The EU General Data Protection Regulation (GDPR) is designed to harmonize data protection law across the EU. It governs the personal data of individuals in the EU, the measures organizations take to protect that data, and transfers of that data to countries outside the EU. If you process personal data of individuals in the EU in the context of offering them goods or services, you will need to comply with the GDPR, irrespective of whether or not the UK retains the GDPR post-Brexit. The regulation is a binding legislative act that applies directly in every member state. It was adopted in April 2016 and, following a two-year transition period, becomes fully enforceable on 25 May 2018.
ADHERE, Inc. can help ensure that your organization has the controls in place to comply with the GDPR. Here’s how:
Phase 1: Plan
In the Planning phase, ADHERE, Inc. works with your Senior Management to identify your business objectives, taking into account several factors such as the organization’s size, business sector (industry specific considerations), existing Information Security maturity level, existing compliance/regulatory standards, and management commitment to the initiative.
ADHERE, Inc. will …
- Identify the budget, timeline, key stakeholders, risk factors, and inventory of company assets;
- Discover whether your company and the services it offers are operating in compliance with the GDPR's requirements;
- Discover whether all of the security-of-processing requirements (Article 32) are met, including administrative, physical and technical safeguards;
- Discover whether your company or service adheres to the following obligations:
  - Appointment of a Data Protection Officer (Article 37), where one is required,
  - Ability to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it (Article 33),
  - Right of Access (Article 15) and Right to Data Portability (Article 20),
  - Right to Erasure, the "right to be forgotten" (Article 17), and
  - Assessment against the data protection principles (Article 5);
- Perform a gap analysis; and
- Provide Project Management.
Phase 2: Document and Advise
In the Documentation and Recommendation phase, we take a look at your Policies and Procedures, what type of Risk Assessment is in place, and the extent of your InfoSec staff resources and training.
Policies and Procedures
Once engaged, ADHERE, Inc. will review your organization’s security-related Policies and Procedures against the controls the GDPR requires you to document and demonstrate. If you have no such documents, ADHERE, Inc. will work with your organization’s respective stakeholders and legal counsel to create and deliver them. If you already have security-related Policies and Procedures in place, ADHERE, Inc. will review your existing documents and provide both a gap analysis and recommendations to bring you into compliance with the regulation, remediating documents where required.
Throughout this process, ADHERE, Inc. will work with your team members to ensure the documentation and implementation processes of your Policies and Procedures are fully understood.
Technical Security Requirements (TSRs)
While Policies and Procedures deal with the documentation side of the InfoSec process, Technical Security Requirements deal with IT infrastructure and execution.
ADHERE, Inc.’s technical Subject Matter Experts (SMEs) can create Technical Security Requirement documents for your IT environment; these are the security hardening guides for your software, operating systems and network architecture. These documents will be mapped and customized to your level of regulatory compliance.
Phase 3: Support
In the Support phase, ADHERE, Inc. can perform a pre-audit attestation of your organization’s level of security compliance. The attestation gives Senior Management insight into whether the organization is ready for the formal audit before committing to the fiscal expenditure that comes with engaging a Big-4 audit firm.
During the attestation period, ADHERE, Inc. reviews and scores your ISMS with the perspective of an auditor. It is important to distinguish that the attestation is NOT an audit; it is a pre-audit review and scoring that illustrates your organization’s IT security maturity level. After the attestation, your organization has the opportunity to either proceed with the audit, or perform additional remediation in preparation for the audit. (See the section on our Attestation Service for more information.)
CISO Team Services
ADHERE, Inc. offers CISO Team Services On-Demand to provide your organization with operational oversight, periodic reassessments, remediation, and preventative action.
ADHERE, Inc. offers continuous improvement and remediation to secure your organization throughout the process. Our #1 goal is for your organization to implement and maintain a mature ISMS that is adherent to industry standards and certifications.