Data Security and Privacy-related ISO/IEC Certifications
Written by Ashwin Chaudhary, CEO of Accedere.
In this blog, we will focus on Data Security and Privacy-related ISO/IEC Certifications. With the cybercrime market expected to reach 10.5 trillion USD and data security breaches on the rise, the need for third-party vendor certifications is also increasing.
The most popular ISO/IEC certification is ISO/IEC 27001:2013, which has shown an increasing trend in adoption by organizations, and we see year-over-year growth in ISO 27001 certification requirements. The ISO/IEC 27001 standard is expected to be revised with major updates sometime in 2022, although it had minor updates in 2018. ISO 27001 is the leading certifiable standard in the ISO/IEC 27000 family.
Due to increasing privacy concerns, newer standards such as ISO/IEC 27701:2019, the Privacy Information Management System (PIMS), are gaining demand too. ISO/IEC 27701:2019 is an extension to ISO/IEC 27001 and 27002. Organizations must first be certified for ISO/IEC 27001 before they can also be certified for ISO/IEC 27701, though both can be done in the same engagement.
To help with privacy implementation, ISO recently published a new standard, ISO/IEC 27555:2021 Information security, cybersecurity, and privacy protection — Guidelines on personally identifiable information deletion. This standard contains guidelines for developing and establishing policies and procedures for the deletion of personally identifiable information (PII) in organizations by specifying:
- a harmonized terminology for PII deletion;
- an approach for efficiently defining deletion rules;
- a description of required documentation; and,
- a broad definition of roles, responsibilities, and processes.
PII data is lucrative for some of the following reasons:
- Data is being bought and sold as a commodity on the dark web.
- Scanned passports sell for about $15 each; US passports for $1000-2000.
- Social Security numbers with other information fetch about $8 each.
- Credit card data can range from $5 to $45 in value, depending on the volume and whether it comes with SSN, date of birth, and CVV.
- Educational diplomas may be between $100-400.
- Medical records can get about $2000.
- Analytics on combined PII data can be misused for political or financial gain, as in the case of Cambridge Analytica.
- According to the U.S. General Accounting Office, 87% of the U.S. population can be uniquely identified using only gender, date of birth, and ZIP code.
We also have ISO/IEC 27018, which provides a code of practice for the protection of personally identifiable information (PII) in public clouds acting as PII processors, in line with the privacy principles of ISO/IEC 29100 for the public cloud computing environment.
ISO/IEC 29100:2011 provides a privacy framework which:
- specifies a common privacy terminology;
- defines the actors and their roles in processing personally identifiable information (PII);
- describes privacy safeguarding considerations; and
- provides references to known privacy principles for information technology.
ISO/IEC 29100:2011 applies to natural persons and organizations involved in specifying, procuring, architecting, designing, developing, testing, maintaining, administering, and operating information and communication technology systems or services where privacy controls are required for the processing of PII.
This new standard defines a common terminology to be used in the context of third-party payment (TPP). It establishes two logical structural models in which the assets to be protected are clarified, and it specifies security objectives based on the analysis of those logical structural models and the interaction of the assets affected by threats, organizational security policies, and assumptions. These security objectives are set out to counter the threats resulting from the intermediary nature of third-party payment service providers (TPPSPs) offering payment services, compared with simpler payment models where the payer and the payee interact directly with their respective account servicing payment service provider (ASPSP).
With increasing data security and privacy fines, these new ISO/IEC standards can help towards compliance with data security and privacy mandates like GDPR, CCPA, the new Colorado Privacy Act, and many other regulations. Organizations can use these ISO/IEC standards to demonstrate their controls and provide some assurance to their customers that they follow international best practices to keep their customers' data safe. The new AICPA Privacy Management Framework (PMF) also helps in adopting an enterprise privacy standard that can align with many such privacy regulations. This new Privacy Management Framework replaces the old GAPP (Generally Accepted Privacy Principles). The SOC 2 approach uses the AICPA Trust Services Criteria 2017 for auditors to attest to the privacy controls. The new CCM 4 version by the Cloud Security Alliance also has many of the data security and privacy controls as applied to cloud environments. CCM 4 also has mappings to ISO/IEC and SOC 2, along with other mappings.
About the Author
Ashwin Chaudhary is an MBA and CPA with certifications such as CIPT, CISSP, CCSK, CISA, CISM, CRISC, CGEIT, ISO27001LA, ITIL, PMP, etc. Ashwin is the CEO of Accedere Inc, a CSA-empanelled auditor firm for the STAR Certification as well as the CSA Attestation. Accedere Inc is also an ISO/IEC Accredited Certification Body as well as a CPA firm that can attest to SOC reports. Accedere has been providing the CSA STAR Level 2 Attestation for the past 3 years.