Enhance your privacy management with ISO 27701

ISO/IEC 27701:2019 provides guidance on data protection, including how organizations should manage personal information, and helps demonstrate compliance with privacy regulations around the world, such as the GDPR.

The Standard integrates with the international information security management standard ISO/IEC 27001 to extend an ISMS (information security management system), enabling an organization to establish, implement, maintain and continually improve a PIMS (privacy information management system).

ITG pocket guide ISO/IEC 27701:2019: An introduction to privacy information management is an ideal primer for anyone implementing a PIMS based on ISO 27701.

Improve your privacy information management regime

Co-written by Alan Shipman, an acknowledged expert in the field of privacy and personal information and the project editor of ISO/IEC 27701, this pocket guide will help you understand the basics of privacy management, including:

  • What privacy information management means
  • How to manage privacy information successfully using a PIMS aligned to ISO/IEC 27701
  • Key areas of investment for a business-focused PIMS and
  • How your organization can demonstrate the degree of assurance it offers with regard to privacy information management.

Privacy eLearning – Staff InfoSec & Compliance Awareness

Privacy eLearning & Staff Awareness

  • Access staff awareness e-learning programs and train staff on best practice processes
  • Ensure staff can spot and respond to cybersecurity and privacy risks
  • Comply with data protection and information security legislation and standards
  • Test learner knowledge to prove compliance for auditing purposes
  • Train staff under one, manageable contract with these cost-effective annual licenses
  • Developed by industry experts, our programs are updated every three months to ensure the content remains relevant
  • Gain access to any new content ITG releases throughout your year-long contract
  • Customize the courses by adding links to company documents, policies, and procedures
  • Fast deployment with instant access to all of the courses
  • Reinforce awareness with monthly security updates, which include the latest news and tips

1) Complete Staff Awareness E-learning Suite

2) GDPR Challenge E-learning Game
This short and punchy ten-minute game will test your employees’ knowledge on real-life GDPR-relevant scenarios across different industries.

3) GDPR Staff Awareness E-learning Course

4) GDPR: Email Misuse Staff Awareness E-Learning Course

5) Information Security & ISO 27001 Staff Awareness E-Learning Course

6) PCI DSS Staff Awareness E-Learning Course

7) Information Security Staff Awareness E-Learning Course

8) Phishing Staff Awareness E-Learning Course

9) Data Protection Awareness Posters

10) Phishing Awareness Posters

11) The ISMS Card Game


ISO/IEC 27701 2019 Standard and Toolkit

ISO/IEC 27701 is the international standard that serves as an extension to an ISO 27001/ISO 27002 #ISMS (information security management system). It provides guidelines for implementing, maintaining, and continually improving a #PIMS (privacy information management system).

Develop a privacy information management system as an extension to your ISO 27001-conformant ISMS with ISO/IEC 27701. Supports GDPR compliance.

Key features:

* The Standard includes mapping to the GDPR, ISO/IEC 29100, ISO/IEC 27018, and ISO/IEC 29151
* Integrates with other management system standards, including the information security standard, ISO/IEC 27001
* Provides PIMS-specific guidance for ISO/IEC 27002
* Specifies requirements and provides guidance for establishing, implementing, maintaining, and continually improving a PIMS
* Supports compliance with the GDPR and DPA 2018
* Provides guidance for data controllers and processors responsible for processing personal data

ISO 27701 Gap Analysis Tool

Achieve full compliance with ISO 27701:2019
The ISO 27701 Gap Analysis Tool has been created to help organizations identify whether they are meeting the requirements of the Standard and where they are falling short. Note that this tool assumes that you have a complete and functioning ISO 27001:2013 ISMS (information security management system).

It helps organizations prioritise work areas in order to expand an existing ISMS to take account of privacy. It also gives organizations direction, helping project managers identify where to start.

What does the tool do?

