EU GDPR & ISO 27001 Integrated Documentation Toolkit


List of documents for EU GDPR & ISO 27001 Integrated Documentation Toolkit
ver 1.0 from 2017-11-20

Note: The documentation should preferably be implemented in the order in which it is listed here. The order of implementation of documentation related to folder 11 (Security Controls) is defined in the Risk Treatment Plan.

Please note that some documents in this Toolkit are not mandatory – depending on the size and complexity of your company, you can choose whether to implement them or not.

The original table has the columns No., Document code, Document name, Relevant articles in GDPR / clauses in ISO 27001, Mandatory according to GDPR, and Mandatory according to ISO 27001. The list below keeps the document names in table order, grouped by folder, with the document code where it is legible and the relevant articles / clauses after the colon. The marks in the two "Mandatory according to" columns did not survive transcription; only the footnote markers (* and **) attached to individual entries remain.

Document Management
  - Procedure for Document and Record Control: ISO/IEC 27001 clause 7.5

Preparations for the Project
  - EU GDPR Readiness Assessment
  - Project Plan for Complying with the EU GDPR and ISO 27001

Identification of Requirements
  - Procedure for Identification of Requirements: ISO/IEC 27001 4.2 and A.18.1.1
  - Appendix – List of Legal, Regulatory, Contractual and Other Requirements: ISO/IEC 27001 4.2 and A.18.1.1*

ISMS Scope
  - ISMS Scope Document: ISO/IEC 27001 4.3

General Policies
  - 04.1 Information Security Policy: ISO/IEC 27001 5.2 and 5.3
  - 04.2 Personal Data Protection Policy: GDPR Article 24(2)
  - 04.3 Employee Personal Data Protection Policy: GDPR Article 24(2)
  - 04.4 Privacy Notice: GDPR Articles 12, 13 and 14
  - 04.5 Register of Privacy Notices: GDPR Articles 12, 13 and 14
  - 04.6 Data Retention Policy: GDPR Articles 5(1)(e), 13(1), 17, 30
  - Appendix – Data Retention Schedule: GDPR Article 30

Data Protection Officer
  - Data Protection Officer Job Description: GDPR Articles 37, 38, 39**

Mapping of Processing Activities
  - Guidelines for Data Inventory and Processing Activities Mapping: GDPR Article 30
  - Appendix – Inventory of Processing Activities: GDPR Article 30

Managing Data Subject Rights
  - Data Subject Consent Form: GDPR Articles 6(1)(a), 7(1), 9(2)
  - Data Subject Consent Withdrawal Form: GDPR Article 7(3)
  - Parental Consent Form: GDPR Article 8
  - Parental Consent Withdrawal Form: GDPR Article 8
  - Data Subject Access Request Procedure: GDPR Articles 7(3), 15, 16, 17, 18, 20, 21, 22
  - Data Subject Access Request Form: GDPR Article 15
  - Data Subject Disclosure Form: GDPR Article 15

Risk Assessment and Risk Treatment
  - Risk Assessment and Risk Treatment Methodology: ISO/IEC 27001 6.1.2, 6.1.3, 8.2, and 8.3
  - Appendix 1 – Risk Assessment Table: ISO/IEC 27001 6.1.2 and 8.2
  - Appendix 2 – Risk Treatment Table: ISO/IEC 27001 6.1.3 and 8.3
  - Appendix 3 – Risk Assessment and Treatment Report: ISO/IEC 27001 8.2 and 8.3

Data Protection Impact Assessment
  - Data Protection Impact Assessment Methodology: GDPR Article 35
  - DPIA Register: GDPR Article 35

Applicability of Controls (09)
  - Statement of Applicability: ISO/IEC 27001 6.1.3 d)

Implementation Plan (10)
  - Risk Treatment Plan: ISO/IEC 27001 6.1.3, 6.2 and 8.3

