InfoSec Compliance & AI Governance
For over 20 years, DISC InfoSec has been a trusted voice for cybersecurity professionals—sharing practical insights, compliance strategies, and AI governance guidance to help you stay informed, connected, and secure in a rapidly evolving landscape.
How to Build a Master Questionnaire as Your Single Source of Truth for ISO 27001, ISO 42001, NIST 800-53, and GDPR
I want to tell you about a problem that is quietly draining compliance teams at SaaS companies right now — and a structural fix that changed how we think about audits entirely.
Here is the situation most security and compliance leaders find themselves in. You hold ISO 27001 certification. Your enterprise customers require NIST 800-53 Rev 5 verification. GDPR applies because you handle European personal data. And now, with AI baked into your product, ISO 42001 is on the table too. Four frameworks. Four sets of controls. Four different auditors asking different versions of the same fundamental questions.
The instinctive response is to build four compliance programs — one for each standard. Four spreadsheets, four evidence libraries, four cycles of internal prep, four rounds of answering the same question about your access control policy worded slightly differently each time.
We did this at client. It was expensive, repetitive, and structurally fragile. Every time a policy changed, we had to update it in four places. Evidence collected for one audit sat invisible to the others. The left hand genuinely did not know what the right hand was doing.
Then we asked a different question: What if there was only one audit?
The Insight That Changes Everything
Across ISO 27001:2022, ISO 42001:2023, NIST SP 800-53 Rev 5, and GDPR, the vast majority of what auditors actually want to know falls into the same 18 operational domains: governance, risk management, access control, data protection, cryptography, incident response, business continuity, supplier management, secure development, and so on.
The standards differ in language, structure, and emphasis. But the underlying security and privacy reality they are probing — your policies, your controls, your evidence — is the same reality. An ISO 27001 auditor asking about your access control policy (A.5.15) and a NIST assessor asking about AC-1 are fundamentally asking the same organization the same question. Your Access Control Policy v1.3 answers both of them.
This is the foundation of the Master Questionnaire approach: write the question once, map the answer to every standard it satisfies simultaneously.
Why Most Multi-Standard Programs Fail Structurally
Before describing what to build, it is worth being precise about why the typical approach breaks down. The problem is not effort or intention — compliance teams work hard. The problem is architecture.
Most organizations build what I call parallel catalogs: one spreadsheet or GRC module per standard, each with its own question set, its own evidence columns, its own status tracking. When the ISO 27001 auditor asks about incident response and the GDPR auditor asks about breach notification, they get two separate answers pointing to the same IR Procedure — but there is no structural connection between them. If you update the procedure, you have to remember to update both rows in both sheets. You usually do not. Inconsistencies accumulate. Auditors notice.
The second failure is ID scheme collision. This sounds technical but it matters enormously in practice. If your internal questionnaire uses “IR-01” for your Incident Response domain questions and NIST SP 800-53 uses “IR-1” for the same family, you end up with ID conflicts that make cross-referencing impossible. You cannot write a formula or filter that reliably maps one to the other. We ran into exactly this problem in our own workbook, discovering 173 NIST Moderate baseline controls that existed only in a standalone NIST catalog with no connection whatsoever to the master question set.
The third failure is scope mismatch. NIST SP 800-53 Rev 5 Moderate baseline has approximately 235 distinct controls across 20 families when enhancements are included. ISO 27001:2022 has 93 Annex A controls. ISO 42001:2023 has 38 AI-specific controls. GDPR has 99 Articles. Organizations routinely under-scope their questionnaires, sampling 26 or 30 NIST controls and calling it “covered.” A real Moderate baseline assessment covers every control — AC-1 through SR-12, including every enhancement number that the baseline requires.
The Architecture of a Single Source of Truth
Here is how to build it correctly.
Start with 18 operational domains, not four standards.
The domains should reflect how your organization actually operates: Governance & Policies, Scope & Context, Risk Management, Access Control & Identity, Data Protection & Privacy, Cryptography & Key Management, Network & Infrastructure Security, Secure Development, Incident Response, Business Continuity, Supplier & Third-Party Management, Physical & Environmental Security, Human Resources Security, Audit Logging & Monitoring, Configuration & Change Management, AI Governance, Compliance & Internal Audit, and Cross-Border Data Transfers.
Every question you write lives in one of these domains. The domain structure is standard-agnostic — it reflects your operational reality, not any single framework’s chapter structure.
Write questions that satisfy multiple standards simultaneously.
Take access control as an example. Rather than writing four separate questions — one citing ISO 27001 A.5.16, one citing NIST AC-2, one citing GDPR Art. 32, one citing ISO 42001 A.6.2.2 — you write one question: “Describe the complete joiner-mover-leaver process. How are accounts created, modified, and deactivated? What is the maximum time to deprovision a terminated user?”
This single question satisfies ISO 27001:2022 A.5.16 and A.5.18, NIST SP 800-53 Rev 5 AC-2, AC-2(1), AC-2(3), and AC-2(5), and GDPR Art. 32. One answer. Four standards. That is not a shortcut — that is what a mature account management process actually looks like when described completely.
Use a collision-free ID scheme from the start.
This is a technical detail that pays significant dividends. Cross-standard questions should use domain-based prefixes that do not clash with any standard’s own naming: G- for Governance, A- for Access Control, INC- for Incident Response (not IR-, which collides with the NIST IR family), BCP- for Business Continuity, CFG- for Configuration Management (not CM-, which collides with NIST CM), CRY- for Cryptography, and so on.
NIST-specific questions — those covering Moderate baseline controls not addressed by any cross-standard question — should use a clearly distinct scheme: NIST-{family}-{sequence}, for example NIST-AC-07 for AC-7, NIST-PE-04 for PE-13. This makes the source of every question unambiguous and allows you to filter programmatically by standard without collision.
The Master tab is the only place answers live.
Every auditor view — ISO 27001 tab, ISO 42001 tab, NIST tab, GDPR tab — is a filtered subset of the Master, not an independent document. When the answer to a question changes, you update it once in the Master. The filter propagates to all auditor views automatically. If you find yourself maintaining two versions of an answer, your architecture has a flaw.
Add a Question Source column.
This single column distinguishes between cross-standard questions (one question, many standards) and NIST-specific questions (one control, one question). It tells any auditor looking at the sheet exactly what they are looking at and why the question exists. It also tells your team where to invest effort — cross-standard questions with a “★ Shared” marker satisfy three or more frameworks simultaneously and should be answered first.
What the Numbers Look Like in Practice
When we implemented this at client, the numbers clarified the approach nicely.
We ended up with 213 total questions in the Master: 104 cross-standard questions covering all 18 operational domains, and 109 NIST-specific questions covering NIST Moderate baseline controls that needed dedicated coverage. The NIST auditor view contains 212 questions — covering 235 distinct NIST controls — all filtered directly from the Master. The ISO 27001 view contains 209 questions. The GDPR view contains 206. The ISO 42001 view contains 138, reflecting that ISO 42001’s scope is intentionally narrower.
Of the 213 total questions, 56 are marked as shared controls — meaning a single answer to that question satisfies three or more standards simultaneously. These 56 questions are the highest-leverage evidence collection effort in your entire audit programme. Answer them well and you have satisfied the core control requirements of all four frameworks for the most critical domains: risk management, access control, encryption, incident response, supplier management, data protection, logging, and business continuity.
Before this restructure, we had a v3 workbook with 104 questions in the Master and 187 in a standalone NIST tab with zero structural connection between them. The root cause was that the NIST tab had been built as a separate catalog with NIST family-based IDs that clashed with our domain IDs, making cross-referencing impossible. This is a common mistake and worth naming explicitly: a NIST tab that cannot be proven to be a filtered view of the Master is not a single source of truth — it is a second source of truth, which is the same as no single source of truth at all.
The Columns That Make It Work
A Master Questionnaire has a specific anatomy. Every row needs:
Q-ID — unique, collision-free identifier following your scheme.
Domain — the operational domain, not the standard’s chapter.
Audit Question — written to satisfy all applicable standards simultaneously, framed around your actual controls and evidence.
Audit Type — Document Review, Technical Review, Interview, Sample, or combinations. This tells both your team and the auditor what kind of evidence the question expects.
ISO 27001:2022 reference — official Annex A control IDs (A.5.1 through A.8.34) and Clause references (Cl.4 through Cl.10). Not approximated — exact.
ISO 42001:2023 reference — official Annex A control IDs (A.2.2 through A.10.4) and Clause references. ISO 42001 Annex A objectives (A.x.1 entries) are not controls — the controls begin at A.x.2. This distinction matters when an ISO 42001 auditor checks your SoA.
NIST SP 800-53 Rev 5 reference — official control IDs with enhancement numbers. AC-2(1) is a different control from AC-2. A Moderate baseline assessment distinguishes between them. If your questionnaire collapses AC-2 and all its enhancements into a single cell without specifying which enhancements apply, your NIST assessor will push back.
GDPR reference — specific Article numbers at sub-article precision. Art. 5(1)(c) is different from Art. 5(1)(e). Art. 28(3) specifies the mandatory clauses in a DPA. Approximated references like “Art. 32 generally” are insufficient for a DPO-level review.
Answer column — blank, awaiting your response. This is the most important column in the workbook. It is where your security reality meets the standards’ requirements.
Status — a dropdown: Implemented, Partial, Not Implemented, N/A, Not Tested. The Partial status is particularly important — it tells auditors and management exactly where gaps exist without overstating or understating compliance.
Evidence / Document Reference — the policy name, version, section, screenshot, log excerpt, or configuration that proves the answer. This column is pre-filled with hints when you build the questionnaire (e.g., “Access Control Policy v1.3; 90-day review evidence; LastPass configuration”) and updated with actual references during audit preparation.
Question Owner — the individual responsible for providing the answer and evidence. Compliance does not happen in a CISO’s office alone. Owners span IT, HR, Legal, DevOps, the AI Officer, and the DPO.
Auditor Notes — reserved for the auditor. Your team does not pre-fill this column. It is the auditor’s workspace during the actual audit session.
Shared Control flag — a star marker for questions satisfying three or more standards. Your audit preparation team should complete all starred questions first. They represent the core of your compliance posture across every framework.
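As an added illustration (not the article's workbook or any vendor's tool), the following Python models the Master described in the architecture and column sections above: collision-free Q-ID validation, official-ID checks on the reference columns, auditor views that are filters over the Master's own rows, and the shared-control flag. The sample rows and their control references are constructed for illustration; the NIST_FAMILIES set is the standard Rev 5 family list.

```python
import re
from dataclasses import dataclass

# The 20 NIST SP 800-53 Rev 5 families (AC..SR): no cross-standard prefix may reuse one.
NIST_FAMILIES = frozenset("AC AT AU CA CM CP IA IR MA MP PE PL PM PS PT RA SA SC SI SR".split())
STANDARDS = ("iso27001", "iso42001", "nist", "gdpr")
STATUSES = frozenset({"Implemented", "Partial", "Not Implemented", "N/A", "Not Tested"})
_CROSS_ID = re.compile(r"^([A-Z]{1,4})-\d{2}$")        # A-02, INC-01, AIX-09
_NIST_ID = re.compile(r"^NIST-([A-Z]{2})-\d{2}$")      # NIST-AC-07 (covers AC-7)
_NIST_REF = re.compile(r"^([A-Z]{2})-\d+(\(\d+\))?$")  # AC-2 and AC-2(1) are distinct controls
_ISO42001_OBJECTIVE = re.compile(r"^A\.\d+\.1$")       # A.x.1 entries are objectives, not controls

def validate_qid(qid):
    """Return None if qid follows the collision-free scheme, else an error string."""
    m = _NIST_ID.match(qid)
    if m:
        return None if m.group(1) in NIST_FAMILIES else f"{qid}: unknown NIST family"
    m = _CROSS_ID.match(qid)
    if not m:
        return f"{qid}: expected PREFIX-NN or NIST-FF-NN"
    if m.group(1) in NIST_FAMILIES:
        return f"{qid}: prefix {m.group(1)}- collides with the NIST {m.group(1)} family"
    return None

@dataclass
class Question:
    """One row of the Master. Reference columns hold official control IDs only."""
    qid: str
    domain: str
    text: str
    audit_type: str = "Document Review"
    iso27001: tuple = ()
    iso42001: tuple = ()
    nist: tuple = ()
    gdpr: tuple = ()
    answer: str = ""
    status: str = "Not Tested"
    evidence: str = ""
    owner: str = ""
    auditor_notes: str = ""   # the auditor's workspace; never pre-filled

    @property
    def shared(self):         # the star flag: one answer satisfies three or more standards
        return sum(1 for s in STANDARDS if getattr(self, s)) >= 3

    @property
    def source(self):         # the Question Source column
        return "NIST-specific" if self.qid.startswith("NIST-") else "Cross-standard"

    def check_references(self):
        """Reject approximated or mis-scoped references before the row enters the Master."""
        for ref in self.nist:
            m = _NIST_REF.match(ref)
            if not m or m.group(1) not in NIST_FAMILIES:
                raise ValueError(f"{self.qid}: {ref!r} is not an official NIST control ID")
        for ref in self.iso42001:
            if _ISO42001_OBJECTIVE.match(ref):
                raise ValueError(f"{self.qid}: {ref} is an ISO 42001 objective, not a control")

class Master:
    """The only place answers live: views return the same Question objects, never copies."""

    def __init__(self):
        self.rows = {}

    def add(self, q):
        err = validate_qid(q.qid)
        if err or q.qid in self.rows:
            raise ValueError(err or f"duplicate Q-ID {q.qid}")
        q.check_references()
        self.rows[q.qid] = q

    def view(self, standard):
        # An auditor tab: the rows that carry a reference for that standard.
        return [q for q in self.rows.values() if getattr(q, standard)]

    def record_answer(self, qid, answer, status, evidence):
        # Written once here; every view sees it because the views share the object.
        if status not in STATUSES:
            raise ValueError(f"status {status!r} is not in the dropdown")
        q = self.rows[qid]
        q.answer, q.status, q.evidence = answer, status, evidence
        return q

def build_sample_master():
    """Constructed sample rows (not the article's 213-question workbook)."""
    m = Master()
    m.add(Question("A-02", "Access Control & Identity",
                   "Describe the joiner-mover-leaver process and the maximum deprovisioning time.",
                   "Document Review + Sample", iso27001=("A.5.16", "A.5.18"),
                   nist=("AC-2", "AC-2(1)", "AC-2(3)", "AC-2(5)"), gdpr=("Art. 32",), owner="IT"))
    m.add(Question("INC-01", "Incident Response",
                   "Describe the incident response procedure, including breach notification.",
                   "Document Review + Interview", iso27001=("A.5.24", "A.5.26"),
                   iso42001=("A.8.4",), nist=("IR-4", "IR-6"), gdpr=("Art. 33(1)",), owner="CISO"))
    m.add(Question("AIX-01", "AI Governance", "Classify each AI system against the EU AI Act tiers.",
                   iso42001=("A.6.2.2",), gdpr=("Art. 25",), owner="AI Officer"))
    m.add(Question("NIST-AC-07", "Access Control & Identity",
                   "What are the unsuccessful logon attempt lockout thresholds?", "Technical Review",
                   nist=("AC-7",), owner="IT"))
    return m
```

Calling `record_answer` on the Master and then reading any view shows the same object, which is the structural guarantee the article asks for: there is no second copy that can drift.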
The Audit Session Experience
Here is what this looks like in practice when you sit down with an auditor.
Your ISO 27001 auditor receives the ISO 27001 filtered view tab. They see 209 questions, each with official Annex A or Clause references, your pre-populated answer, a status, and an evidence reference. They work through the Auditor Notes column, adding their observations. They do not need to navigate the NIST questions or the AI governance section unless a control overlaps.
Your NIST assessor receives the NIST view tab: 212 questions covering 235 controls across all 20 families from AC through SR. Both cross-standard questions (where your Access Control Policy satisfies AC-1, AC-2, AC-3 simultaneously) and NIST-specific questions (AC-7 lockout thresholds, AC-11 device lock, SC-15 collaborative device controls) are visible, with the Question Source column clearly labeling each type.
Your DPO or privacy auditor receives the GDPR view: 206 questions covering Articles 5 through 83, with cross-references to the ISO 27001 and ISO 42001 controls that satisfy the same requirement. The RoPA question, the DPIA question, the data subject rights process question, the breach notification procedure — all answered once in the Master, surfaced here for the privacy auditor’s review.
What none of these auditors receive is a contradictory answer. Because there is only one answer. There is only one Master.
The AI Governance Layer
ISO 42001:2023 deserves specific attention because it is the newest of the four standards and the one most organizations are building from scratch rather than extending from existing programs.
The standard requires several things that have no direct analog in ISO 27001 or NIST. AI System Impact Assessments (AISIAs) are mandatory for every AI system in scope — a structured analysis of potential impacts on individuals, groups, and society, resulting in a Low, Medium, or High impact classification. This feeds directly into how much human oversight, transparency, and testing is required for each system. Your AI governance questions need to cover this lifecycle: system registration, AISIA, responsible design principles (A.6.1.3), verification and validation testing (A.6.2.4), controlled deployment (A.6.2.5), monitoring (A.8.5), and AI-specific incident management (A.8.4).
The AI data governance controls — A.7.2 through A.7.6 covering data quality, provenance, and preparation — have meaningful overlap with GDPR’s data minimisation (Art. 5(1)(c)), purpose limitation (Art. 5(1)(b)), and privacy by design (Art. 25) requirements. A single well-written question about AI data governance can cover all of these simultaneously, but only if you know both standards well enough to write it that way.
The EU AI Act adds a classification layer that sits above ISO 42001 rather than within it: your AI systems need to be assessed against the Act’s risk tiers (prohibited, high-risk Annex III, limited risk, minimal risk) with resulting compliance obligations. This is an AIX-domain question in the Master with no NIST equivalent — which is fine, because not every question needs to satisfy all four standards. The single source of truth principle does not mean every question covers every standard; it means every answer lives in one place.
Five Principles to Build By
If I were starting this process from scratch at a new organization, I would anchor on five principles from day one.
Official control IDs only. Approximated references create ambiguity that auditors exploit. If your ISO 27001 reference says “A.5 generally” instead of “A.5.15; A.5.16; A.5.18,” a thorough auditor will ask which specific controls you are claiming coverage for and you will have to reconstruct the mapping under pressure. Use the exact IDs from the published standards. ISO 27001:2022 Annex A runs from A.5.1 to A.8.34. NIST 800-53 Rev 5 AC-2(1) is a separate control from AC-2. These distinctions are in the standards for a reason.
Full coverage, not sampling. A Moderate NIST baseline assessment covers approximately 235 controls. An ISO 27001 audit covers all 93 Annex A controls. Sampling — picking representative controls from each family — may satisfy a checkbox exercise but it will not satisfy a thorough assessor and it will not actually tell you where your gaps are. The discipline of building complete coverage is also the discipline of discovering what you do not have implemented yet.
One answer, not four. If you catch yourself writing the same answer in two different tabs, your architecture is broken. Fix the architecture, not the duplicate. The structural constraint — all auditor views are filtered subsets of the Master — should make duplication physically impossible.
Gaps are information, not failure. The Partial and Not Implemented status options are not admissions of guilt — they are the output of an honest audit programme. A questionnaire where everything is marked Implemented before an auditor has looked at it is not a compliance programme; it is a liability. Real compliance posture requires knowing where you stand, including the uncomfortable parts.
The questionnaire is a living document, not a pre-audit scramble. The most valuable thing a Master Questionnaire does is shift compliance from a periodic event to a continuous state. When your IR procedure changes, you update the INC-01 answer. When you onboard a new AI service provider, you update the AIX-09 answer and the SUP-03 answer. The questionnaire should be reviewed quarterly, updated continuously, and owned by named individuals — not assembled in the three weeks before an auditor arrives.
A Note on AI-Assisted Compliance
One of the most significant changes in compliance practice over the last two years is the ability to use AI tools to populate questionnaire answers from an organization’s existing knowledge base — policies, procedures, security documentation, vendor assessments, architecture documents.
This does not replace human judgment. The Answer column in a Master Questionnaire still requires a human to verify accuracy, attach actual evidence references, and set a status they are willing to defend in an audit. But it dramatically compresses the time between “questionnaire template built” and “questionnaire ready for auditor review.”
At ShareVault, where our knowledge base includes our Security Policy, Access Control Policy, AI Management Policy, Incident Response Procedure, Risk Assessment Procedure, Privacy Policy, and Security & Availability documentation, an AI tool can populate an initial draft of most answers from these sources and flag which questions have insufficient documentation to answer — which is itself valuable information.
The key discipline is the same as for all AI-assisted work: the human remains accountable for the output. The AI drafts; the owner reviews, corrects, and signs off. The auditor evaluates the answer, not the method used to produce it.
Where to Start
If you are managing compliance across multiple standards and you recognize the structural problems described here, the path forward is straightforward even if the work is substantial.
Start with a gap analysis of what you currently have. Count your actual questions per standard. Map each one to the official control ID it is claiming to satisfy. Find the NIST families you have not covered at all (typically MA, MP, PE, PL, and SR are the most common gaps). Identify whether your auditor view tabs are provably filtered subsets of a master, or independent catalogs that happen to cover some of the same ground.
Then rebuild the Master with the architecture described above. It takes time to write 213 questions with precise official references. But you write them once. After that, every audit, every evidence collection cycle, and every questionnaire from a customer or prospect draws from the same source.
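An added example, not from the article, of the gap analysis just described: per-family NIST coverage against a baseline list, the controls and families that no question covers, a per-standard question count, and a check that every ID in a standalone tab exists in the Master. The sample Master, baseline and legacy tab are constructed and far smaller than a real Moderate baseline.

```python
import re
from collections import defaultdict

_CONTROL = re.compile(r"^([A-Z]{2})-\d+(?:\(\d+\))?$")   # AC-2, AC-2(1); family is group 1

def family(control_id):
    """Family abbreviation of an official NIST control ID; rejects approximated references."""
    m = _CONTROL.match(control_id)
    if not m:
        raise ValueError(f"{control_id!r} is not an official NIST control ID")
    return m.group(1)

def nist_coverage(master_refs, baseline):
    """master_refs: {Q-ID: [NIST control IDs it claims]}; baseline: control IDs in scope.

    Returns (per_family, uncovered, missing_families, orphans); orphans are IDs the Master
    claims that are not in the baseline (typos or out-of-scope claims worth a second look)."""
    claimed = {ref for refs in master_refs.values() for ref in refs}
    per_family = defaultdict(lambda: {"baseline": 0, "covered": 0})
    for ctrl in baseline:
        fam = family(ctrl)
        per_family[fam]["baseline"] += 1
        per_family[fam]["covered"] += int(ctrl in claimed)
    uncovered = sorted(c for c in baseline if c not in claimed)
    missing_families = sorted(f for f, s in per_family.items() if s["covered"] == 0)
    orphans = sorted(claimed - set(baseline))
    return dict(per_family), uncovered, missing_families, orphans

def questions_per_standard(master):
    """master: {Q-ID: {standard: [refs]}}. Count the questions each auditor tab would show."""
    counts = defaultdict(int)
    for refs in master.values():
        for standard, ids in refs.items():
            if ids:
                counts[standard] += 1
    return dict(counts)

def ids_not_in_master(master_ids, tab_ids):
    """IDs that exist only in a tab: a non-empty result means the tab is a second source of truth."""
    return sorted(set(tab_ids) - set(master_ids))

# Constructed sample: a handful of rows, not a real 235-control baseline or 213-row Master.
SAMPLE_MASTER = {
    "A-02": {"iso27001": ["A.5.16", "A.5.18"], "nist": ["AC-2", "AC-2(1)", "AC-2(3)"], "gdpr": ["Art. 32"]},
    "INC-01": {"iso27001": ["A.5.24"], "iso42001": ["A.8.4"], "nist": ["IR-4", "IR-6"], "gdpr": ["Art. 33(1)"]},
    "NIST-AC-07": {"nist": ["AC-7"]},
    "NIST-PE-04": {"nist": ["PE-13"]},
    "AIX-01": {"iso42001": ["A.6.2.2"], "gdpr": ["Art. 25"]},
}
SAMPLE_BASELINE = ["AC-1", "AC-2", "AC-2(1)", "AC-2(3)", "AC-7", "IR-4", "IR-6",
                   "MA-2", "MP-2", "PE-13", "PL-2", "SR-3"]
# A legacy standalone NIST tab that used colliding IDs (the v3 workbook problem).
SAMPLE_LEGACY_TAB = ["NIST-AC-07", "IR-01", "CM-03"]

def run_sample():
    refs = {qid: cols.get("nist", []) for qid, cols in SAMPLE_MASTER.items()}
    per_family, uncovered, missing, orphans = nist_coverage(refs, SAMPLE_BASELINE)
    return {
        "per_family": per_family,
        "uncovered": uncovered,
        "missing_families": missing,
        "orphans": orphans,
        "per_standard": questions_per_standard(SAMPLE_MASTER),
        "legacy_only": ids_not_in_master(SAMPLE_MASTER, SAMPLE_LEGACY_TAB),
    }

if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

On the sample data the missing families come out as MA, MP, PL and SR, and the legacy tab's IR-01 and CM-03 show up as IDs with no Master row, which is the collision problem the article describes.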
That is the value of a single source of truth. Not that compliance becomes easy — but that every effort you invest in it compounds instead of fragmenting.
The client team holds ISO 27001:2022 certification (SHA-27K-PRI) and ISO 42001:2023 certification (SHA-AIMS-20260129), maintains NIST SP 800-53 Rev 5 Moderate baseline verification, and operates under GDPR as both a data controller and processor for European customers. The Master Audit Questionnaire described in this article was built through iterative refinement of our own internal compliance programme.
Are you planning a career as a DPO (data protection officer)? Our unique combined GDPR (General Data Protection Regulation) and DPO training course is now available in a low-cost self-paced online format.
Work at your own pace with self-paced online training – a more affordable, flexible and less disruptive way to study. Designed by GDPR experts, this course features pre-recorded video modules supported by a learner guide and interactive exercises and tests.
The course includes essential elements of our GDPR / Data Privacy Roles Learning Path, which provides a unique guide to which training courses and qualifications will help you enhance your GDPR or DPO career.
French data protection authority says Google Analytics is in violation of GDPR
The French national data protection authority, CNIL, issued a formal notice to managers of an unnamed local website today arguing that its use of Google Analytics is in violation of the European Union’s General Data Protection Regulation, following a similar decision by Austria last month.
The root of the issue stems from the website’s use of Google Analytics, which functions as a tool for managers to track content performance and page visits. CNIL said the tool’s use and transfer of personal data to the U.S. fails to abide by landmark European regulations because the U.S. was deemed to not have equivalent privacy protections.
European regulators including CNIL have been investigating such complaints over the last two years, following a decision by the EU’s top court that invalidated the U.S.’s “Privacy Shield” agreement on data transfers. NOYB, the European Center for Digital Rights, reported 101 complaints in 27 member states of the EU and 3 states in the European Economic Area against data controllers who conduct the transatlantic transfers.
Privacy Shield, which went into effect in August of 2016, was a “self-certification mechanism for companies established in the United States of America,” according to CNIL.
Originally, the Privacy Shield was considered by the European Commission to be a sufficient safeguard for transferring personal data from European entities to the United States. However, in 2020 the adequacy decision was reversed because the framework no longer met the required standards.
An equivalency test comparing European and U.S. regulations established that the U.S. does not adequately protect the data of non-U.S. citizens. European citizens would remain unaware that their data is being used and how it is being used, and they cannot be compensated for any misuse of that data, CNIL found.
CNIL concluded that Google Analytics does not provide adequate supervision or regulation, and the risks for French users of the tool are too great.
“Indeed, if Google has adopted additional measures to regulate data transfers within the framework of the Google Analytics functionality, these are not sufficient to exclude the possibility of access by American intelligence services to this data,” CNIL said.
The unnamed site manager has been given a month to update its operations to be in compliance with GDPR. If the tool cannot meet regulations, CNIL suggests transitioning away from the current state of Google Analytics and replacing it with a different tool that does not transmit the data.
The privacy watchdog does not call for a ban of Google Analytics, but rather suggests revisions that follow the guidelines. “Concerning the audience measurement and analysis services of a website, the CNIL recommends that these tools be used only to produce anonymous statistical data, thus allowing an exemption from consent if the data controller ensures that there are no illegal transfers,” the watchdog said.
Most management systems, compliance, and certification projects require documented policies, procedures, and work instructions. GDPR compliance is no exception. Documentation of policies and processes are vital to achieve compliance.
ITG GDPR Documentation Toolkit gives you a complete set of easily customizable GDPR-compliant documentation templates to help you demonstrate your compliance with the GDPR’s requirements quickly, easily, and affordably.
“Having recently kicked off a GDPR project with a large international organisation I was tasked with creating their Privacy Compliance Framework. The GDPR toolkit provided by IT Governance proved to be invaluable, providing the project with a well organised framework of template documents covering all elements of the PIMS framework. It covers areas such as Subject Access Request Procedure, Retention of Records Procedure and Data Protection Impact Assessment Procedure, helping you to put in practice policies and procedures to enable the effective management of personal information on individuals. For anyone seeking some support with their GDPR plans the toolkit is well worth consideration.”
Two-thirds of remote workers risk potentially breaching GDPR guidelines by printing out work-related documents at home, according to a new study from Go Shred.
The confidential shredding and records management company discovered that 66% of home workers have printed work-related documents since they began working from home, averaging five documents every week. Such documents include meeting notes/agendas (42%), internal documents including procedure manuals (32%), contracts and commercial documents (30%) and receipts/expense forms (27%).
Furthermore, 20% of home workers admitted to printing confidential employee information including payroll, addresses and medical information, with 13% having printed CVs or application forms.
The issue is that, to comply with the GDPR, all companies that store or process personal information about EU citizens within EU states are required to have an effective, documented, auditable process in place for the collection, storage and destruction of personal information.
However, when asked whether they have disposed of any printed documents since working from home, 24% of respondents said they haven’t disposed of them yet as they plan to take them back to the office and a further 24% said they used a home shredding machine but disposed of the documents in their own waste. This method of disposal is not recommended due to personal waste bins not providing enough security for confidential waste and therefore still leaving employers open to a data breach and potential fines, Go Shred pointed out.
Most concerning of all, 8% of those polled said they have no plans to dispose of the work-related documents they have printed at home, with 7% saying they haven’t done so because they do not know how to.
Here are our five key data privacy trends for this year.
1. There will be more public awareness of privacy rights
This year, we will see growing public awareness of privacy rights. There is a proliferation of information about data breaches, including commentary in the press regarding data breaches and class action suits, such as the one filed against British Airways.
All of this information is helping consumers become more aware of their rights.
Likewise, the collection by major private and public-sector organisations, as well as employers, of location- and health-related data will also drive employee and consumer awareness of data privacy.
The fact that employers must have a lawful reason for processing personal data means that even on the simple interface of employee–employer relationships, there is a growing awareness of individuals’ rights concerning data.
There is also an increased focus on supervisory authority decisions surrounding DSARs (data subject access requests), and the role they play in taking forward an employment law case.
Over the next year or two, DSARs will likely become a standard preliminary step in any employment-related legal action.
2. Brexit will continue to cause headaches
Brexit, of course, is the biggest immediate issue for UK and EU organisations, and they need to understand the relevance of the UK GDPR (General Data Protection Regulation) – which is embedded in the DPA (Data Protection Act) 2018 as a localised version of the EU GDPR.
For example, references to the EU scope have been changed to the UK, and sections that relate to the actions of the EDPB (European Data Protection Board) have been removed, because its decisions are no longer applicable in the UK.
Organisations operating in the UK and the EU are subject to both regulations, and must keep an eye on the differences in the way they are interpreted and how that affects their compliance requirements.
3. We shouldn’t expect an adequacy decision imminently
Another big concern for organisations operating in the UK and the EU is how to transfer personal data between the UK and the EU.
For data to be transferred freely, there needs to be an adequacy decision made by the EU in respect of the UK data protection regime. On the face of it, that should be straightforward, because its rules mirror those of the EU GDPR.
But in practical terms, it’s not quite as straightforward – not least because there’s an intersection between the UK government’s bulk collection of personal data and the restrictions placed on that under the EU GDPR.
Currently, personal data can continue to flow between the EU and the UK for a minimum of four months – until 30 April. If both parties agree, that can be extended for another two months.
In that period, the EU must decide whether to grant an adequacy decision to the UK. If it does, the UK will be adequate in the same way that the Channel Islands are, and personal data will be able to be moved between the EU and the UK freely.
The UK has already granted an adequacy finding in respect of the EU – so that’s not an issue for moving data from the UK to the EU.
4. GDPR enforcement will be more consistent
In the EU, the approach to enforcing the GDPR is continuing to mature. In the 18 months after the Regulation took effect, there wasn’t much in the way of major decisions, but in the past year there has been a growing number of decisions on a wide range of issues.
In some cases, the fines were minuscule, but in others the penalties were large.
It’s clear that supervisory authorities are paying attention to the requirements of the GDPR – not just relating to data breaches but also violations of its data protection requirements.
We can expect to see supervisory authorities act with greater cohesion and make swifter decisions.
Although the UK’s ICO (Information Commissioner’s Office) has no obligation to follow through with decisions made in the EU, it will almost certainly pay attention to what is happening in the EU.
5. Cookie laws will come under greater scrutiny
From the perspective of most marketers and website users, cookies are a pain in the neck, but they are becoming an increasingly important part of data privacy.
So, cookies – and in particular the way organisations gain consent for their use – will become a significant issue in the EU and the UK.
The current rules apply whenever an organisation offers a service to users in the EU, regardless of where the organisation itself is based, so we'll see more websites, wherever they are hosted, displaying prominent banners asking visitors to review and accept their cookie practices.
Likewise, users and regulators will increasingly scrutinise these practices to check whether organisations are obtaining valid consent and therefore meeting their regulatory requirements.
Meet your data privacy requirements with IT Governance
One of our experts will guide you through the privacy and Agile roadmap, helping you understand how to incorporate privacy by design in your products and services.
GDPR compliance got even more complicated this summer when the CJEU (Court of Justice of the European Union) ruled the EU–US Privacy Shield invalid.
Organizations that had relied on the framework for transatlantic data transfers have been scrambling for a solution, with even some multinationals unsure how to proceed.
If you're among those trying to understand how the ruling affects your data transfer processes, then ITGP's updated books can help.
EU General Data Protection Regulation (GDPR) – An implementation and compliance guide
This comprehensive guide covers:
DPO (data protection officer) requirements, including which organizations need a DPO and what DPOs do;
When organizations must conduct DPIAs (data protection impact assessments);
GDPR implementation FAQs;
Guidance on how to create data protection processes that are in line with best practices; and
ISO/IEC 27701 is the international standard that serves as an extension to an ISO 27001/ISO 27002 ISMS (information security management system). It provides guidelines for implementing, maintaining, and continually improving a PIMS (privacy information management system).
Develop a privacy information management system as an extension to your ISO 27001-conformant ISMS with ISO/IEC 27701. Supports GDPR compliance.
Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management (PIMS)
Key features:
* The Standard includes mapping to the GDPR, ISO/IEC 29100, ISO/IEC 27018, and ISO/IEC 29151
* Integrates with other management system standards, including the information security standard, ISO/IEC 27001
* Provides PIMS-specific guidance for ISO/IEC 27002
* Specifies requirements and provides guidance for establishing, implementing, maintaining, and continually improving a PIMS
* Supports compliance with the GDPR and DPA 2018
* Provides guidance for data controllers and processors responsible for processing personal data
ISO 27701 Gap Analysis Tool
Achieve full compliance with ISO 27701:2019
The ISO 27701 Gap Analysis Tool has been created to help organizations identify whether they are meeting the requirements of the Standard and where they are falling short. Note that this tool assumes that you have a complete and functioning ISO 27001:2013 ISMS (information security management system).
It helps organizations prioritise work areas in order to expand an existing ISMS to take account of privacy. It also gives organizations direction, helping project managers identify where to start.
What does the tool do?
Contains a set of sample audit questions
Lists all ISO 27701:2019 requirements, identifying where documentation is mandatory for compliance
Provides a clear, colour-coded report on the state of compliance
The executive summary displays the results of compliance in a clear table so that you can report on your results and measure the closure of gaps.
The tool is designed to work in any Microsoft environment. It does not need to be installed like software, and it does not depend on complex databases; it relies on human involvement.
ISO 27701 The New Privacy Extension for ISO 27001
https://www.youtube.com/watch?v=-NUfTDXlv30
Quick Guide to ISO/IEC 27701 – The Newest Privacy Information Standard
https://www.youtube.com/watch?v=ilw4UmMSlU4
As you might have expected, the GDPR (General Data Protection Regulation) has created a spike in demand for data protection and privacy experts. Organisations are desperate to hire people who can guide them towards regulatory compliance and help them avoid large fines. In this blog, discover what a DPO's tasks are and how to become one.
For many organisations, this isn't just a wish; they are legally required to find such a person and appoint them as a DPO (data protection officer).
The demand for DPOs makes it an ideal job role for those looking to advance their career. You need plenty of experience, as well as demonstrable soft skills, but it provides an opportunity with plenty of room for growth. Let’s take a look at how you can get started.
WHAT A DPO DOES
It's worth summarising exactly what a DPO's tasks are, because you'll see that they are responsible for more than simply reviewing GDPR compliance.
Yes, they are broadly tasked with advising organisations on how to comply with their legal requirements concerning data protection. But that doesn't just include things like monitoring policies and assessing the need for DPIAs (data protection impact assessments).
It also involves helping staff understand their data protection obligations and serving as the point of contact for individuals who approach the organisation with data protection and privacy queries.
This means that DPOs will regularly be discussing the GDPR with people who aren't technically minded. As such, they must have strong communication skills and be capable of explaining complex issues without using jargon.
Skills like that are much harder to teach than the ins and outs of the GDPR, but they can still be learned.
SPECIALIST DPO TRAINING
If you're interested in becoming a DPO, you will benefit massively from taking a training course dedicated to the role. It will help you understand the technical requirements of the GDPR, how they apply to each part of your job role, and give you practical experience of the tasks you're responsible for.
For example, you may understand exactly what's required when performing, say, a DPIA, but you also need to be aware of your boundaries. DPOs must operate independently and without any conflict of interest. Taking too active a role in tasks like this jeopardises your status as an advisor and violates the GDPR's requirements.
Over four days, our expert trainers will help you hone your knowledge of the GDPR and show you how to use that knowledge appropriately while fulfilling your tasks as a DPO.
This two-day course builds on the knowledge you would have gained from passing the GDPR Practitioner exam, focusing on the practical application of the Regulation in the workplace.
Personal data breach notification procedures under the GDPR
Organizations must create a procedure that applies in the event of a personal data breach under Article 33 of the GDPR, "Notification of a personal data breach to the supervisory authority", and Article 34, "Communication of a personal data breach to the data subject". Article 33 requires notification to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless it is unlikely to result in a risk to individuals; Article 34 additionally requires the affected data subjects to be informed without undue delay where the breach is likely to result in a high risk to them.
Help with creating a data breach notification template
The picture above is an example of what a data breach notification might look like – available from the market-leading EU GDPR Documentation Toolkit – which sets out the scope of the procedure, responsibilities and the steps that will be taken by the organization to communicate the breach from:
ISO/IEC 27018:2014, 1st Edition: Information technology – Security techniques – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
NIST Special Publication 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)
A privacy notice is a public statement of how your organisation applies data protection principles to processing data. It should be a clear and concise document that is accessible by individuals.
Articles 12, 13 and 14 of the GDPR outline the requirements on giving privacy information to data subjects. These are more detailed and specific than in the UK Data Protection Act 1998 (DPA).
The GDPR says that the information you provide must be:
Concise, transparent, intelligible and easily accessible;
Written in clear and plain language, particularly if addressed to a child; and
Free of charge.
Help with creating a privacy notice template
The privacy notice should address the following to sufficiently inform the data subject:
If you are looking for a complete set of GDPR templates to help with your compliance project, you may be interested in the market-leading EU GDPR Documentation Toolkit. This toolkit is designed and developed by expert GDPR practitioners, and has been used by thousands of organisations worldwide. It includes:
A complete set of easy-to-use and customisable documentation templates, which will save you time and money and ensure GDPR compliance;
Helpful dashboards and project tools to ensure complete GDPR coverage;
Since the EU’s GDPR (General Data Protection Regulation) came into effect in May 2018, demand for DPOs (data protection officers) has increased. The Regulation stipulates that certain organisations must appoint a DPO to support their GDPR compliance. DPOs also have an essential role as intermediaries between relevant stakeholders, such as supervisory authorities, data subjects, and business units within an organisation.
Under Article 37 of the GDPR, your organisation will need to appoint a DPO if it:
Is a public authority or body;
Has core activities that require regular and systematic monitoring of data subjects on a large scale; or
Has core activities that consist of large-scale processing of special categories of data, or of data relating to criminal convictions and offences.
The GDPR does not stipulate the level of experience a DPO must have, meaning some organisations might appoint an internal team member who does not have the experience or qualifications required, leaving them wide open to error.
Why you should consider outsourcing your DPO
Suitably skilled and experienced DPO candidates are hard to find. Outsourcing the role not only satisfies the requirements of the GDPR but also ensures your organisation is employing proper data handling and privacy policies. Furthermore, there is no conflict of interest between the DPO and other business activities.
An external DPO can work for your organisation on a fixed-fee or a per-hour basis. Signing up to a DPO service also means you can rely on several experienced DPOs rather than just one, which means more hands on deck should you ever suffer a breach.
DPO as a service (GDPR)
IT Governance’s annual subscription DPO service offers you hands-on support from one of our qualified DPOs, who will serve as independent data protection expert to your organisation. Your appointed DPO will:
Credit rating agency Equifax is to be fined £500,000 by the Information Commissioner’s Office (ICO) after it failed to protect the personal data of 15 million Britons.
A 2017 cyber-attack exposed information belonging to 146 million people around the world, mostly in the US.
The compromised systems were also US-based.
But the ICO ruled Equifax’s UK branch had “failed to take appropriate steps” to protect UK citizens’ data.
It added that “multiple failures” meant personal information had been kept longer than necessary and left vulnerable.
Originally, Equifax reported that fewer than 400,000 Britons had had sensitive data exposed in the breach – but it later revealed that the number was nearly 700,000.
A further 14.5 million British records exposed would not have put people at risk, the company added last October.
The ICO, which joined forces with the Financial Conduct Authority to investigate the breach, found that it affected three distinct groups in the following ways:
19,993 UK data subjects had names, dates of birth, telephone numbers and driving licence numbers exposed
637,430 UK data subjects had names, dates of birth and telephone numbers exposed
Up to 15 million UK data subjects had names and dates of birth exposed
Guard let down
Equifax had also been warned about a critical vulnerability in its systems by the US Department of Homeland Security in March 2017, the ICO revealed.
Appropriate steps to fix the vulnerability were not taken, according to the ICO.
Because the breach took place before the GDPR applied, the ICO acted under the Data Protection Act 1998, and the fine of £500,000 is the highest possible under that law.
“The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce,” said information commissioner Elizabeth Denham.
“This is compounded when the company is a global firm whose business relies on personal data.”
An Equifax spokesperson said the firm was “disappointed in the findings and the penalty”.
“As the ICO makes clear in its report, Equifax has successfully implemented a broad range of measures to prevent the recurrence of such criminal incidents and it acknowledges the strengthened procedures which are now in effect.
“The criminal cyber-attack against our US parent company last year was a pivotal moment for our company. We apologise again to any consumers who were put at risk.”
Any data you look at shows that the scale of ‘Internet evil’ increases every year. The economic impact of cyber crime now exceeds $1.1 million per minute. This is a major corporate risk, irrespective of organisational size, and cyber insurance is an inadequate response – insurers will not pay out where you have been negligent.
The EU’s GDPR (General Data Protection Regulation) makes the tests for negligence pretty clear: absence of accountability, insufficient corporate governance and countermeasures that do not adequately respond to the frequency and virulence of today’s attacks.
In an environment where four potentially vulnerable web components are discovered every minute, an annual penetration test is only slightly better than not bothering at all. We run penetration tests about once a month; you should be doing them at least quarterly. However, even if you do this, you need to recognise that purely technical responses have limited benefits. Staff are the weakest of your links, particularly as phishing and ransomware attacks get smarter every day. And your supply chain may increasingly be your attackers’ fastest route into what passes for your secure environment. Staff awareness training only every year or two would be desperately short-sighted.
We're going to see more and more organisations reporting data breaches: failing to notify a reportable breach to the supervisory authority within 72 hours is itself an infringement of the GDPR, and one that can be punished with significant fines. The costs don't stop there. After you report a breach and undergo investigation, fines and reputational damage, you still have to spend the money to get secure. It therefore probably works out less expensive in the long run to make comprehensive cyber security investments before you are breached (assuming that you haven't already been breached and just don't know it yet).