  • Contains a set of sample audit questions
  • Lists all ISO 27701:2019 requirements, identifying where documentation is mandatory for compliance
  • Provides a clear, colour-coded report on the state of compliance
  • Displays the compliance results in a clear executive summary table so that you can report on your results and measure the closure of gaps
  • Works in any Microsoft environment: it does not need to be installed like software and does not depend on complex databases; it relies on human involvement

ISO 27701 The New Privacy Extension for ISO 27001

Quick Guide to ISO/IEC 27701 – The Newest Privacy Information Standard

General Data Protection Regulation (GDPR) | The California Consumer Privacy Act (CCPA)


What the New NIST Privacy Framework Means to You

Big news is coming when NIST takes the wraps off a new privacy framework. Thanks to the General Data Protection Regulation (GDPR) of the European Union, which took full effect in May 2018, privacy is at center stage worldwide. Penalties are being meted out for violations, and organizations of all kinds need to understand and comply with the law. In addition, the California Consumer Privacy Act (CCPA) was enacted in June 2018, with many other states working on similar bills.

Source: What the New NIST Privacy Framework Means to You

Developing the NIST Privacy Framework – Part 1

Developing the NIST Privacy Framework – Part 2

Developing the NIST Privacy Framework – Part 3

NIST Privacy Framework: An Enterprise Risk Management Tool


Data Loss Prevention: Protect Yourself, Your Family, and Your Business

By Jasmine Dyoco

Another day, another data breach. Lately, it seems like we can’t go more than a few days without hearing about another cyber attack. Data breaches have recently occurred at health insurance providers like Anthem, banks like Capital One, and even the Equifax credit bureau. If there’s anything these recent hacks have shown us, it’s that no industry is safe.

Social Security numbers, credit cards, and passwords are just some of the types of compromised data. Given the number of recent attacks, Bloomberg reports that some cybersecurity professionals now make millions of dollars per year.

Massive amounts of information have been stolen. According to The Week, “virtually everyone in the U.S. has been affected by a data breach in some way — even those who never go online.” If you’re worried a hacker might have your data, here’s how you can protect yourself and your family:

Malware and Viruses

Malware and computer viruses are common ways that scammers get sensitive information. Contrary to popular belief, Macs (and smartphones and tablets) can get viruses. Whether you use Mac, Windows, Linux, or an iPad, protecting your computer against viruses also protects your information.

According to Secure Data Recovery, proactive actions can help keep hackers and viruses from accessing your data. Use strong passwords that are hard to guess. A sentence or phrase is stronger than a single word, for example. You should also install a firewall and antivirus software. Save backups of your files to a device like an external hard drive. Alternatively, you could also save data to the cloud using Google Drive or similar.

Security and Compliance

Cyber threats are continually evolving. By having an information security (InfoSec) plan in place, you can protect data from falling into the wrong hands. InfoSec helps organizations maintain confidentiality while complying with industry regulations. DISC helps organizations succeed in their InfoSec and privacy programs by building and assessing an Information Security Management System (ISMS) and a Privacy Information Management System (PIMS) based on various standards and regulations.

For instance, Deura Information Security Consulting (DISC) can perform a risk assessment to identify the security risks. Based on those gaps, they’ll help you create a “safe, secure, and resilient cyber environment.” Additionally, they’ll help your organization comply with regional cyber laws. Those laws include Europe’s General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA).

Protect Your Teens

Nobody is safe from online attacks. Unfortunately, that includes children and teenagers. Some scams specifically target teens and young adults. One example is phishing, which tricks teens into revealing their social media passwords. Teens are also susceptible to phishing scams that include “urgent” subject lines. These scams often trick people into clicking a link to avoid missing a once-in-a-lifetime opportunity.

To protect your children, the InfoSec Institute advises telling them to keep their login information private and to never click on social media links via email. Teach them red flags, like email scams claiming they’ve won money or website URLs that have misspellings or extra letters. Your whole family can learn what to look for by practicing with a phishing simulator.

Credit Freezes and Monitoring

Many people believe cybercriminals only steal money. The reality is that many of them are interested in stealing data, identities, or intellectual property. In the event that you do experience data loss, whether due to a virus, malware, or online scam, it’s essential to take action.

According to the IRS, you should report identity theft to the FTC, your bank, and each of the credit bureaus. You might want to freeze your credit and place a one-year alert on your credit report. Credit monitoring companies can help you protect your credit score by alerting you of any fraudulent activity. If you follow the tips listed above, you can recover your data and protect yourself from future attacks.

How to report and protect yourself from credit card fraud

How to prevent credit card fraud amid coronavirus pandemic

The Secret to Cybersecurity: A Simple Plan to Protect Your Family and Business from Cybercrime


Why do organizations need to conduct a penetration test?

