The increasing importance of ISO 27001 certification

Let’s do a little refresh about the ISO 27001 and 27002 standard. Back in the nineties the British Standard Institution (BSI) published the British Standard 7799, written by the UK Government’s Department of Trade and Industry. This standard consisted of 2 parts:
– Part 1 was a code of practice which could be seen as an ‘extensive buffet’ of security controls which could be implemented to manage information security
– Part 2 contained the specifications on how to implement an ISMS, including the introduction of the Plan-Do-Check-Act cycle in a future release.

Later on, both parts were adopted by ISO. After some revisions and name changes the BS 7799-1 standard is nowadays known as the ISO 27002 standard, while the BS 7799-2 standard is now known as the ISO 27001 standard.

As far as certification is concerned, it is quite obvious that an organisation can only become ISO 27001 certified. ISO 27002 certification is not possible as this standard only contains best practices and guidelines. About a decade ago Belgian companies were not very eager to obtain certification. And why should they? There was no real pressure from governments, clients or other organisations to clearly prove they securely manage information. And of course there were not as many threats as we face today. During the last few years we noticed a significant change. Why? On one hand, organisations need to protect themselves against the continuous introduction of new cyber threats, cyber attacks, vulnerabilities, technologies, social engineering techniques and even human errors. On the other hand, organisations are required to comply with new legislation as well as specific industry standards.

The GDPR requires organisations processing personal data to ‘adequately protect data’. But when is your data ‘adequately protected’ and, even more, how can you easily prove you ‘adequately protect’ your data? ISO 27001 certification is one of the answers. Obtaining the certificate indicates that your organisation followed a risk based approach to identify and implement effective and efficient security controls to protect information on a continuous basis. As such, the certificate will be of great value when proving ‘adequate protection of data’ towards data protection authorities.

As far as the Belgian application of the European ‘Directive on security of network and information systems’ (NIS Directive) is concerned, we expect that ISO certification will also be the preferred way to prove that an ISMS is maintained and that efficient security controls are in place to appropriately protect information. The transposition of the NIS Directive into a Belgian law is still in progress. As soon as the law is effective and the applicable organisations are notified, organisations have twelve months to adapt their information security policy and another twelve months to have all security controls implemented.

Both GDPR and the NIS directive indicate that obtaining or maintaining ISO 27001 certification will become more important than ever. At Toreon we already assist several organisations from different sectors getting ISO 27001 certified. Our direct and pragmatic approach is already appreciated by several customers. The Toreon GRC team will be more than happy to guide you through the complete certification process!

GDPR ready … or not?

Almost half a year ago, European history was written. OK, it was not as exciting as the big bang, the first man on the moon, the millennium bug or Trump’s election, but on May 25th 2018 a brand-new regulation saw the light of day: the GDPR – or for people who don’t like acronyms the General Data Protection Regulation.

In this blog post, I will tell you about some of my experiences with the state of GDPR compliance in Belgium.

The rush and the fails

A couple of days before and just after the ‘go-live date’, people got overwhelmed with e-mails from companies begging for consent to maintain your personal data. Some mails were original, correct and professional but most of them were so hilariously wrong that I instantly moved them to my “Funny Stuff” folder in my mailbox. Besides that, I even kept all emails asking for consent and did not respond to any of them! Why? Well, I was very curious if these companies were about to contact me again later, even if I didn’t provide consent. And what do you think? Exactly! Most of them are still contacting me …

Any better in the real world?

Is it different in the non-digital world? Unfortunately not. A couple of weeks ago I got in touch with a life insurance agent who will optimize my pension plan. I had to fill in some paperwork and she had a special paper with her. She said “This paper has something to do with the new privacy law … you know … and you just have to sign it. It is a privacy notice and by the way, if you do not want to receive direct marketing from us, you have to check this little box over here. Yes sir, as you can see we are very well aware of the new privacy requirements. Let me just take a picture of your identity card so I can finalize all paperwork in my office…”

At that point I made a deep sigh and gently informed the lady I work for Toreon as a Security and Privacy consultant. She said “Oh … is there something wrong with our privacy notice?” I said “Yes, there is … for example your retention period states that you keep my data “as long as necessary”. This is not very clear to me and the checkbox for direct marketing should be the other way around and you really want to take a picture of my identity card with your smartphone?”. She was a bit disappointed as she stated they already put a lot of effort to get compliant with the privacy regulation. I only said that we would love to help her out to get fully compliant …

A happy life…

Anyway, last weekend I went shopping with my wife. Not my favorite activity … but a happy wife is a happy life. We went to a store, bought some stuff and the shop assistant asked if we already had a loyalty card. We didn’t have one so we just had to give our identity card. With a big lovely smile she said “It is much easier now that we can electronically read the identity card. It’s a new system. A while ago we still had to enter your name, address, e-mail etc. manually. Now we just have to plug it into the reader and all data we need appears on our screen. So it’s very easy now isn’t it?”

