
The increasing importance of ISO 27001 certification

Let’s do a little refresh of the ISO 27001 and 27002 standards. Back in the nineties the British Standards Institution (BSI) published British Standard 7799, written by the UK Government’s Department of Trade and Industry. This standard consisted of two parts:
– Part 1 was a code of practice, which could be seen as an ‘extensive buffet’ of security controls that could be implemented to manage information security.
– Part 2 contained the specifications for how to implement an ISMS, with the Plan-Do-Check-Act cycle introduced in a later release.

Later on, both parts were adopted by ISO. After some revisions and name changes the BS 7799-1 standard is nowadays known as the ISO 27002 standard, while the BS 7799-2 standard is now known as the ISO 27001 standard.

As far as certification is concerned, it is quite obvious that an organisation can only become ISO 27001 certified. ISO 27002 certification is not possible, as this standard only contains best practices and guidelines. About a decade ago Belgian companies were not very eager to obtain certification. And why should they have been? There was no real pressure from governments, clients or other organisations to clearly prove that they securely manage information. And of course there were not as many threats as we face today. During the last few years we have noticed a significant change. Why? On the one hand, organisations need to protect themselves against the continuous introduction of new cyber threats, cyber attacks, vulnerabilities, technologies, social engineering techniques and even human errors. On the other hand, organisations are required to comply with new legislation as well as specific industry standards.

The GDPR requires organisations processing personal data to ‘adequately protect data’. But when is your data ‘adequately protected’ and, even more, how can you easily prove that you ‘adequately protect’ your data? ISO 27001 certification is one of the answers. Obtaining the certificate indicates that your organisation followed a risk-based approach to identify and implement effective and efficient security controls to protect information on a continuous basis. As such, the certificate will be of great value when proving ‘adequate protection of data’ towards data protection authorities.

As far as the Belgian application of the European ‘Directive on security of network and information systems’ (NIS Directive) is concerned, we can determine that ISO certification will also be the preferred way to prove that an ISMS is maintained and that efficient security controls are in place to appropriately protect information. The transposition of the NIS Directive into Belgian law is still in progress. As soon as the law takes effect and the applicable organisations are notified, those organisations have twelve months to adapt their information security policy and another twelve months to have all security controls implemented.

Both GDPR and the NIS directive indicate that obtaining or maintaining ISO 27001 certification will become more important than ever. At Toreon we already assist several organisations from different sectors getting ISO 27001 certified. Our direct and pragmatic approach is already appreciated by several customers. The Toreon GRC team will be more than happy to guide you through the complete certification process!


GDPR ready … or not?

Almost half a year ago, European history was written. OK, it was not as exciting as the big bang, the first man on the moon, the millennium bug or Trump’s election, but on May 25th 2018 a brand-new regulation saw the light of day: the GDPR – or, for people who don’t like acronyms, the General Data Protection Regulation.

In this blog post, I will tell you about some of my experiences with the state of GDPR compliance in Belgium.

The rush and the fails

A couple of days before and just after the ‘go-live date’, people got overwhelmed with e-mails from companies begging for consent to keep their personal data. Some mails were original, correct and professional, but most of them were so hilariously wrong that I instantly moved them to the “Funny Stuff” folder in my mailbox. Besides that, I kept all the e-mails asking for consent and did not respond to any of them! Why? Well, I was very curious whether these companies would contact me again later, even though I hadn’t provided consent. And what do you think? Exactly! Most of them are still contacting me …

Any better in the real world?

Is it any different in the non-digital world? Unfortunately not. A couple of weeks ago I got in touch with a life insurance agent who is going to optimize my pension plan. I had to fill in some paperwork and she had a special paper with her. She said “This paper has something to do with the new privacy law … you know … and you just have to sign it. It is a privacy notice and, by the way, if you do not want to receive direct marketing from us, you have to check this little box over here. Yes sir, as you can see we are very well aware of the new privacy requirements. Let me just take a picture of your identity card so I can finalize all the paperwork in my office…”

At that point I let out a deep sigh and gently informed the lady that I work for Toreon as a Security and Privacy consultant. She said “Oh … is there something wrong with our privacy notice?” I said “Yes, there is … for example, your retention period states that you keep my data ‘as long as necessary’. This is not very clear to me, the checkbox for direct marketing should be the other way around, and do you really want to take a picture of my identity card with your smartphone?” She was a bit disappointed, as she stated they had already put a lot of effort into getting compliant with the privacy regulation. I only said that we would love to help her get fully compliant …

A happy life…

Anyway, last weekend I went shopping with my wife. Not my favorite activity … but a happy wife is a happy life. We went to a store, bought some stuff and the shop assistant asked if we already had a loyalty card. We didn’t have one, so we just had to hand over our identity card. With a big lovely smile she said “It is much easier now that we can electronically read the identity card. It’s a new system. A while ago we still had to enter your name, address, e-mail etc. manually. Now we just have to plug it into the reader and all the data we need appears on our screen. So it’s very easy now, isn’t it?”

*silence* Again, a deep sigh was the only thing I could produce at that moment. Privacy? GDPR? Retention? My rights? Where do you store my data? “I don’t know, sir. Our system works faster than before and is much easier to use. Thank you. Goodbye!” …

Goal!… NOT!

And another one to finish. Yesterday I received a mail from the football club where my youngest son plays. Every year we go abroad to play an international football tournament. Always lots of fun and, for the players, their ‘time of the year’. So yesterday we received a mail with an Excel sheet of all participants, including their dates of birth …

I’m running out of sighs now and I’m going to play postman for the rest of the day. I will deposit the Toreon GDPR flyer in the mailboxes of companies. Not sure yet where to begin, but I will surely include an insurance agent, a store and a football club …

(Find out more about getting GDPR compliant as a small business here)


Does Microsoft ignore the GDPR data subject rights?

Some acquaintances had their Hotmail e-mail accounts blocked by Microsoft because a Microsoft algorithm suspected that unauthorized users had accessed their e-mail accounts.

For starters, I can only applaud that Microsoft takes measures to protect the confidentiality of the information stored in Hotmail mailboxes.

However, the problems started when these acquaintances tried to regain access to their mailboxes. Even after entering a lot of personal information, the Microsoft algorithm concluded that there was insufficient information to restore access.

Furthermore, they weren’t able to regain access to the mailbox through human intervention, because the telephone helpdesk (‘helpdesk’ only by name; in practice you are not helped) only refers you to a web page with a procedure that brings you full circle to the same faulty algorithm for regaining access.

In my view, this incident contains a number of clear GDPR non-conformities, such as:

  • Data subjects cannot access their own data;
  • No possibility of human intervention, to bypass an algorithm;
  • No possibility of data portability to another mailbox;
  • No possibility to delete mailbox data if a user is required to create a new account?

In summary, this makes Microsoft non-compliant with the GDPR…