-signup-form