12 reasons why an organization should carry out a penetration test:

1. To assess the potential business and operational impacts of successful attacks and determine the feasibility of a particular set of attack vectors.
2. To identify higher-risk vulnerabilities that result from lower-risk vulnerabilities exploited in a particular way.
3. To comply with security regulations or standards, e.g. ISO 27001, NIST CSF, NIST 800-171, HIPAA, PCI DSS or the EU GDPR.
4. To ensure the security of new applications or significant changes to business processes.
5. To manage the risks of using a greater number and variety of outsourced services.
6. To assess the risk of critical data or systems being compromised by an incident.
7. To prepare for any upcoming external audits, such as FFIEC audits performed by third-party providers.
8. To determine the weaknesses in the infrastructure (hardware), applications (software) and people in order to develop controls.
9. To save remediation costs and reduce network downtime.
10. To develop efficient security measures.
11. To provide evidence to support increased investment in security personnel and technology.
12. At the end of the day, it’s basic due diligence: to find out about a vulnerability before someone else does.

I’ll Let Myself In: Tactics of Physical Pen Testers

#SANS Pen Test HackFest Summit

DISC InfoSec Recommended Pen Testing Titles

Penetration Testing Services Procurement Guide

Contact DISC InfoSec to discuss your information security assessment (pen test) requirements


How to become a data protection officer

As you might have expected, the GDPR (General Data Protection Regulation) has created a spike in demand for data protection and privacy experts. Organisations are desperate to hire people who can guide them towards regulatory compliance and avoid large fines. In this latest blog, discover what a DPO’s tasks are and how to become one.

For many organizations, this isn’t just a wish; they are legally required to find such a person and appoint them as DPO (data protection officer).

The demand for DPOs makes it an ideal job role for those looking to advance their career. You need plenty of experience, as well as demonstrable soft skills, but it provides an opportunity with plenty of room for growth. Let’s take a look at how you can get started.

It’s worth summarising exactly what a DPO’s tasks are because you’ll see that they are responsible for more than simply reviewing GDPR compliance.

Yes, they are broadly tasked with advising organizations on how to comply with their legal requirements concerning data protection. But that doesn’t just include things like monitoring policies and looking into the need for DPIAs (data protection impact assessments).

It also involves helping staff understand their data protection obligations and serving as a point of contact for individuals who contact the organization with data protection and privacy queries.

This means that DPOs will be regularly discussing the GDPR with people who aren’t technically minded. As such, they must have strong communication skills and be capable of explaining complex issues without using jargon.

It’s much harder to teach skills like that than to train someone on the ins and outs of the GDPR, but still eminently possible.

If you’re interested in becoming a DPO, you will benefit massively from taking a training course dedicated to the role. It will help you understand the technical requirements of the GDPR and how they apply to each part of your job role, and give you practical experience of the tasks you’re responsible for.

For example, you can understand exactly what’s required when performing, say, a DPIA, but you need to be aware of your boundaries. DPOs must operate independently and without any conflict of interest. Taking too active a role in tasks like this jeopardizes your status as an advisor and violates the GDPR’s requirements.

Certified Data Protection Officer (C-DPO) Masterclass Training Course

IT Governance’s Certified Data Protection Officer (C-DPO) Masterclass Training Course gives you the technical and spatial expertise you need to become a DPO.

Over four days, our expert trainers will help you hone your knowledge of the GDPR and show you how to use that knowledge appropriately while fulfilling your tasks as a DPO.

Certified Data Protection Officer (C-DPO) Upgrade Training Course

If you already have a strong understanding of the GDPR, you might prefer our Certified Data Protection Officer (C-DPO) Upgrade Training Course.

This two-day course builds on the knowledge you would have gained from passing the GDPR Practitioner exam, focusing on the practical application of the Regulation in the workplace.

Source: How to become a data protection officer

GDPR Training


Microsoft wants a US privacy law that puts the burden on tech companies

On the first anniversary of #GDPR, Microsoft calls for a similar privacy law in the US that puts the burden on the companies that collect and use sensitive data.

Europe’s privacy law went into effect nearly a year ago. It’s time for the US to catch up, the tech giant says.

Source: Microsoft wants a US privacy law that puts the burden on tech companies


Computer security training courses

Computer security training courses – Online cyber security courses

Build your cyber security awareness and InfoSec career to keep your cyber security skills relevant. Learn how to protect your information assets against today’s cyber threats with the best online cyber security training courses.

