Briefing Note: GDPR-ISO-27001-PCI
The table below maps the GDPR security requirements against ISO-27001. The information security aspect of GDPR Art.32 is fully satisfied where certification is obtained (GDPR Art.42). As the table shows, achieving ISO-27001 certification leads to a comprehensive level of information security protection that covers all the areas required by GDPR Art.32.
The table also maps ISO-27001 against the Payment Card Industry Data Security Standard (PCI DSS). The quality of the reverse mapping, from PCI back to ISO27k, is scored in the range 1-5 (with 5 being best) for your convenience. ISO-27001 tends to exceed the PCI requirements; as a result, the mapping is sometimes poor when reversed.
For help in achieving best practice privacy and information security in your business, or to gain access to our whitepapers, click here.
| GDPR Article(s) | GDPR Specifics | ISO-27001 Control # | ISO-27001 Control | PCI DSS Req. # | PCI Coverage (1-5) | Coverage of ISO-27001 control |
|---|---|---|---|---|---|---|
| Articles 32 & 42 | 32(1)(a), 32(2) | A.10.1.1 | Policy on the use of cryptographic controls | 1.5 | 3 | Moderately |
| Articles 32 & 42 | 32(1) | A.10.1.2 | Key management | 3.5, 3.6 | 5 | Fully |
| Articles 32 & 42 | 32(4) | A.11.1.1 | Physical security perimeter | 9.1 | 4 | Mostly |
| Articles 32 & 42 | 32(4) | A.11.1.2 | Physical entry controls | 9.1 | 5 | Fully |
| Articles 32 & 42 | 32(4) | A.11.1.3 | Securing offices, rooms and facilities | | 0 | Not Addressed |
| Articles 32 & 42 | | A.11.1.4 | Protecting against external and environmental threats | | 0 | Not Addressed |
| Articles 32 & 42 | 32(4) | A.11.1.5 | Working in secure areas | | 0 | Not Addressed |
| Articles 32 & 42 | 32(4) | A.11.1.6 | Delivery and loading areas | | 0 | Not Addressed |
| Articles 32 & 42 | 32(4) | A.11.2.1 | Equipment siting and protection | | 0 | Not Addressed |
| Articles 32 & 42 | | A.11.2.2 | Supporting utilities | | 0 | Not Addressed |
| Articles 32 & 42 | | A.11.2.3 | Cabling security | 9.1.2 | 1 | Minimally |
| Articles 32 & 42 | 32(4) | A.11.2.4 | Equipment maintenance | | 0 | Not Addressed |
| Articles 32 & 42 | 32(4) | A.11.2.5 | Removal of assets | 9.4, 9.6 | 5 | Fully |
| Articles 32 & 42 | | A.11.2.6 | Security of equipment and assets off-premises | 9.5, 9.6 | 5 | Fully |
| Articles 32 & 42 | 32(4) | A.11.2.7 | Secure disposal or reuse of equipment | 9.8 | 1 | Minimally |
| Articles 32 & 42 | 32(4) | A.11.2.8 | Unattended user equipment | | 0 | Not Addressed |
| Articles 32 & 42 | 32(4) | A.11.2.9 | Clear desk and clear screen policy | Various | 0 | Not Addressed |
| Articles 32 & 42 | 32(4) | A.12.1.1 | Documented operating procedures | | 4 | Mostly |
| Articles 32 & 42 | 32(1)(b) | A.12.1.2 | Change management | 6.4 | 2 | Partially |
| Articles 32 & 42 | | A.12.1.3 | Capacity management | | 0 | Not Addressed |
| Articles 32 & 42 | | A.12.1.4 | Separation of development, testing and operational environments | 6.4 | 5 | Fully |
| Articles 32 & 42 | 32(4) | A.12.2.1 | Controls against malware | 5.1 | 4 | Mostly |
