From ISO/IEC27001:2013 and ISO/IEC27002:2013 to GDPR compliance controls
| Author: | Maria Karyda, Vasiliki Diamantopoulou, Aggeliki Tsohou |
|---|---|
| Year of publication: | 2020 |
| Subject: | Information Systems and Management; Computer Networks and Communications; Computer science; Certification; Security controls; Management Information Systems; Identification (information); Risk analysis (engineering); Management of Technology and Innovation; General Data Protection Regulation; Data Protection Act 1998; Security management; Software; Information Systems |
| Source: | Information & Computer Security. 28:645-662 |
| ISSN: | 2056-4961 |
| DOI: | 10.1108/ics-01-2020-0004 |
| Description: | Purpose: This paper aims to identify the controls provisioned in ISO/IEC 27001:2013 and ISO/IEC 27002:2013 that need to be extended to adequately meet the data protection requirements set by the General Data Protection Regulation (GDPR); it also indicates the security management actions an organisation needs to perform to fulfil GDPR requirements. Thus, ISO/IEC 27001:2013 compliant organisations can use this paper as a basis for extending their existing security control modules towards data protection, and as guidance for reaching compliance with the regulation. Design/methodology/approach: This study followed a two-step approach. First, synergies between ISO/IEC 27001:2013 modules and GDPR requirements were identified by analysing all 14 control modules of ISO/IEC 27001:2013 and proposing the appropriate actions towards the satisfaction of data protection requirements. Second, the paper identified the GDPR requirements not addressed by ISO/IEC 27001:2013. Findings: The findings of this work include the identification of the common ground between the security controls that ISO/IEC 27001:2013 includes and the requirements that the GDPR imposes; the actions that need to be performed, based on these security controls, to adequately meet the data protection requirements of the GDPR; and the identification of the remaining actions an ISO/IEC 27001 compliant organisation needs to perform to adhere to the GDPR. Originality/value: This paper provides a gap analysis and identifies the further steps and additional actions that need to be performed for an ISO/IEC 27001:2013 certified organisation to become compliant with the GDPR. |
| Database: | OpenAIRE |
| External link: | |