The DISC InfoSec cyber security training curriculum includes specialized InfoSec training and general cyber security courses for all levels.

  • Security Penetration Testing (The Art of Hacking Series) LiveLessons
  • Linux Security and Hardening, The Practical Security Guide
  • CISSP LiveLessons
  • Red Hat Certified Engineer (RHCE) with Virtual Machines LiveLessons, 2nd Edition
  • Fundamentals of NERC CIP
  • Cyber Security – Online Scams & How to Avoid Them
  • Disaster Recovery and Risk Management

  • Penetration Testing
  • Kali Linux
  • Identity Theft
  • PowerShell Security
  • Programming Courses
  • Security Risk Management
  • Planning a Security Incident Response
  • AWS Security
  • Azure Security
  • Network Security
  • Wireless Security
  • RedHat Security
  • InfoSec eLearning
  • Social Engineering
  • Essentials of CyberSecurity
  • Azure Security & Compliance
  • Cyber Security Training Courses
  • Security Disaster Recovery
  • Cloud Security Computing


Why your organisation should consider outsourcing its DPO

By Laura Downes

Since the EU’s GDPR (General Data Protection Regulation) came into effect in May 2018, demand for DPOs (data protection officers) has increased. The Regulation stipulates that certain organisations must appoint a DPO to support their GDPR compliance. DPOs also have an essential role as intermediaries between relevant stakeholders, such as supervisory authorities, data subjects, and business units within an organisation.

Your organisation will need to appoint a DPO if it:

• Is a public authority or body;
• Regularly and systematically monitors data subjects; or
• Processes special categories of data on a large scale.

The GDPR does not stipulate the level of experience a DPO must have, meaning some organisations might appoint an internal team member who does not have the experience or qualifications required, leaving them wide open to error.

Why you should consider outsourcing your DPO

Suitably skilled and experienced DPO candidates are hard to find. Outsourcing the role not only satisfies the requirements of the GDPR but also ensures your organisation is employing proper data handling and privacy policies. Furthermore, there is no conflict of interest between the DPO and other business activities.

An external DPO can work for your organisation on a fixed-fee or a per-hour basis. Signing up to a DPO service also means you can rely on several experienced DPOs rather than just one, which means more hands on deck should you ever suffer a breach.

DPO as a service (GDPR)

IT Governance’s annual subscription DPO service offers you hands-on support from one of our qualified DPOs, who will serve as an independent data protection expert to your organisation. Your appointed DPO will:


Equifax fined by ICO over data breach that hit Britons

Credit rating agency Equifax is to be fined £500,000 by the Information Commissioner’s Office (ICO) after it failed to protect the personal data of 15 million Britons.

A 2017 cyber-attack exposed information belonging to 146 million people around the world, mostly in the US.

The compromised systems were also US-based.

But the ICO ruled Equifax’s UK branch had “failed to take appropriate steps” to protect UK citizens’ data.

It added that “multiple failures” meant personal information had been kept longer than necessary and left vulnerable.

Originally, Equifax reported that fewer than 400,000 Britons had had sensitive data exposed in the breach – but it later revealed that the number was nearly 700,000.

A further 14.5 million British records exposed would not have put people at risk, the company added last October.

The ICO, which joined forces with the Financial Conduct Authority to investigate the breach, found that it affected three distinct groups in the following ways:

• 19,993 UK data subjects had names, dates of birth, telephone numbers and driving licence numbers exposed
• 637,430 UK data subjects had names, dates of birth and telephone numbers exposed
• Up to 15 million UK data subjects had names and dates of birth exposed

Guard let down

Equifax had also been warned about a critical vulnerability in its systems by the US Department of Homeland Security in March 2017, the ICO revealed.

And appropriate steps to fix the vulnerability were not taken, according to the ICO.

Because the breach happened before the launch of the EU’s General Data Protection Regulation (GDPR) in May this year, the investigation took place under the UK’s Data Protection Act 1998 instead.

And the fine of £500,000 is the highest possible under that law.

“The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce,” said information commissioner Elizabeth Denham.

“This is compounded when the company is a global firm whose business relies on personal data.”

An Equifax spokesperson said the firm was “disappointed in the findings and the penalty”.

“As the ICO makes clear in its report, Equifax has successfully implemented a broad range of measures to prevent the recurrence of such criminal incidents and it acknowledges the strengthened procedures which are now in effect.