| Articles 32 & 42 | 32(1)(c), 32(2) | A.12.3.1 | Information backup | 9.5 | 1 | Minimally |
| Articles 32 & 42 | | A.12.4.1 | Event logging | 10.2 | 5 | Fully |
| Articles 32 & 42 | 32(4) | A.12.4.2 | Protection of log information | 10.5 | 5 | Fully |
| Articles 32 & 42 | 32(4) | A.12.4.3 | Administrator and operator logs | 10.2, 10.6, 10.7 | 5 | Fully |
| Articles 32 & 42 | | A.12.4.4 | Clock synchronisation | 10.4 | 5 | Fully |
| Articles 32 & 42 | 32(4) | A.12.5.1 | Installation of software on operational systems | | 0 | Not Addressed |
| Articles 32 & 42 | | A.12.6.1 | Management of technical vulnerabilities | 6.1 | 5 | Fully |
| Articles 32 & 42 | 32(4) | A.12.6.2 | Restrictions on software installation | | 0 | Not Addressed |
| Articles 32 & 42 | 32(2) | A.12.7.1 | Information systems audit controls | | 0 | Not Addressed |
| Articles 32 & 42 | | A.13.1.1 | Network controls | 1 | 4 | Mostly |
| Articles 32 & 42 | | A.13.1.2 | Security of network services | 1.1 | 3 | Moderately |
| Articles 32 & 42 | | A.13.1.3 | Segregation in networks | 1.2, 1.3 | 2 | Partially |
| Articles 32 & 42 | | A.13.2.1 | Information transfer policies and procedures | 12.8 | 1 | Minimally |
| Articles 32 & 42 | 32(4) | A.13.2.2 | Agreements on information transfer | 12.8 | 1 | Minimally |
| Articles 32 & 42 | | A.13.2.3 | Electronic messaging | 4.2 | 3 | Moderately |
| Articles 32 & 42 | 32(4) | A.13.2.4 | Confidentiality or nondisclosure agreements | 12.8 | 1 | Minimally |
| Articles 32 & 42 | 32(2) | A.14.1.1 | Information security requirements analysis and specification | 2.2 | 2 | Partially |
| Articles 32 & 42 | | A.14.1.2 | Securing application services on public networks | 4.1 | 3 | Moderately |
| Articles 32 & 42 | | A.14.1.3 | Protecting application services transactions | 4.1 | 1 | Minimally |
| Articles 32 & 42 | 32(4) | A.14.2.1 | Secure development policy | 2.2, 6.3 | 5 | Fully |
| Articles 32 & 42 | 32(1)(b) | A.14.2.2 | System change control procedures | 6.4 | 5 | Fully |
| Articles 32 & 42 | 32(1)(b) | A.14.2.3 | Technical review of applications after operating platform changes | 6.4 | 5 | Fully |
| Articles 32 & 42 | 32(1)(b) | A.14.2.4 | Restrictions on changes to software packages | 6.4 | 1 | Minimally |
| Articles 32 & 42 | 32(4) | A.14.2.5 | Secure system engineering principles | 2.2, 6.3 | 5 | Fully |
| Articles 32 & 42 | | A.14.2.6 | Secure development environment | | 0 | Not Addressed |
| Articles 32 & 42 | | A.14.2.7 | Outsourced development | 2.2, 6.3, 12.8 | 2 | Partially |
| Articles 32 & 42 | 32(4) | A.14.2.8 | System security testing | 11 | 3 | Moderately |
| Articles 32 & 42 | 32(4) | A.14.2.9 | System acceptance testing | | 0 | Not Addressed |
| Articles 32 & 42 | 32(4) | A.14.3.1 | Protection of test data | | 1 | Minimally |
| Articles 32 & 42 | 32(4) | A.15.1.1 | Information security policy for supplier relationships | 12.8.3 | 2 | Partially |
| Articles 32 & 42 | 32(4) | A.15.1.2 | Addressing security within supplier agreements | 12.8, 12.9 | 2 | Partially |
