Quality Alchemist (品質煉金術師): HKSQ Webinar on: A Holistic Approach to Privacy Compliance and Recent Update of Information Security Standards

2023年5月10日星期三

HKSQ Webinar on: A Holistic Approach to Privacy Compliance and Recent Update of Information Security Standards

HKSQ organized seminar/webinar on “A Holistic Approach to Privacy Compliance and Recent Update of Information Security Standards” on 10 May 2023. SGS is coorganzer and TQM Consultant Ltd is supporting organization. In the beginning, Dr. Jane Wong (Chairman, HKSQ) presented a souvenir to speakers.

(Left: Mr. Ben Tsang, Ms. Natalie Law, Mr. Chris Yau and Dr. Jane Wong)

Mr. Chris Yau (Deputy Director, Products and Services Development, SGS) was the first speaker and his topic mainly focused on privacy, GDPR and ISO/IEC 27701 “Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management – requirement and guidelines”.

Firstly, Mr. Yau introduced 6 data processing principles under General Data Protection Regulation (GDPR) in EU. 5 of them cannot be helped by IT/security technologies alone.

Then 8 data subject rights are also mentioned and IT technologies only essential to some of these rights.

And then Mr. Chris Yau introduced the ISO/IEC 27701 which released in Aug 2019. ISO/IEC 27701 is designed to work with ISO/IEC 27001 to form a complete Privacy Information Management System. Thus, organization must first process an ISO/IEC 27001 information security management system.

After that he showed the key structure of both ISO/IEC 27701 and ISO/IEC 27001. That 32 controls in ISO/IEC 27701 are amended with privacy requirement. Annex A – 31 controls used for PII controller and Annex B – 18 controls for PII processor. He then explained the different between Personally Identifiable Information (PII) Controller and Processor. Where PII is information that identifies, relates to, describes, references or is capable of being associated with, or could be reasonably linked - directly or indirectly - with a particular individual consumer or device. The PII controller is the entity that determines the purpose and means for processing PII, define why and how PII is processed, and is responsible for the implementation of privacy and security protocols to meet applicable legal standards. The PII processor then processes PII on behalf of and in accordance with the instructions and privacy controls set by the PII controller.

Finally, Mr. Chris Yau demonstrated some examples such as risk assessment using CIA (Confidentiality, Integrity & Availability) of privacy data and processing of privacy data (e.g. transfer of PII to an overseas). Incident management should be considered on privacy. In the past, many organizations only considered the interruption of operation as incident. Thus, privacy consideration should be included consent methods, opportunity to withdraw consent and bundled with conditions.

Ms. Natalie Law (ISO/IEC 27001 lead auditor) was the second speaker and her topic included ISO/IEC 27001 & 27002 relationships, changes in 2022 version, transition timeline for new standard certification.

Firstly, she briefed the difference between ISO/IEC 27001 & 27002. ISO/IEC 27001 is certifiable and Annex A controls are important. Where ISO/IEC 27002 give guideline for implementation of different controls.

The new version of ISO/IEC 27001 changed the title named “Information security, cybersecurity and privacy protection – Information security management system – Requirements”. New sub-clauses and clause numbering changed to match ISO 9001:2015. Some texts are changed and Annex A controls rearrangement.

Some new or changed texts are summarized and briefed by Ms. Law.

Number of controls changed from 113 controls in ISO/IEC 27001:2013 to 93 controls where 11 new controls, 23 renamed controls and 24 merged controls in ISO/IEC 27001:2022. Moreover, 14 control domains consolidated into 4 control domains and they are A.5 Organization controls (37 Controls), A.6 People controls (8 Controls), A.7 Physical controls (14 Controls) and A.8 Technological controls (34 Controls).

11 New controls are also introduced.

23 controls are renamed and showed in the following table.

24 merged controls and some of them demonstrated in the following diagram.

Finally, Ms. Natalie Law introduced other changes in ISO/IEC 27002:2022 that controls from “Objective” to “Purpose” and added the attribute table that assist user to be more understanding the control.

Lastly, she briefed the transition period that would end on 31 Oct 2025.

During Q&A session, I shared that startup and HR in large company would interest in privacy management system. Mr. Chris Yau said marketing people would more concern and some of their clients are startup company.