Security Controls (11)
  - A.6.1 Bring Your Own Device (BYOD) Policy: ISO/IEC 27001 A.6.2.1, A.6.2.2, A.13.2.1; GDPR Article 32
  - A.6.2 Mobile Device and Teleworking Policy: ISO/IEC 27001 A.6.2, A.11.2.6; GDPR Article 32
  - A.7.1 Confidentiality Statement: ISO/IEC 27001 A.7.1.2, A.13.2.4, A.15.1.2
  - A.7.2 Statement of Acceptance of ISMS Documents: ISO/IEC 27001 A.7.1.2
  - A.8.1 Inventory of Assets: ISO/IEC 27001 A.8.1.1, A.8.1.2
  - A.8.2 IT Security Policy: ISO/IEC 27001 A.6.2.1, A.6.2.2, A.8.1.2, A.8.1.3, A.8.1.4, A.9.3.1, A.11.2.5, A.11.2.6, A.11.2.8, A.11.2.9, A.12.2.1, A.12.3.1, A.12.5.1, A.12.6.2, A.13.2.3, A.18.1.2; GDPR Article 32
  - A.8.3 Information Classification Policy: ISO/IEC 27001 A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.4.1, A.13.2.3; GDPR Article 32
  - A.9.1 Access Control Policy: ISO/IEC 27001 A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.5, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.3; GDPR Article 32
  - A.9.2 Password Policy (note: it can be implemented as part of the Access Control Policy): ISO/IEC 27001 A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1, A.9.4.3; GDPR Article 32
  - A.10.1 Policy on the Use of Encryption Controls: ISO/IEC 27001 A.10.1.1, A.10.1.2, A.18.1.3, A.18.1.5; GDPR Article 32
  - A.10.2 Anonymization and Pseudonymization Policy: ISO/IEC 27001 A.10.1.1, A.18.1.3, A.18.1.5; GDPR Article 32
  - A.11.1 Clear Desk and Clear Screen Policy (note: it can be implemented as part of IT Security Policy): ISO/IEC 27001 A.11.2.8, A.11.2.9; GDPR Article 32
  - A.11.2 Disposal and Destruction Policy (note: it can be implemented as part of Security Procedures for IT Department): ISO/IEC 27001 A.8.3.2, A.11.2.7; GDPR Article 32
  - A.11.3 Procedures for Working in Secure Areas: ISO/IEC 27001 A.11.1.5; GDPR Article 32
  - A.12.1 Security Procedures for IT Department: ISO/IEC 27001 A.8.3.2, A.11.2.7, A.12.1.1, A.12.1.2, A.12.3.1, A.12.4.1, A.12.4.3, A.13.1.1, A.13.1.2, A.14.2.4; GDPR Article 32*
  - A.12.2 Change Management Policy (note: it can be implemented as part of Security Procedures for IT Department): ISO/IEC 27001 A.12.1.2, A.14.2.4; GDPR Article 32
  - A.12.3 Backup Policy (note: it can be implemented as part of Security Procedures for IT Department): ISO/IEC 27001 A.12.3.1
  - A.13 Cross Border Personal Data Transfer Procedure: ISO/IEC 27001 A.13.2.1, A.13.2.2; GDPR Articles 1(3), 44, 45, 46, 47, 49
  - A.13.1 Annex 1 – Standard Contractual Clauses for the Transfer of Personal Data to Controllers: ISO/IEC 27001 13.2.2; GDPR Article 46(5)*
  - A.13.2 Annex 2 – Standard Contractual Clauses for the Transfer of Personal Data to Processors: ISO/IEC 27001 13.2.2; GDPR Article 46(5)*
  - A.14 Secure Development Policy: ISO/IEC 27001 A.14.1.2, A.14.1.3, A.14.2.1, A.14.2.2, A.14.2.5, A.14.2.6, A.14.2.7, A.14.2.8, A.14.2.9, A.14.3.1; GDPR Article 32
  - A.14.1 Appendix – Specification of Information System Requirements: ISO/IEC 27001 A.14.1.1; GDPR Article 32
  - A.15 Supplier Security Policy: ISO/IEC 27001 A.7.1.1, A.7.1.2, A.7.2.2, A.8.1.4, A.14.2.7, A.15.1.1, A.15.1.2, A.15.1.3, A.15.2.1, A.15.2.2; GDPR Articles 28, 32
  - A.15.1 Processor GDPR Compliance Questionnaire: ISO/IEC 27001 A.7.1.1; GDPR Articles 28, 32
  - A.15.2 Supplier Data Processing Agreement: ISO/IEC 27001 A.7.1.2, A.15.1.2, A.15.1.3; GDPR Articles 28, 32, 82
  - A.15.3 Security Clauses for Suppliers and Partners: ISO/IEC 27001 A.7.1.2, A.14.2.7, A.15.1.2, A.15.1.3
  - A.16 Data Breach Response and Notification Procedure: ISO/IEC 27001 A.7.2.3, A.16.1.1, A.6.1.2, A.16.1.3, A.16.1.4, A.16.1.5, A.16.1.6, A.16.1.7; GDPR Articles 4(12), 33, 34
  - A.16.1 Data Breach Register: ISO/IEC 27001 A.16.1.6; GDPR Article 33(5)
  - A.16.2 Data Breach Notification Form to the Supervisory Authority: ISO/IEC 27001 7.4, A.16.1.5; GDPR Article 33
  - A.16.3 Data Breach Notification Form to Data Subjects: ISO/IEC 27001 7.4, A.16.1.5; GDPR Article 34
  - A.17 Disaster Recovery Plan: ISO/IEC 27001 A.17.1.2; GDPR Article 32

Training & Awareness (12)
  - Training and Awareness Plan: ISO/IEC 27001 clauses 7.2, 7.3; GDPR Article 39(1)

Internal Audit (13)
  - Internal Audit Procedure: ISO/IEC 27001 clause 9.2; GDPR Article 32
  - 13.1 Appendix 1 – Annual Internal Audit Program: ISO/IEC 27001 clause 9.2; GDPR Article 32
  - 13.2 Appendix 2 – Internal Audit Report: ISO/IEC 27001 clause 9.2; GDPR Article 32
  - 13.3 Appendix 3 – Internal Audit Checklist: ISO/IEC 27001 clause 9.2; GDPR Article 32

Management Review (14)
  - 14.1 Measurement Report: ISO/IEC 27001 clauses 6.2, 9.1
  - 14.2 Management Review Minutes: ISO/IEC 27001 clause 9.3

Corrective Actions (15)
  - Procedure for Corrective Action: ISO/IEC 27001 clause 10.1
  - 15.1 Appendix – Corrective Action Form: ISO/IEC 27001 clause 10.1

* The listed documents are only mandatory if the corresponding controls are identified as applicable in the Statement of Applicability.

** This document is mandatory if (a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; or (b) the core activities of the legal entity consist of processing operations which, by their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or (c) the core activities of the legal entity consist of processing on a large scale of special categories of data pursuant to Article 9 of the EU GDPR and personal data relating to criminal convictions and offences referred to in Article 10 of the EU GDPR.