| Articles 32 & 42 | 32(4) | A.15.1.3 | Information and communication technology supply chain | 12.8, 12.9 | 2 | Partially |
| Articles 32 & 42 | 32(4) | A.15.2.1 | Monitoring and review of supplier services | | 0 | Not Addressed |
| Articles 32 & 42 | 32(1)(b) | A.15.2.2 | Managing changes to supplier services | | 0 | Not Addressed |
| Articles 32 & 42 | 32(4) | A.16.1.1 | Responsibilities and procedures | 12.7, 12.10 | 5 | Fully |
| Articles 32 & 42 | | A.16.1.2 | Reporting information security events | 12.10 | 2 | Partially |
| Articles 32 & 42 | | A.16.1.3 | Reporting information security weaknesses | 12.10 | 1 | Minimally |
| Articles 32 & 42 | | A.16.1.4 | Assessment of and decision on information security events | 12.10 | 1 | Minimally |
| Articles 32 & 42 | 32(4) | A.16.1.5 | Response to information security incidents | 12.10 | 1 | Minimally |
| Articles 32 & 42 | 32(4) | A.16.1.6 | Learning from information security incidents | 12.10 | 5 | Fully |
| Articles 32 & 42 | 32(4) | A.16.1.7 | Collection of evidence | 12.10 | 1 | Minimally |
| Articles 32 & 42 | | A.17.1.1 | Planning information security continuity | 12.10 | 1 | Minimally |
| Articles 32 & 42 | | A.17.1.2 | Implementing information security continuity | 12.10 | 1 | Minimally |
| Articles 32 & 42 | | A.17.1.3 | Verify, review and evaluate information security continuity | 12.10 | 1 | Minimally |
| Articles 32 & 42 | | A.17.2.1 | Availability of information processing facilities | | 0 | Not Addressed |
| Articles 32 & 42 | | A.18.1.1 | Identification of applicable legislation and contractual requirements | 12.10 | 5 | Fully |
| Articles 32 & 42 | | A.18.1.2 | Intellectual property rights | | 0 | Not Addressed |
| Articles 32 & 42 | 32(4) | A.18.1.3 | Protection of records | | 3 | Moderately |
| Articles 32 & 42 | 32(4) | A.18.1.4 | Privacy and protection of personally identifiable information | | 0 | Not Addressed |
| Articles 32 & 42 | 32(1)(a), 32(2) | A.18.1.5 | Regulation of cryptographic controls | 4, 12.8 | 1 | Minimally |
| Articles 32 & 42 | 32(4) | A.18.2.1 | Independent review of information security | All | 4 | Mostly |
| Articles 32 & 42 | 32(4) | A.18.2.2 | Compliance with security policies and standards | All | 2 | Partially |
| Articles 32 & 42 | | A.18.2.3 | Technical compliance review | All | 2 | Partially |
| Articles 32 & 42 | 32(4) | A.5.1.1 | Policies for information security | 1.5, 12.1 | 5 | Fully |
| Articles 32 & 42 | | A.5.1.2 | Review of the policies for information security | 1.5, 12.1 | 5 | Fully |
| Articles 32 & 42 | 32(4) | A.6.1.1 | Information security roles and responsibilities | 12.5 | 5 | Fully |
| Articles 32 & 42 | 32(4) | A.6.1.2 | Segregation of duties | 3.3, 7.1, 7.2, 7.3 | 3 | Moderately |
| Articles 32 & 42 | | A.6.1.3 | Contact with authorities | 12.10.1 | 3 | Moderately |
| Articles 32 & 42 | | A.6.1.4 | Contact with special interest groups | 6.1, 6.3 | 1 | Minimally |
| Articles 32 & 42 | | A.6.1.5 | Information security in project management | 6.3 | 1 | Minimally |