*silence* Again, a deep sigh was the only thing I could produce at that moment. Privacy? GDPR? Retention? My rights? Where do you store my data? “I don’t know, sir. Our system works faster than before and is much easier to use. Thank you. Goodbye!” …

Goal!… NOT!

And another one to finish. Yesterday I received a mail from the football club where my youngest son is playing. Every year we go abroad to play an international football tournament. Always lots of fun and for the players their ‘time of the year’. So yesterday we received a mail with an Excel sheet of all participants, including their date of birth …

I’m running out of sighs now and I’m going to play postman for the rest of the day. I will deposit the Toreon GDPR flyer in the mailbox of companies. Not sure yet where to begin, but I will surely include an insurance agent, a store and a football club …

(Find out more about getting GDPR compliant as a small business here)

Does Microsoft ignore the GDPR data subject rights?

Some acquaintances had their Hotmail e-mail accounts blocked by Microsoft because a Microsoft algorithm suspected that unauthorized users had accessed their e-mail accounts.

For starters, I can only applaud that Microsoft takes measures to protect the confidentiality of the information stored in Hotmail mailboxes.

However, the problems started when these acquaintances tried to regain access to their mailboxes. Even after entering a lot of personal information, the Microsoft algorithm concluded that there was insufficient information to restore access.

Furthermore, they weren’t able to regain access to the mailbox through human intervention because the telephone helpdesk (‘helpdesk’ only by name, in practice you are not helped) only refers you to a web page with a procedure that brings you full circle to the same faulty algorithm for regaining access.

In my view, this incident contains a number of clear GDPR non-conformities, such as:

  • Data subjects cannot access their own data;
  • No possibility of human intervention to bypass an algorithm;
  • No possibility of data portability to another mailbox;
  • No possibility to delete mailbox data if a user is required to create a new account.

In summary, this makes Microsoft non-compliant with the GDPR…

What skills should Data Protection Officers have?

Willem De Beuckelaere, the President of the Belgian Privacy Commission, gave the closing remarks yesterday (26/04/18) at the Cyber Security Coalition’s event in Brussels.

An element of uncertainty in the data privacy industry is the GDPR’s requirement for certain organisations to appoint a DPO. The IAPP has predicted that the world needs 75,000 Data Protection Officers but given the general lack of cyber security skills on the labour market, it’s not clear where these people will come from.

De Beuckelaere highlighted the role’s importance for organisations seeking to achieve GDPR compliance: “The most important tool will be the human tool: the Data Protection Officer. We know today that we need transparency with communication and technology; a legal perspective alone is not enough for compliance in a multidisciplinary world. The person performing the role should be a multidisciplinary expert. I am a lawyer, so I will not do a Shakespeare and say let’s kill all the lawyers, but lawyers should be prepared to step aside and assign duties to communications experts and IT teams”.

De Beuckelaere’s forthright declaration certainly stirred the attention of the audience. His statement was a strong put down for legal professionals selling themselves as omnipotent GDPR authorities.

I asked how he saw this playing out in practice: “What skills should the DPO have? If it shouldn’t be a lawyer, how do you stop lawyers from cannibalizing the profession?”

He responded: “It’s impossible for one person to have all the relevant knowledge necessary to perform the role, what you need is someone who can connect them. I divide the skills into four quadrants: IT, Legal, Internal Communications (project management) and Communications (customer service/public relations). Good ethics are also vital: the DPO needs to be a highly ethical person. Another added bonus is to have someone who understands how the organisation works. I suggest that companies look after their people!” De Beuckelaere later added that he probably should have added another role the DPO needs to take on: that of diplomat!

A follow-up question came from the audience: “So should the DPO be a restricted profession?”

De Beuckelaere: “I don’t know. It’s a very difficult position, hopefully the jurisprudence will give us some guidance. But DPOs should certainly be protected in order to do their jobs”.

So should lawyers really be cut out of the picture? Not entirely, the GDPR is clear that DPOs should have expert knowledge of data protection law, and there are elements of compliance that are impossible without legal expertise. De Beuckelaere’s remarks were presumably intended to encourage organisations into taking a more holistic approach to compliance, rather than hoping the legal department or some magic tool could make it all go away.

New GDPR standard as forerunner for GDPR ISO standardisation

(This article is also available in Dutch.)

