© TCIC Global Certification LTD. Class: Controlled Slide 1
Integration and Application of ISMS and PIMS
Regulatory Compliance as an Example
July 19, 2018
Copyright © 2018 TCIC LTD ., All rights reserved.
All other trademarks are trademarks of their respective holders.
*Data sources are from indicated organizations in this presentation.
Prepared by: Daniel Liang (梁日誠)
TCIC Global Certification Ltd. 環奧國際驗證公司
Email: [email protected]
Slide 2
Mr. Daniel Liang (梁日誠)
Cellphone: +886-988292678 email: [email protected]
• Director and Global Operations General Manager, TCIC (環奧國際驗證公司); auditor, trainer, assessor
• Standards Council of Canada (SCC) Canadian Advisory Committee on GDPR
• Canada's Mirror Committee for ISO/PC317 - Consumer protection: privacy by design for consumer goods and services
• Member, Open Government Data Advisory Group, Ministry of Science and Technology (Taiwan)
• Approved auditor, automotive connectivity alliance (汽車聯結聯盟)
• Deputy Chair, Capability Development Committee (CDC), Taiwan Digital Forensics Development Association (ACFD)
• President, Canada Formosa Business Association
• ISO27001/ISO20000 Lead Auditor, TCIC-Canada
• APMG/itSMF Certified ISO20000 Auditor
• APMG/itSMF Certified ISO20000 Consultant
• Cloud Computing Foundation Certificate, APMG
• ITSM Foundation Certificate (based on ITIL)
• Certified Information Security Manager, CIS-Austria
• ISO27001 Lead Auditor, CIS-Austria & TCIC-Canada
• ISO20000 Lead Auditor, CIS-Austria & TCIC-Canada
• ISO22301 Lead Auditor, CIS-Austria & TCIC-Canada
• ISO9001 Lead Auditor, Quality Austria-Austria
• ISO29151/ISO27018/ISO27017 Lead Auditor, CIS-Austria & TCIC-Canada
• Accredited ISO20000 Auditor/Practitioner/Foundation Course Trainer, APMG
• ISO 29100/ISO 29134 Privacy Risk Management Course Trainer, CIS-Austria & TCIC-Canada
• ISO 31000/ISO 27005 Risk Management Course Trainer, TCIC-Canada
• Information Security and Service Management Trainer, CIS-Austria
• Information Security and Service Management Trainer, TCIC-Canada
(Slide graphic: Andrea Jelinek, Chairwoman of the Article 29 Working Party and Head of Austria's data protection authority, February 2018. Austria: the accreditation body is the DPA; PIMS/ISMS certification body; personnel certification body.)
Slide 3
Table of Contents
• ISMS/PIMS and related regulations
• ISMS/PIMS integration and application
• Lessons from abroad: Canada as an example
• Accreditation/certification scheme and demonstrating compliance
• Demonstrating compliance through certification against international standards
Slide 4
ISMS/PIMS and related regulations
ISMS - Information Security Management System
PIMS - Privacy Information Management System (personal data management system)
GDPR - General Data Protection Regulation
RPEC - Regulation on Privacy and Electronic Communications
Slide 5
ISMS/PIMS and regulatory compliance
A.18.1.1 Identification of applicable legislation and contractual requirements
Control
All relevant statutory, regulatory and contractual requirements and the organization's approach to meet these requirements shall be explicitly identified, documented, and kept up to date for each information system and the organization.
(Slide diagram) Each applicable law is paired with the organisation's documented approach to meeting it:
• Cyber Security Management Act (Taiwan) → approach to comply with the Cyber Security Management Act
• Personal Data Protection Act (Taiwan) → approach to comply with the Personal Data Protection Act
• GDPR → approach to comply with the GDPR
• RPEC → approach to comply with the RPEC
Information security requirements ⇒ ISMS; personal data requirements ⇒ PIMS
Slide 6
Personal data protection regulations and risk management
Enforcement Rules of the Personal Data Protection Act (Taiwan), Article 12, item 3: a risk assessment and management mechanism for personal data
GDPR Article 35: Data Protection Impact Assessment (DPIA)
Risk management mechanism + privacy impact assessment = personal data risk management mechanism
Privacy Impact Assessment (PIA), i.e. what the GDPR calls a DPIA
Information security risk => information security controls => information security management system
Personal data risk => personal data controls => personal data (privacy information) management system
Slide 7
RPEC and its impact
1. This Regulation applies to:
(a) the provision of electronic communications services to end-users in the Union, irrespective of whether a payment of the end-user is required;
(b) the use of such services;
(c) the protection of information related to the terminal equipment of end-users located in the Union.
ISO 27001 controls concerned: A.9 Access control, A.10 Cryptography, A.12 Operations security, A.13 Communications security, A.14 System acquisition, development and maintenance
ISO/PC317 – ISO 23485 (WD) Consumer protection: privacy by design for consumer goods and services
Affected sectors: telecom and network operators, network equipment, smartphones/apps, IoT, ...
Slide 8
ISMS/PIMS integration and application
- GDPR as an example
Slide 9
How can I demonstrate that my Organisation is compliant with the GDPR? - 1
Answer
The principle of accountability is a cornerstone of the General Data Protection Regulation (GDPR).
According to the GDPR, a business/organisation is responsible for complying with all data protection
principles and is also responsible for demonstrating compliance. The GDPR provides
businesses/organisations with a set of tools to help demonstrate accountability, some of which have
to be mandatorily put in place.
For example, in specific cases the establishment of a DPO or conducting data protection impact
assessments (DPIA) may be mandatory. Data controllers can choose to use other tools such as
codes of conduct and certification mechanisms to demonstrate compliance with data protection
principles.
You may adhere to a Code of Conduct prepared by a business association which has been
approved by a DPA. A Code of Conduct may be given EU-wide validity through an implementing act
of the Commission.
You may adhere to a certification mechanism operated by one of the certification bodies that have
received accreditation from a DPA or a national accreditation body or both, as decided in each
Member State law.
Source: https://ec.europa.eu/info/law/law-topic/data-protection_en
Slide 10
How can I demonstrate that my Organisation is compliant with the GDPR? - 2
Example
The umbrella insurance body in the EU Member State of your company/organisation has had a
Code of Conduct approved by the supervisory authority. A number of rival insurance firms have
adhered to the Code. While adhering is voluntary, the adherence to the Code helps in
demonstrating compliance with the GDPR.
Adopting a Code of Conduct or a certification mechanism is voluntary, but GDPR obligations such as Article 25 (data protection by design and by default) and Article 35 (data protection impact assessment) are mandatory, and compliance with them can be demonstrated through a Code of Conduct or a certification mechanism.
Source: https://ec.europa.eu/info/law/law-topic/data-protection_en
Slide 11
GDPR key points (1)
• Expanded scope of application – Art. 3
• Broader definition of personal data (including cookies and IP addresses) – Art. 4
• Explicit, valid consent (withdrawable at any time) – Art. 7; Guidelines on Consent under Regulation 2016/679 (WP259 rev.01)
• Data subject rights:
  - Right to rectification and right to erasure (right to be forgotten) – Art. 16, 17
  - Right to data portability – Art. 20; right to object (e.g. to solely automated profiling) – Art. 21, 22
  Guidelines on Transparency under Regulation 2016/679 (WP260 rev.01)
  Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679 (WP251 rev.01)
  Guidelines on the right to "data portability" (WP242 rev.01)
Slide 12
GDPR key points (2)
• The controller bears the burden of demonstrating GDPR compliance – Art. 5
• Data protection by design and by default (DPbDbD) – Art. 25
• Written designation of a representative in the Union (non-public bodies; exceptions apply) – Art. 27
• Documented records of processing activities (enterprises with 250 or more employees; exceptions apply) – Art. 30
• Personal data breach notification (72-hour requirement) – Art. 33, 34; Guidelines on Personal data breach notification under Regulation 2016/679 (WP250 rev.01)
Slide 13
GDPR key points (3)
• Data protection impact assessment (DPIA) – Art. 35; Guidelines on Data Protection Impact Assessment (DPIA) (WP248 rev.01)
• Designation of a data protection officer (DPO) – Art. 37-39; Guidelines on Data Protection Officers ('DPOs') (WP243 rev.01)
• Restrictions on cross-border transfers – Art. 44, 45, 46-47, 49; Guidelines on Article 49 of Regulation 2016/679 (pending); Adequacy Referential (WP254 rev.01); European Essential Guarantees (WP237); Opinion 04/2016 on European Commission amendments proposals related to the powers of Data Protection Authorities in Standard Contractual Clauses and adequacy decisions (WP241)
• Encouragement of accreditation/certification and codes of conduct (including monitoring) – Art. 40-43; Guidelines on the accreditation of certification bodies (pending)
Slide 14
GDPR key points (4)
• Higher penalties – Art. 83; Guidelines on the application and setting of administrative fines (WP253)
• Cooperation between supervisory authorities (one-stop shop) – Art. 60-67; Guidelines on the Lead Supervisory Authority (WP244 rev.01)
• Independent supervisory authorities – Art. 51-59
Factors that determine whether particular GDPR obligations apply or are excepted: whether the organisation is a public authority; whether the processing is occasional; whether it is large-scale; whether special categories of data are processed; whether criminal-conviction data are processed; whether the processing is high-risk.
Slide 15
GDPR myths
Some common misconceptions about the GDPR in industry.
https://www.ithome.com.tw/news/116876
According to WP243 Rev.01, Guidelines on Data Protection Officers (‘DPOs’):
DPOs are not personally responsible for non-compliance with data protection
requirements. It is the controller or the processor who is required to ensure and to
be able to demonstrate that processing is performed in accordance with this
Regulation. Data protection compliance is the responsibility of the controller or the
processor.
Slide 16
Lessons from abroad: Canada as an example
Slide 17
Countries with Adequacy Decision
Recognised third countries providing adequate protection:
Andorra, Argentina, Canada (commercial organisations), Faroe Islands,
Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland,
Uruguay and the US (limited to the Privacy Shield framework).
Adequacy talks are ongoing with Japan and South Korea.
The adoption of an adequacy decision involves :
�a proposal from the European Commission
• an opinion of the European Data Protection Board
(Currently, Article 29 Working Party)
�an approval from representatives of EU countries
�the adoption of the decision by the European Commissioners
Canada (the third country) obtained an adequacy decision scoped to commercial organisations (a sector).
Demonstrating compliance at the national level: adequacy decision
Slide 18
Third Country Example - Canada (1), according to Art. 45(2)(a)
Canada demonstrates adequacy through the following (slide annotations in parentheses):
• Privacy Act, 1985 (federal act) (public-sector privacy law)
• Personal Information Protection and Electronic Documents Act, 2000 (PIPEDA, federal act) (private-sector privacy law)
• Model Code for the Protection of Personal Information, 2003 (CAN/CSA-Q830-03, national standard) (national standard)
• Personal Information Protection Act (provincial law, except for Newfoundland) (provincial privacy law)
• A Guide for Businesses and Organizations: Your Privacy Responsibilities – Canada's Personal Information Protection and Electronic Documents Act, by the Office of the Privacy Commissioner of Canada (OPC) (privacy guide for businesses)
• Guidelines for Processing Personal Data Across Borders, by the Office of the Privacy Commissioner of Canada (cross-border transfer guidelines)
Slide 19
Third Country Example - Canada (2), according to Art. 45(2)(a) and (b)
(Slide diagram) PIPEDA applies to the private sector, subject to exclusions; it incorporates the Model Code for the Protection of Personal Information as Schedule 1 and is supplemented by OPC guidance: Your Privacy Responsibilities – Canada's Personal Information Protection and Electronic Documents Act; Guidelines for Processing Personal Data Across Borders; other personal information protection guidelines. The Privacy Act applies to the public sector (federal and provincial), subject to exclusions. The Privacy Commissioner (OPC) oversees both regimes and investigates complaints.
Slide 20
Third Country Example - Canada (3), according to Art. 45(2)(a)
Organizations (private sector) shall follow a code for the protection of personal information, which is included in PIPEDA as Schedule 1.
The 10 principles that businesses shall follow are:
1. Accountability
2. Identifying purposes
3. Consent
4. Limiting collection
5. Limiting use, disclosure and retention
6. Accuracy
7. Safeguards
8. Openness
9. Individual access
10. Provide recourse
The 10 principles are from the Model Code for the Protection of Personal Information.
Demonstrated through the ISO/CNS 29100 privacy principles, with corresponding privacy controls in ISO 29151 and ISO/CNS 27018:
• Consent and choice
• Purpose legitimacy and specification
• Collection limitation
• Data minimization
• Use, retention and disclosure limitation
• Accuracy and quality
• Openness, transparency and notice
• Individual participation and access
• Accountability
• Information security
• Privacy compliance
Slide 21
Third Country Example - Canada (4), according to Art. 55-59 with respect to the supervisory authority
Slide 22
Third Country Example - Canada (4), according to Art. 45(2)(c) with respect to the supervisory authority
Slide 23
Third Country Example - Canada (5), according to Art. 45(4)
(Slide diagram) Canadian Advisory Committee on GDPR* – ongoing basis
• Chaired by industry; made up of Canadian stakeholders impacted by/interested in GDPR; supported by SCC
• Goals/outcomes: lower the risk of doing business in Europe; increase market access (remove barriers); increase business opportunities
• Deliverables: better understanding of GDPR; better understanding of the challenges in meeting compliance with the requirements; clear positions on GDPR or on data protection and privacy standards under development; tools & guidelines; resources/network; new business ideas (innovation); etc.
• Liaison with CEN/CENELEC, ETSI and ISO/IEC; solutions in Canada for Canadians
• Working groups on regulatory interpretation, information sharing and regulatory compliance
*Governance: ToRs, Code of Conduct (to be developed); open, fair and transparent
Mandate: Identify challenges Canadian organizations face in complying with and/or in seizing business opportunities regarding EU GDPR. Propose and implement solutions that can be supported by SCC and disseminated broadly to Canadian organizations.
Slide 24
Accreditation/certification scheme and demonstrating compliance
- GDPR as an example
Slide 25
GDPR accreditation/certification scheme as a demonstration of good governance - 1
Article 24 Responsibility of the controller
Adherence to approved codes of conduct as referred to in Article 40 or approved certification mechanisms as referred to in Article 42 may be used as an element by which to demonstrate compliance with the obligations of the controller
Article 25 Data protection by design and by default
An approved certification mechanism pursuant to Article 42 may be used as an element to demonstrate compliance with the requirements set out in paragraphs 1 and 2 of this Article.
Article 28 Processor
Adherence of a processor to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate sufficient guarantees as referred to in paragraphs 1 and 4 of this Article.
Article 32 Security of processing
Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article.
Article 35 Data protection impact assessment
Compliance with approved codes of conduct referred to in Article 40 by the relevant controllers or processors shall be taken into due account in assessing the impact of the processing operations performed by such controllers or processors, in particular for the purposes of a data protection impact assessment.
Slide 26
GDPR accreditation/certification scheme as a demonstration of good governance - 2
Article 46 Transfers subject to appropriate safeguards
(e) an approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights; or
(f) an approved certification mechanism pursuant to Article 42 together with binding and enforceable commitments of the controller or
Article 57 Tasks
(m) encourage the drawing up of codes of conduct pursuant to Article 40(1) and provide an opinion and approve such codes of conduct which provide sufficient safeguards, pursuant to Article 40(5);
(n) encourage the establishment of data protection certification mechanisms and of data protection seals and marks pursuant to Article 42(1), and approve the criteria of certification pursuant to Article 42(5);
Article 83 General conditions for imposing administrative fines
(j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and
Slide 27
GDPR provisions on accreditation and certification
CHAPTER IV Controller and processor
• Section 5 Codes of conduct and certification
• Article 40 Codes of conduct
• Article 41 Monitoring of approved codes of conduct
• Article 42 Certification
• Article 43 Certification bodies
Slide 28
EU Institutions
• European Council: Heads of state or government of EU countries, European Commission President, High Representative for Foreign Affairs & Security Policy
• European Commission: A team or 'College' of Commissioners, 1 from each EU country. The European Commission is the EU's politically independent executive arm. It is alone responsible for drawing up proposals for new European legislation, and it implements the decisions of the European Parliament and the Council of the EU
• European Parliament: Directly-elected EU body with legislative, supervisory, and budgetary responsibilities
• European Court of Justice
• European Data Protection Board (formerly the Article 29 Working Party)
https://europa.eu/european-union/about-eu/institutions-bodies_en
Slide 29
GDPR code-of-conduct scheme relationships, Articles 40 & 41
(Slide diagram) Associations and other bodies representing controllers/processors draft a code of conduct and submit it to the supervisory authority of the Member State, which approves it. Controllers/processors adhere to the code and maintain compliance with it; a monitoring body, accredited by the supervisory authority, monitors that compliance. If the processing concerns multiple Member States, the supervisory authority submits the draft code to the European Data Protection Board, which submits its opinion to the Commission; the Commission may give the code general validity and ensures appropriate publicity.
China's Personal Information Protection Law (draft, 2017), Article 39 [Self-regulatory norms]: Self-regulatory norms formulated under this law by non-state-organ information-processing entities that meet the standards required by this law have, once approved by the competent authority, the same legal effect as this law.
Slide 30
GDPR accreditation/certification scheme relationships, Articles 42 & 43
(Slide diagram, Austria as the example) In each Member State the supervisory authority and/or the national accreditation body (operating under Regulation (EC) No 765/2008) accredits certification bodies (CBs), which are governed by ISO/IEC 17065 plus additional requirements; accreditation is valid for a maximum of 5 years. Controllers/processors join a certification scheme; the CB issues and maintains data protection certifications, seals or marks, valid for a maximum of 3 years. Certification criteria are approved by the supervisory authority or by the European Data Protection Board; criteria approved by the Board may result in a common certification, the European Data Protection Seal.
Slide 31
Data protection certification mechanisms, Seals and Marks
• European Privacy Seal (EuroPriSe), which provides certifications for IT-based products and services throughout the EU. [requires accreditation or approval by a supervisory authority, an accreditation body or the Board]
• French data protection authority's "Label CNIL" privacy certification scheme. [requires approval by the Board] [single country]
• PIMS, BS 10012 promoted by BSI in the UK. [requires accreditation or approval by a supervisory authority, an accreditation body or the Board] [single country; moreover the UK does not provide accreditation for certification to this standard, and once the UK leaves the EU in March 2019 the EU will be unlikely to consider any third-country standard]
• Privacy Information Management System (PIMS), published by ISO under the existing accreditation and certification scheme of ISO 27001. [already exists under accreditation-body accreditation] [all EU Member States are ISO member bodies and adopt ISO standards as identical national standards]
Slide 32
ISO/IEC JTC1/SC27 and WP29/EDPB
• Before Feb 2018, the Head of the French DPA (CNIL) was the chairperson of WP29.
• CNIL played admin and coordination roles in WP29
• WP29 is focusing on ISO standards instead of specific national standards, e.g. BS 10012
• ISO has its own perspectives on PIMS
• The withdrawal of the UK from the EU is one of the reasons WP29 excluded BS standards from its PIMS planning
Slide 33
Demonstration of Compliance by PIMS Certification on ISO Standards
Slide 34
Personal data protection certifications developed by ISO (slide diagram)
Base standards: ISO/IEC 27001 and ISO/IEC 27009
General enterprises/organisations: ISO/IEC 29151 (personal data protection), ISO/IEC 27018 (personal data protection in the cloud), ISO/IEC 27017 (cloud security)
Specific sectors: ISO 27799 (healthcare), ISO/IEC 27011 (telecommunications), ISO/IEC 27019 (energy)
Note: ISO continues to develop information security and personal data protection standards (e.g. ISO 27552 Enhancement to ISO/IEC 27001 for privacy management – Requirements) in response to global trends (e.g. GDPR).
Slide 35
ISMS and PIMS (slide diagram)
ISMS:
• Management system/framework: ISO/IEC 27001 (Requirements for MS)
• Controls: ISO/IEC 27002 (Security controls)
• Risk management: ISO/IEC 27005 (security risk treatment)
PIMS:
• Management system/framework: ISO/IEC 27001 (Requirements for MS) and ISO/IEC 29100 (Privacy framework)
• Controls: ISO/IEC 27002 (Security controls), ISO/IEC 29151 (PII protection controls), ISO/IEC 27018
• Risk management: ISO/IEC 27005, ISO/IEC 29134
Source: ISO and TCIC compilation
Slide 36
Track record of PIMS certifications against ISO standards
Source: Internet
Slide 37
GDPR Principles mapped to ISO 29100 Privacy Principles
GDPR principle | ISO 29100 privacy principle
Article 5 Principles relating to processing of personal data:
1(a) lawfulness, fairness and transparency | 7. Openness, transparency and notice; 8. Individual participation and access; 11. Privacy compliance
1(b) purpose limitation | 3. Collection limitation
1(c) data minimisation | 4. Data minimization
1(d) accuracy | 6. Accuracy and quality
1(e) storage limitation | 4. Data minimization; 5. Use, retention and disclosure limitation
1(f) integrity and confidentiality | 10. Information security
2 accountability | 9. Accountability
Article 6 Lawfulness of processing | 2. Purpose legitimacy and specification
Article 7 Conditions for consent | 1. Consent and choice
Slide 38
ISO/IEC and CNS 29100 overview
• Prepared by ISO/IEC JTC1/SC27
• Title - Information technology — Security techniques — Privacy framework
• First edition published on 2011-12-15; the national standard CNS 29100 was published on 4 June 2014
• Purpose of this International Standard – Provides a high-level framework for the protection of personally identifiable information (PII) within information and communication technology (ICT) systems. It is general in nature and places organizational, technical, and procedural aspects in an overall privacy framework.
Slide 39
ISO/IEC 29100 - Clause 5
The privacy principles of ISO/IEC 29100
No. | Name
1 | Consent and choice
2 | Purpose legitimacy and specification
3 | Collection limitation
4 | Data minimization
5 | Use, retention and disclosure limitation
6 | Accuracy and quality
7 | Openness, transparency and notice
8 | Individual participation and access
9 | Accountability
10 | Information security
11 | Privacy compliance
Slide 40
GDPR Article 35 demonstration - 1
A DPIA is required whenever processing is likely to result in a high risk to the rights and freedoms of individuals. A DPIA is required at least in the following cases: a systematic and extensive evaluation of the personal aspects of an individual, including profiling; processing of sensitive data on a large scale; systematic monitoring of public areas on a large scale.
National Data Protection Authorities, in concertation with the European Data Protection Board, may provide lists of cases where a DPIA would be required. The DPIA should be conducted before the processing and should be considered as a living tool, not merely as a one-off exercise. Where there are residual risks that can't be mitigated by the measures put in place, the DPA must be consulted prior to the start of the processing.
Examples
DPIA required
A bank screening its customers against a credit reference database; a hospital about to implement a new health information database with patients' health data; a bus operator about to implement on-board cameras to monitor drivers' and passengers' behaviour.
DPIA not required
A community doctor processing personal data of his patients. In that case, there is no need for a DPIA since the processing by the community doctors isn't done on a large scale in cases where the number of patients is limited.
Source: https://ec.europa.eu/info/law/law-topic/data-protection_en
Slide 41
GDPR Article 35 demonstration - 2
ISO 29134 has been adopted by WP29/EC on a multiple-Member-State basis
WP248 by the Article 29 Data Protection Working Party
Source: EC
Slide 42
GDPR Article 35 demonstration - 3
Clause A.11.2, ISO/IEC 29151
Source: ISO 29151
Slide 43
ISO/IEC 29134:2017 overview
• Prepared by ISO/IEC JTC1/SC27
• Title - Information technology -- Security techniques -- Guidelines for privacy impact assessment
• Stage: 60.60
• Canada's PIA practice is one of the key reference documents: Treasury Board of Canada Secretariat Directive on Privacy Impact Assessments, http://www.tbssct.gc.ca/pol/inconspicuous?id=18308
• Corresponds to GDPR Article 35 Data protection impact assessment
ISO 29134 is the first international standard on privacy impact assessment applicable to organisations in general.
Source: ISO
Slide 44
What does data protection 'by design' and 'by default' mean? [Article 25, GDPR] - 1
Answer
Companies/organisations are encouraged to implement technical and organisational measures, at the earliest stages of the design of the processing operations, in such a way that safeguards privacy and data protection principles right from the start ('data protection by design'). By default, companies/organisations should ensure that personal data is processed with the highest privacy protection (for example only the data necessary should be processed, short storage period, limited accessibility) so that by default personal data isn't made accessible to an indefinite number of persons ('data protection by default').
Examples
Data protection by design
The use of pseudonymisation (replacing personally identifiable material with artificial identifiers) and encryption (encoding messages so only those authorised can read them).
Data protection by default
A social media platform should be encouraged to set users' profile settings in the most privacy-friendly setting by, for example, limiting from the start the accessibility of the users' profile so that it isn't accessible by default to an indefinite number of persons.
Source: https://ec.europa.eu/info/law/law-topic/data-protection_en
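Pseudonymisation is the first of the two 'by design' examples above. As an added example, not code from the slides, TCIC or the European Commission, the Python below shows the design choice a practitioner has to get right: an unkeyed hash of an e-mail address is not a pseudonym, because anyone who can enumerate candidate addresses recovers the original by guessing, whereas an HMAC under a secret key stored separately from the data set (the "additional information" of GDPR Art. 4(5)) can only be reversed by the key holder. The record fields, the candidate-address list, the key and the purpose string are constructed for this example; binding the purpose into the HMAC input gives the same person a different pseudonym per processing purpose, so data sets cannot be linked without the key. Encryption of the remaining fields, the second Article 25 example, is not covered here.

```python
"""Pseudonymisation as a data-protection-by-design measure (added example;
not code from the slides, TCIC or the European Commission).

Compares an unkeyed hash, which an attacker who can enumerate candidate
identifiers reverses by guessing, with an HMAC under a secret key that is
held separately from the pseudonymised data set. Records, candidate list,
key and purpose below are constructed for this example.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Optional

# Fields that directly identify a person and must not remain in the
# analytics data set (assumption for this example).
DIRECT_IDENTIFIERS = ("email", "national_id")


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256: deterministic, but reversible by enumerating
    candidate identifiers, so it is not adequate pseudonymisation."""
    return hashlib.sha256(identifier.strip().lower().encode("utf-8")).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes, purpose: str) -> str:
    """HMAC-SHA256 pseudonym. The purpose string is part of the message, so
    the same person gets a different pseudonym per processing purpose and
    data sets cannot be linked without the key."""
    msg = purpose.encode("utf-8") + b"\x00" + identifier.strip().lower().encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def pseudonymise_record(record: Dict[str, str], key: bytes, purpose: str) -> Dict[str, str]:
    """Replace all direct identifiers with one keyed pseudonym and drop the
    originals, keeping only the attributes the purpose needs."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["subject_pseudonym"] = keyed_pseudonym(record["email"], key, purpose)
    return out


def reverse_by_guessing(target: str, candidates: Iterable[str],
                        key: Optional[bytes] = None, purpose: str = "") -> Optional[str]:
    """Attacker model: compute the digest of every candidate identifier and
    compare it with the target. Without the key only the unkeyed construction
    can be tested; with the key the holder can re-identify, which is why the
    key must be kept apart from the data (GDPR Art. 4(5))."""
    for cand in candidates:
        digest = naive_pseudonym(cand) if key is None else keyed_pseudonym(cand, key, purpose)
        if hmac.compare_digest(digest, target):
            return cand
    return None


# Constructed sample records (fictional persons).
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"email": "alice@example.com", "national_id": "A123456789", "city": "Taipei", "plan": "gold"},
    {"email": "bob@example.com", "national_id": "B987654321", "city": "Toronto", "plan": "basic"},
]
# A candidate list an attacker could obtain (leaked mailing list, guesses).
CANDIDATE_EMAILS = ["carol@example.com", "alice@example.com", "bob@example.com"]
PURPOSE = "churn-analytics"  # hypothetical processing purpose


def demo(key: Optional[bytes] = None) -> Dict[str, object]:
    """Pseudonymise the sample records and try to reverse the first one
    three ways: unkeyed hash, keyed without the key, keyed with the key."""
    key = key or secrets.token_bytes(32)  # in production: held in a KMS/HSM, never with the data
    records = [pseudonymise_record(r, key, PURPOSE) for r in SAMPLE_RECORDS]
    naive_target = naive_pseudonym(SAMPLE_RECORDS[0]["email"])
    keyed_target = records[0]["subject_pseudonym"]
    return {
        "records": records,
        "naive_reversed": reverse_by_guessing(naive_target, CANDIDATE_EMAILS),
        "keyed_reversed_without_key": reverse_by_guessing(keyed_target, CANDIDATE_EMAILS),
        "keyed_reversed_with_key": reverse_by_guessing(keyed_target, CANDIDATE_EMAILS, key, PURPOSE),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the file prints the pseudonymised records and the three reversal attempts: the unkeyed hash is recovered from the candidate list, the HMAC is not recoverable without the key, and the key holder alone can re-identify. The practical consequence for an Article 25 design is that the key is a separate asset with its own access control and retention rules, and that rotating it or changing the purpose string yields a fresh, unlinkable set of pseudonyms.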
Slide 45
What does data protection 'by design' and 'by default' mean? [Article 25, GDPR] - 2
Clause 4.4, ISO/IEC 29151
The controls in this Specification are explained in more detail in clauses 5 to 18, along with implementation guidance. Implementation may be made simpler if requirements for the protection of PII have been considered in the design of the organization's information system, services and operations. Such consideration is an element of the concept that is often called privacy by design (PBD). More information about selecting controls and other risk treatment options can be found in ISO/IEC 29134. Other relevant references are listed in the bibliography.
Source: ISO 29151
Slide 46
ISO/IEC 29151 overview
• Prepared by ISO/IEC JTC1/SC27
• Title - Information technology -- Security techniques -- Code of practice for personally identifiable information protection
• Stage: 60.60
This Recommendation | International Standard establishes control objectives, controls and guidelines for implementing controls, to meet the requirements identified by a risk and impact assessment related to the protection of Personally Identifiable Information (PII).
In particular, this Recommendation | International Standard specifies guidelines based on ISO/IEC 27002, taking into consideration the requirements for processing PII which may be applicable within the context of an organization's information security risk environment(s).
This Recommendation | International Standard is applicable to all types and sizes of organizations acting as PII controllers (as defined in ISO/IEC 29100), including public and private companies, government entities, and not-for-profit organizations, which process PII.
ISO 29151 is the first international standard of PII-protection controls applicable to all types of organisations.
Source: ISO
Slide 47
ISO/IEC 29151:2017 table of contents
Foreword
0. Introduction
1. Scope
2. Normative references
3. Definitions and abbreviated terms
4. Overview
5. Information security policies
6. Organization of information security
7. Human resource security
8. Asset management
9. Access control
10. Cryptography
11. Physical and environmental security
12. Operations security
Slide 48
ISO/IEC 29151:2017 table of contents (continued)
13. Communications security
14. System acquisition, development and maintenance
15. Supplier relationships
16. Information security incident management
17. Information security aspects of business continuity management
18. Compliance
Annex A (normative) Extended control set for PII protection (This annex forms an integral part of this Recommendation | International Standard.)
Slide 49
ISO 27002:2013 clauses and the extended guidance added in ISO 29151:2017
Clause | Name | Extended guidance items in ISO 29151:2017
5 | Information security policies | 1
6 | Organization of information security | 5
7 | Human resource security | 2
8 | Asset management | 8
9 | Access control | 5
10 | Cryptography | 0
11 | Physical and environmental security | 1
12 | Operations security | 5
13 | Communications security | 2
14 | System acquisition, development and maintenance | 3
15 | Supplier relationships | 1
16 | Information security incident management | 2
17 | Information security aspects of business continuity management | 0
18 | Compliance | 2
Total | | 37
Slide 50
ISO 29151:2017 controls added according to the ISO 29100 privacy principles
Clause | Name | New control objectives and controls
A.1 | General | 0
A.2 | General policies for the use and protection of PII | 1
A.3 | Consent and choice | 2
A.4 | Purpose legitimacy and specification | 2
A.5 | Collection limitation | 1
A.6 | Data minimization | 1
A.7 | Use, retention and disclosure limitation | 5
A.8 | Accuracy and quality | 1
A.9 | Openness, transparency and notice | 2
A.10 | Individual participation and access | 3
A.11 | Accountability | 6
A.12 | Information security | 1
A.13 | Privacy compliance | 2
Total | | 27
Slide 51
ISMS vs PIMS
• ISMS: Information Security Management System
  Certification standard: ISO/CNS 27001
• PIMS: Privacy Information Management System
  Certification standards: ISO 29151 and ISO/CNS 27018 (applicable when providing cloud services to external parties, as PII processor), including ISO 29134 and based on ISO/CNS 27001 and ISO/CNS 29100
Slide 52
Case Study – applying information security and personal data management standards (slide diagram)
Public services: ISO 27001, ISO 29100, ISO 27018
Personal data security management: ISMS/ISO 27001 plus ISO 29100/29134
Organisation-wide personal data security management (PIMS): ISO 27001/29100/29151/27018
Slide 53
ISO standard directly corresponding to the GDPR (under development) - ISO/IEC 27552
ISO/IEC CD 27552 Information technology -- Security techniques -- Enhancement to ISO/IEC 27001 for privacy management -- Requirements
• ISO/IEC 27552 is a Privacy Information Management System (PIMS)
Introduced by French DPA (CNIL) = WP29 = EDPB (GDPR)
• Based on something organizations already know how to do
• PIMS is a new management system extending 27001 with privacy requirements (new) as well as controls (ISO 27018 +)
• Certification standard, like ISO 27001, with the same ecosystem of auditors, accreditation bodies and certificates
Source: Presentation by Laura Lindsay on ISO/IEC JTC 1/SC 27 Work in Support of Legislation
Slide 54
Content of ISO 27552
• PIMS-specific requirements and other information regarding the information security controls in ISO/IEC 27001 and PIMS-specific controls, appropriate to an organization acting as either a PII controller or a PII processor, are given in clause 5.
• PIMS-specific guidance and other information regarding the information security controls in ISO/IEC 27002 and PIMS-specific controls, appropriate to an organization acting as either a PII controller or a PII processor, are given in clause 6.
• Additional guidance for PII controllers is given in clause 7, and additional guidance for PII processors is given in clause 8.
• Annex A (normative) Reference control objectives and controls (PII Controllers)
• Annex B (normative) Reference control objectives and controls (PII Processors)
• Annex C (informative) Mapping to the General Data Protection Regulations
• Annex D (informative) Mapping to ISO/IEC 29100
• Annex E (informative) Mapping to ISO/IEC 27018 and ISO/IEC 29151
The proposed title is: Security techniques – Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management – Requirements and guidelines
Source: ISO CD 27552
Slide 55
Direct correspondence between ISO 27552 and the GDPR
Source: ISO/IEC CD 27552
Slide 56
Progress on ISO 27552 in EU countries – Germany
Source: ISO, DIN
Slide 57
Progress on ISO 27552 in EU countries – United Kingdom
Source: BCS, The Chartered Institute for IT, BSI
Slide 58
ISMS & PIMS demonstration (slide diagram)
Management system/framework: ISO 27001 (Requirements for MS) and ISO 29100 (Privacy framework)
Controls: ISO 27002 (Security controls), ISO 29151 (PII Controller controls), ISO 27018 (PII Processor controls)
Risk management: ISO 27005/31000, ISO 29134
An ISMS+PIMS demonstration built on these standards supports: CBPR/PRP compliance; GDPR compliance via ISO 27552 (under development) or GDPR certification criteria; Art. 47 BCR; Art. 45(2)(c); Referential WP212; and Taiwan's information security and personal data protection regulations.
Slide 59
ISO international standards (ISO 27001, ISO 31000, ISO 29134, ISO 29151, ISO 27018) and the corresponding CNS standards are the best strategy for demonstrating GDPR compliance!
The Taiwan branch of the Canadian certification body TCIC (環奧國際驗證公司), in cooperation with CSA (Canadian Standards Association), submitted in March 2018 a proposal for the development of CNS 29134 and CNS 29151 to the Bureau of Standards, Metrology and Inspection, Ministry of Economic Affairs; the proposal has passed review by the standards committee.
Implementing and promoting national personal data standards (CNS) is an effective way to demonstrate third-country adequacy. If a national standard exists but government agencies and enterprises instead use other countries' standards or standalone/industry standards and cannot show consistency with the national standard, that will be a major negative factor.
Slide 60
For further information or enquiries, please contact:
TCIC環奧國際驗證公司
Email: [email protected] , TEL: 02-27260262, FAX: 02-27260663
Any questions?
Thank you.... 謝謝.... Merci