| Articles 32 & 42 | | A.6.2.1 | Mobile device policy | 1.4, 4, 11.1, 12.3 | 2 | Partially |
| Articles 32 & 42 | 32(4) | A.6.2.2 | Teleworking | 1.4, 4, 11.1, 12.3 | 2 | Minimally |
| Articles 32 & 42 | 32(4) | A.7.1.1 | Screening | 12.7 | 5 | Fully |
| Articles 32 & 42 | 32(4) | A.7.1.2 | Terms and conditions of employment | | 0 | Not Addressed |
| Articles 32 & 42 | 32(4) | A.7.2.1 | Management responsibilities | 12.1 | 2 | Partially |
| Articles 32 & 42 | 32(4) | A.7.2.2 | Information security awareness, education and training | 12.6 | 2 | Partially |
| Articles 32 & 42 | 32(4) | A.7.2.3 | Disciplinary process | | 0 | Not Addressed |
| Articles 32 & 42 | 32(4) | A.7.3.1 | Termination or change of employment responsibilities | | 0 | Not Addressed |
| Articles 32 & 42 | 32(4) | A.8.1.1 | Inventory of assets | 2.4 | 2 | Partially |
| Articles 32 & 42 | 32(4) | A.8.1.2 | Ownership of assets | | 0 | Not Addressed |
| Articles 32 & 42 | 32(4) | A.8.1.3 | Acceptable use of assets | 12.3 | 3 | Moderately |
| Articles 32 & 42 | 32(4) | A.8.1.4 | Return of assets | | 0 | Not Addressed |
| Articles 32 & 42 | 32(4) | A.8.2.1 | Classification of information | | 0 | Not Addressed |
| Articles 32 & 42 | 32(4) | A.8.2.2 | Labelling of information | 9.6 | 1 | Minimally |
| Articles 32 & 42 | 32(4) | A.8.2.3 | Handling of assets | 9.5, 9.6, 9.7, 9.8 | 1 | Minimally |
| Articles 32 & 42 | 32(4) | A.8.3.1 | Management of removable media | 9.6 | 3 | Moderately |
| Articles 32 & 42 | 32(4) | A.8.3.2 | Disposal of media | 9.8 | 5 | Fully |
| Articles 32 & 42 | 32(4) | A.8.3.3 | Physical media transfer | 9.6, 9.7 | 5 | Fully |
| Articles 32 & 42 | 32(4) | A.9.1.1 | Access control policy | 7.1 | 5 | Fully |
| Articles 32 & 42 | 32(4) | A.9.1.2 | Access to networks and network services | 7.1, 7.2 | 5 | Fully |
| Articles 32 & 42 | 32(4) | A.9.2.1 | User registration and de-registration | 7.2, 8 | 4 | Mostly |
| Articles 32 & 42 | 32(4) | A.9.2.2 | User access provisioning | 7.2, 8 | 4 | Mostly |
| Articles 32 & 42 | 32(4) | A.9.2.3 | Management of privileged access rights | 7.2, 8 | 4 | Mostly |
| Articles 32 & 42 | 32(4) | A.9.2.4 | Management of secret authentication information of users | | 0 | Not Addressed |
| Articles 32 & 42 | 32(4) | A.9.2.5 | Review of user access rights | | 0 | Not Addressed |
| Articles 32 & 42 | 32(4) | A.9.2.6 | Removal or adjustment of access rights | 7.2 | 1 | Minimally |
| Articles 32 & 42 | 32(4) | A.9.3.1 | Use of secret authentication information | 8.4 | 5 | Fully |
| Articles 32 & 42 | 32(4) | A.9.4.1 | Information access restriction | 7.1 | 5 | Fully |
| Articles 32 & 42 | 32(4) | A.9.4.2 | Secure log-on procedures | 7.1, 8.2 | 5 | Fully |
| Articles 32 & 42 | 32(4) | A.9.4.3 | Password management system | 8.2 | 4 | Mostly |
| Articles 32 & 42 | 32(4) | A.9.4.4 | Use of privileged utility programs | | 0 | Not Addressed |
| Articles 32 & 42 | 32(4) | A.9.4.5 | Access control to program source code | 6, 7.1 | 5 | Fully |
Copyright The AI, Privacy and Security Agency 2023 all rights reserved.