Many organizations would like to obtain a certificate in order to objectively demonstrate GDPR compliance towards the market.
The General Data Protection Regulation (GDPR) mentions in article 42 that the creation and usage of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with GDPR, will be promoted. However, until recently there were no widely accepted certification standards available within the Benelux.

Therefore, lots of organizations are trying to obtain the ISO27001:2013 certificate, as it is promoted by data protection authorities as a good way to objectively demonstrate that personal data is adequately protected. However, ISO27001 covers only one of the GDPR principles, the principle of confidentiality, and cannot be used to demonstrate full GDPR compliance.

Recently, BrandCompliance, one of our partners, has created a new standard (BC5701:2018) based on the GDPR. This standard facilitates the implementation of a privacy management system, which is the base to demonstrate GDPR compliance.

This standard uses a similar structure as the ISO standards and therefore can be easily combined with other standards such as ISO27001 to implement an integrated privacy and information security management system.

This BC5701:2018 standard will be proposed as the basis for the creation of an internationally harmonized GDPR standard which can be used by organizations such as NBN and NEN, the Belgian and Dutch certification institutes, and which would allow organizations to obtain a market recognized certification.

The cross table below (in Dutch) shows how GDPR requirements are integrated within the BC5701:2018 chapters. The entire cross table can be found within the BC5701:2018 standard.

Toreon will be one of the first companies to adopt this standard within the Belgian market in order to aid organizations in their quest to become demonstrably compliant with the GDPR.

To be clear, the implementation of a privacy management system based upon BC5701:2018 is not a legal requirement, but it does position your company as a privacy pioneer within your industry, allowing you to leverage compliance as a competitive advantage.

Purchase and download the standard.

For implementation advice, please reach out to or call us at +32 33 69 33 96.

GDPR: adequate security measures and awareness

The GDPR requires that both controllers and processors implement adequate security measures in order to protect the processed personal data. The word ‘adequate’ seems vague and open to interpretation to most.

For security experts, however, it is clear that ‘adequate measures’ means that risk based security control measures should be implemented. These have to be based on internationally recognised security standards, such as ISO2700x, NIST and ISF. These standards provide enough guidelines for security experts to objectively implement an Information Security Management System (ISMS) within organisations. A well implemented ISMS contains a sustained improvement cycle which allows for continuous progress of security controls that keep providing the necessary adequate protection of personal data when the security landscape changes.

And it will change over time…

The GDPR is even more vague when it comes to awareness requirements for controllers and processors. The GDPR only mentions – in article 39 on the tasks of the Data Protection Officer – that the DPO has the task of raising privacy awareness and training staff.
I would argue that this means that the DPO must ensure sufficient privacy and information security awareness, which is a basic requirement in every ISMS, as one cannot guarantee adequate security without adequate awareness.
Adequate awareness means that at least every department of an organisation has the necessary information on the privacy legislation and information security aspects relevant to their function in order to prevent and/or detect unauthorised data processing activities or data breaches. The required privacy and information security knowledge depends on the operational activities of the different organisational departments and roles.

In my next blog, I will give some tips for reaching awareness compliance.


Embedding GDPR in the secure development lifecycle (SDLC)

Did you know that the GDPR and SDLC reinforce each other and that the GDPR can be used as the ideal business case to start with SDLC? Siebe and I explained how and why during the OWASP AppSec Europe conference in Belfast. Couldn’t attend? You can find the presentation in our previous blog, or begin by reading the introduction below.

We all know that in less than a year the GDPR (General Data Protection Regulation) enters into force to unify the privacy legislation within Europe and the UK and improve the protection of personal data and data subject rights. And I don’t need to tell you that the secure development lifecycle (SDLC) method is the go-to methodology when planning for, designing, building, testing and delivering information systems. But if you play it smart, you can improve your SDLC by including GDPR activities and use SDLC artifacts to demonstrate compliance with GDPR.

A lot of articles in the GDPR specifically refer to security. Article 25 for instance, on privacy by design & default, article 32 on Security of Processing and article 35 on DPIAs all specifically mention the security levels and assessments that should be considered. The most efficient way to comply with these GDPR security requirements when developing (new) applications is by integrating them into your Secure Development Lifecycle.

You can find more information on the OWASP Software Assurance Maturity Model (SAMM) and how it can be integrated into any existing SDLC here. For now, it suffices if you know that OpenSAMM is defined in different levels.

  • At the highest level it is divided into four tasks or concerns to consider while developing or using software. They align well with a typical organisational structure, and this is how software security typically ties into an organisation.
  • At a lower level, several security practices are defined that should be considered for improving software security.
  • At the lowest level, every security practice consists of a set of activities, ordered in maturity levels or objectives.