“The criminal cyber-attack against our US parent company last year was a pivotal moment for our company. We apologise again to any consumers who were put at risk.”

By BBC.com


4 bad things happening every minute on the Internet

RiskIQ’s Evil Internet Minute infographic tells you the bad things happening every minute on the Internet:

• 5 successful ransomware attacks
• 9 phishing attacks
• 1,274 new malware variants
• 5,518 records compromised

Any data you look at shows that the scale of ‘Internet evil’ increases every year. The economic impact of cyber crime now exceeds $1.1 million per minute. This is a major corporate risk, irrespective of organisational size, and cyber insurance is an inadequate response – insurers will not pay out where you have been negligent.

The EU’s GDPR (General Data Protection Regulation) makes the tests for negligence pretty clear: absence of accountability, insufficient corporate governance and countermeasures that do not adequately respond to the frequency and virulence of today’s attacks.

In an environment where four potentially vulnerable web components are discovered every minute, an annual penetration test is only slightly better than not bothering at all. We run penetration tests about once a month; you should be doing them at least quarterly. However, even if you do this, you need to recognise that purely technical responses have limited benefits. Staff are the weakest of your links, particularly as phishing and ransomware attacks get smarter every day. And your supply chain may increasingly be your attackers’ fastest route into what passes for your secure environment. Staff awareness training only every year or two would be desperately short-sighted.

We’re going to see more and more organisations reporting data breaches – it’s now an offence to not report one, and you can be punished with significant fines. The costs don’t stop there. After you report a breach, and undergo investigation, fines and reputational damage, you still have to spend the money to get secure. It therefore probably works out less expensive in the long run to make comprehensive cyber security investments before you are breached (assuming that you haven’t already been breached, and you just don’t know it yet).


What is ‘privacy by design’?

Privacy by design is a voluntary approach to projects that promotes privacy and data protection compliance, and helps you comply with the Data Protection Act 1998 (DPA).

The Information Commissioner’s Office (ICO) encourages organisations to seriously consider privacy and data protection throughout a project lifecycle, including when:

• Building new IT systems to store or access personal data;
• Needing to comply with regulatory or contractual requirements;
• Developing internal policies or strategies with privacy implications;
• Collaborating with an external party that involves data sharing; or
• Existing data is used for new purposes.

Privacy by design and the GDPR

The upcoming EU General Data Protection Regulation (GDPR) will supersede the DPA. Article 25 of the GDPR, “[d]ata protection by design and default”, requires you to “implement appropriate technical and organisational measures” throughout your data processing project. As such, data protection must be considered at the design stage of any project, and you must process and store as little data as possible, for as short a time as possible.

Under the GDPR, you are required to document your data processing activities. One way to do this is to map your organisation’s data flows. This method also enables you to assess the risks in your data processing activities and identify where controls are required, for example, assessing privacy and data security risks.

Organisations need to be aware of the personal data that they are processing, and that this data is being processed in compliance with the law. Organisations can often process significantly more data than they realise, so it is vital that they perform mapping exercises to keep track of it all.

Data flow mapping may seem daunting, but you can simplify the process with the Data Flow Mapping Tool.

The tool gives you a thorough understanding of what personal data your organisation processes and why, where it is held and how it is transferred.

IT Governance’s free green paper ‘Conducting a data flow mapping exercise under the GDPR’ will help you understand how to effectively map your data in compliance with the GDPR.

Steps to GDPR Compliance


4 reasons you should get a cyber security qualification

The dramatic rise in cyber attacks over the past few years has caught most businesses off guard. Their cyber security departments are severely understaffed, causing them to look desperately for qualified professionals to help tackle the threat.

There has never been a better time to get into cyber security, so if you’re looking to enter the field, or further your career in it, you could benefit massively from gaining a relevant qualification. Here are four reasons why:

1. Cyber security professionals are well paid

Money isn’t everything when it comes to choosing your career, but it’s obviously a big factor for many people. We mentioned recently that people with a CISM®, PCI or GDPR qualification could earn £60,000 or more a year.

Of these, the CISM (Certified Information Security Manager) qualification is the most versatile. It’s the globally accepted standard of achievement among information security, information systems audit and IT governance professionals.

According to ITJobsWatch, people with a CISM qualification earn £64,000 a year on average. This figure has grown by more than 9% in the past two years.

