We are presenting this series of articles to spread awareness and understanding of ISO 27001, ISO 27701 and PDPCSI.
ISO 27001 is a certifiable standard, while ISO 27701 is an extension that can be certified only together with ISO 27001. ISO 27001 defines an ISMS (Information Security Management System), whereas ISO 27701 defines a PIMS (Privacy Information Management System).
On the other hand, PDPCSI (Personal Data Protection Compliance Standard of India) is a framework for the protection of personal data by organizations in India in compliance with legal requirements such as the Information Technology Act 2000 (as amended in 2008) and the upcoming DPDPB 2023. PDPCSI defines a PDPCMS, the Personal Data Protection Compliance Management System.
Since PDPCMS/PDPCSI is focused only on personal data, it compares directly with ISO 27701 rather than ISO 27001. However, since ISO 27701 cannot be implemented without ISO 27001, which is its foundation standard, an understanding of ISO 27001 helps us understand PDPCSI better. ISO 27001 is also relevant to the preservation of the confidentiality, integrity and availability (CIA) of personal data within PDPCSI, where Model Implementation Specifications (MIS) 31-50 address different aspects of security under the CIA concept. Hence some comparison between PDPCSI and ISO 27001 is also relevant.
Readers may kindly appreciate the context in which this series of articles has been presented and read all the articles in the series, in addition to the information available on PDPCSI.
In this article let us continue our discussion on ISO 27001 and discuss the recommended Governance Structure to meet the objectives of ISO 27001:2022.
Clause 5.1 of ISO 27001 (Leadership and commitment) requires top management to demonstrate leadership and commitment with respect to the ISMS by:
a) ensuring the information security policy and the information security objectives are established and are compatible with the strategic direction of the organization;
b) ensuring the integration of the information security management system requirements into the organization’s processes;
c) ensuring that the resources needed for the information security management system are available;
d) communicating the importance of effective information security management and of conforming to the information security management system requirements;
e) ensuring that the information security management system achieves its intended outcome(s);
f) directing and supporting persons to contribute to the effectiveness of the information security management system;
g) promoting continual improvement; and
h) supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility.
Under Clause 5.3, the standard prescribes that
Top management shall assign the responsibility and authority for:
a) ensuring that the information security management system conforms to the requirements of this document;
b) reporting on the performance of the information security management system to top management.
We can interpret the above requirements as implying the need for a designated Information Security Manager (ISM) or Chief Information Security Officer (CISO), so that there is a single point of accountability for implementation and for reporting to top management. Note that the standard itself does not mandate any particular title; it only requires that the responsibility and authority be assigned and communicated.
Even ISO 27701 does not clearly specify the need for a DPO, a role which many laws make mandatory for certain categories of organizations.
PDPCSI, which requires compliance with the law directly, must therefore define the role of the implementing organization and the mandatory need for a designated Data Protection Officer. It suggests three levels of governance, namely a Governance Committee, the DPO and Process Level Data Controllers, in addition to a "Privacy Officer" in a large organization.
Most experienced auditors recommend that under ISO 27001 there should be a "CISO" or "ISM" responsible for implementation and monitoring, and for coordinating the internal audit. One caveat a practitioner should keep in mind: Clause 9.2 requires that internal audits be conducted with objectivity and impartiality, so the CISO should not audit controls that the CISO personally implemented; those parts of the audit should be assigned to a person independent of the implementation. It is common for organizations to use external consultants when ISO 27001 is implemented for the first time and then obtain certification from an independent certification body. Maintenance is done by the CISO; the certificate is normally valid for 3 years, with surveillance audits in between and a recertification audit at the end of the cycle.
Naavi suggests that the governance system consist of:
- A Governance Committee (Steering Committee) to provide overall guidance
- CISO to be the designated person responsible for coordinating the entire activity
- Support team which can be called the IS organization.
Though most ISO auditors do not ask for them, Naavi suggests that it is necessary to identify the following support roles:
a) Data Custodians for each data store
b) Controllers who monitor incoming data and data disclosures
c) Controllers who monitor the different data transformation processes within the organization.
If an organization has multiple locations and business divisions, it is better to identify Information Security Champions at each division and location to assist the CISO, who acts as the central coordinator.
The Steering Committee will have representation from all stakeholders within the organization and will ensure their continuing cooperation in the implementation.
The organization should not project the ISMS as the responsibility of the IT department alone, since it is an organizational responsibility rather than an IT responsibility. A "security culture" should pervade the entire organization.
Some of these suggestions cannot be stated directly in a framework document and have to be suggested by experienced consultants.
We shall next discuss the Annex A controls individually. Each control gives a high-level indication of what is expected, and from it we shall draw inferences not only on the suggested governance structure but on other aspects as well.