The GDPR articles related to security fall perfectly into these activities. Just check out this table:

[Table: SAMM domains mapped to GDPR articles]

So, when you divide for example the GDPR requirements on Policy & Compliance into three objective levels, this is the result:

[Table: Policy & Compliance objective levels]

More examples and details can be found in the presentation in our previous blog. Or get in touch!


7 ways to create trust by implementing the GDPR

The GDPR brings many challenges, but it is also an opportunity to create and leverage customer trust. When people trust a brand, they are more likely to recommend it and are even willing to pay more for its products or services, studies show. This is especially true in data-driven industries. So when companies whose main competitive advantage is customer data gain a track record of being trustworthy, they will outperform their competitors.

But how can we create trust when it comes to processing personal data? These seven principles are all required by the GDPR. But if handled well, they can be used to boost customer trust in your business significantly.

  1. Ask for permission, not for forgiveness
    You should always ask permission for the collection of all types of personal data and explain the purposes of data processing. This also means that covert methods for obtaining personal data (such as cookies) should be avoided without informing and getting approval from your customers first. Be clear about the data you collect and how it is treated and stick to your own rules!
  2. Limit yourself
    Do not ask customers for more information than necessary. Requesting unnecessary information is often seen as a red flag. Buying customer data also negatively affects trust and should be avoided.
  3. Deliver value in exchange for personal data
    If you are able to show your users that by sharing their data, their experience improves, they will be willing to provide their information more easily. Make sure this is a fair trade.
  4. Give customers control
    The best way to build trust is by giving people direct control over their information. You can achieve this by providing a platform on which your customers can easily rectify and delete their personal data and manage their privacy settings. Or at the least you should provide customer centric processes that make it easy for customers to execute their rights.
  5. Adequately protect
    Consumers will never be able to trust you with their data if you cannot prove that their data is secure. So it is of the utmost importance to implement a security management system within your organisation. Obtaining security certificates (such as ISO27001:2013) is a good way to show that information security best practices are implemented within your organisation.
  6. Be honest
    Your incident response plan should incorporate an incident communication strategy that informs affected people and data protection authorities correctly. Withholding information or trying to cover up incidents will have long-lasting negative consequences for your company. Handling a breach well and communicating effectively can show maturity and responsibility, especially if you can show that the breach happened despite strong security measures.
  7. Educate your customers
    Users can’t trust you if they don’t know what you are doing. To maximise the trust gained from your implemented control measures, inform users about your personal data practices through infotainment advertisements. Companies that think it’s sufficient to simply provide disclosures in an end-user licensing agreement or present the terms and conditions of data use at sign-up are missing an opportunity. They may be addressing regulatory requirements, but they are doing little if anything to educate consumers and build trust.

These seven principles can never be obtained & maintained within an organisation without the implementation of an eighth principle: Governance. Governance is the principle that rules the other principles. It can be explained as the implementation of a set of rules and control measures through technological solutions, roles, policies and processes. This leads to the establishment of a privacy management system within your organisation which allows you to monitor and manage the effectiveness of the other implemented principles. If you communicate effectively and in simple terms about your measures, this will convince your customers that you care and that their data is in good hands.

Toreon partners up with Nymity for GDPR compliance

We’ve signed an agreement with Canadian firm Nymity Inc., the global privacy research company, which allows us the use of their specialised privacy management platform. Consequently, we will be able to even better support the delivery of implementation services to comply with the EU’s General Data Protection Regulation (GDPR), which comes into force in May 2018.

What is the GDPR?

Of course you know what the GDPR is and you are almost completely compliant, but just in case you don’t/aren’t: the GDPR will replace the Data Protection Directive 95/46/EC. Its aim is to harmonise the current data protection laws across all EU member states. It gives citizens back control over their personal data, but it’s also a much-needed update as it will simplify data protection routines for businesses operating in the EU.

Many companies have already adopted several privacy processes and procedures in alignment with the Data Protection Directive. However, the GDPR contains a number of new protections for EU data citizens. Moreover, there will be significant fines and penalties for non-compliant data controllers and processors.

The route to compliance

Information security and data protection are indispensable to live and work with trust in our digital society. Companies need to reinforce the mechanisms they have designed to protect personal data as a result of many regulations in the world. From the GDPR compliance perspective, there will be three types of companies: the non-compliant, the compliant and the ones that can demonstrate compliance. Ideally, your company becomes type 3.

New privacy service

Since Nymity offers information on the regulations all over the world, we are happy that we can share the knowledge of their analysts with our customers. Moreover, we will use the Nymity Attestor™ platform as a dashboard to help us help you become a type 3 company.

Are you ready to show your compliance to GDPR? Or could you use a hand?