2. There’s a high level of job security

The shortage of qualified cyber security professionals means that those in the field are less likely to be replaced or made redundant. Their skills are hard to find elsewhere, and the more someone gets to know the company, the more valuable they will become.

Additionally, because almost every organisation currently needs cyber security professionals, those with the relevant qualifications are more likely to find a position in a location or company that suits them.

3. There’s room for career growth

For the same reason that cyber security is a safe career, it’s also one that offers plenty of room for growth. Qualifications plus experience is a powerful combination that can help you move into more senior positions.

As you gain experience, you’ll also get the opportunity to earn more advanced qualifications. For example, you must have at least three years’ experience in IT governance to be eligible for a Certified in Risk and Information Systems Control (CRISC) qualification, and five years’ experience to be eligible for a Certified in the Governance of Enterprise IT (CGEIT®) qualification.

4. The work is rewarding

Cyber security is still a relatively young field, making it an exciting and prosperous place. The threats that organisations face are constantly evolving, so you’ll always have new challenges. Plus, you know that your hard work is for a good cause: to stop cyber criminals and keep your organisation safe.

What qualifications do I need?

The qualifications you need will depend on the career path you choose. If you’re interested in governance, risk management, and compliance, for instance, a CGEIT qualification is essential. If you’re interested in information security, you’ll need a CRISC qualification.

We’re currently running promotions on our CRISC, CGEIT, CISA and CISM training courses. If you book before 22 December, you’ll receive a 10% discount on the courses and a 5% discount on all reading materials.


Fundamentals of Information Risk Management Auditing

New information and IT risks seem to be everywhere, so it is essential that organizations address these risks in the context of enterprise risk management (ERM).

ERM is a practice that has become increasingly popular. It’s important that an organization’s information risk management specialist or auditor understands this practice because much of their work will need to be in the context of ERM.

Kick-start your career in information risk management with introductory guidance.

Fundamentals of Information Risk Management Auditing

Provides insight and guidance into information risk management and ERM, ideal for those considering a career in information risk management, for non-specialist auditors, and for managers.

This book will give you an introduction to:

  • Risk and risk management
  • Information security and management risks
  • Concepts of application controls

Gain an insight into the risks and controls/mitigations that you might encounter when performing or managing an audit of information risk.

Author Podcast: Fundamentals of Information Risk Management Auditing, with Christopher Wright

In the podcast Christopher discusses Lean, Agile, the EU General Data Protection Regulation (GDPR), and ERM.


Why is ISO 27001 so important for US technology firms?

by Rob Freeman

At IT Governance, we have long known that compliance with the ISO 27001 information security management standard is essential for all US companies that wish to do business with the rest of the world. This requirement is fuelled by the ever-growing threat of cybercrime and the increasing awareness of the data privacy rights of all individuals in target markets globally.

Win international business

To win and maintain international business, your firm needs to demonstrate that it takes cybersecurity and data privacy seriously, and fully complies with all of the relevant laws and regulations.

This is particularly true for US technology companies, many of which deliver services and products using online web-based channels. Modern Internet marketing and sales methodology demands the acquisition of large databases of customers’ personal data. In return for purchasing goods and services, these customers expect that their data will be secured, stored, and used in an appropriate manner. From the big guys like Microsoft or Salesforce.com to the little guys trading internationally on eBay, ensuring the data security and privacy of customers is just as important as delivering a great product.

Although now a little dated, I can recommend that you view the August news release from InsideView, a CA-based market intelligence company, which announced “InsideView Expands ISO/IEC 27001:2013 Certification to Include ISO/IEC 27018”. This somewhat innocuous headline is hiding a really big message that is buried in the second paragraph:

A global priority

Protection of personal information has become a globally recognized priority. Emerging regulations and frameworks, such as European Union Data Protection Directive (GDPR) and the US Department of Commerce Privacy Shield, will require data processors to provide specific protections and rights of access regarding personal information.

“This extension of our ISO 27001 information security management system to include the ISO 27018 controls for personal data shows that InsideView is leading the market in preparation for new privacy regulations,” said Jenny Cheng, Chief Product Officer at InsideView.

If you are not aware of the importance of ISO 27001, I can recommend that you purchase and read this textbook: IT Governance – An International Guide to Data Security and ISO27001/ISO27002, Sixth Edition.
