GIS CONSULTING

If you want to perform a quick maturity test (not a full gap analysis) for your organisation, click the button below. It will take you through a number of questions and, based on your answers, show how you are doing on the different topics (GDPR/ISO).

Questionnaire

GDPR

Do you tell your customers and employees that you take privacy (data protection) seriously?

Have you taken actions to demonstrate this? Are you ready for a super quick health-check to help you answer the question above, honestly?

Do you send files containing personal data outside your company, for example as Excel attachments by email? If so, are they encrypted?

For further details, scroll down and click on the topic!

ISO 27001

Do you have the right set of controls designed in your IT operations?

Are the controls implemented as designed, and do they effectively address the risks your organisation faces day to day?

Do you tell your customers and employees that you have good information security in place?

For further details, scroll down and click on the topic!

Security Awareness

Are you confident that your employees, contractors and external service providers have a good understanding of your Information Security requirements?

Do you sleep well, or do you worry about when something unexpected will hit your organisation because security awareness is below the expected level: a virus infection, ransomware, data leakage or a data breach that costs you dearly?

For further details, scroll down and click on the topic!

GDPR - read more

Who else knows the password you use to log in to your company device and/or applications, just in case you are away for any reason?

Do you know what to do if your organisation gets hacked?

Does everyone in your company know what to do if someone from another organisation asks for data to be shared?

Are you sure your website is in good enough shape to pass a remote inspection by the data protection authority?

When did you last review your privacy and cookie notices?

Do you know what data your organisation uses, where it is stored and who has access to it? Are you sure your practices would be seen as appropriate?

Do you know that ALL of the following are personal data under GDPR: name, phone number, IP address, browsing history, MAC address, credit score, badge number, call recording, CCTV images, mother tongue, employee evaluation records, salary, number plate, fingerprint, meal preference and seat number on a flight? Some of these, such as a fingerprint used to identify a person, are special categories of personal data under Article 9 and are subject to stricter rules.

What data protection considerations have you taken into account when you decided to send customized marketing communication to your customers based on their previous purchases?

These questions sound easy but are complex, and an organisation in scope of GDPR must be able to answer them quickly.

Many organisations have decided to self-manage data protection matters (regulated by the EU GDPR: General Data Protection Regulation) and may have appointed someone in the Legal or Security department to deal with the related topics. But is this person knowledgeable about data protection rules AND security controls? Do they have sufficient knowledge from both a legal and a technical perspective?

If you are 100% confident that your organisation is doing fine and you comply with the regulation, we are very happy for you, because you are one of the very few.

If, however, you lack answers because one or more areas of the regulation still seem somewhat muddy, we provide easy-to-use modules written for human understanding and interpretation.

Why would you consider using our modules when there is so much material already available in this subject?
GDPR is a complex subject in which the obligations are interlinked: many of its articles refer to each other, and in a number of instances the links go beyond data protection and touch on information security and other areas of law. Our modules build on each other, but also offer you the flexibility to dive into a particular topic if you believe you have sufficient knowledge of the others. We explain common problems through examples and give you best practice tips.

In the data protection domain we currently offer the following chapters (in the recommended order):
– Lawful processing
– Records of Processing Activities (RoPA)
– Privacy Notice
– Data Subjects Rights Request (DSRR)
– Breach Management
– All about cookies
– Data protection by design
– Data-in-move
– Biometrics Data

ISO 2700X - read more

ISO/IEC 27001 is the international standard that specifies the requirements for an Information Security Management System (ISMS): the policies, processes and controls an organisation uses to manage its information security risks.

You might wonder what the difference is between 27001 and 27002. ISO/IEC 27002 is the companion guidance document: it elaborates on each of the controls listed in Annex A of 27001 (Control Objectives and Controls) and explains how to implement them. Certification is against 27001; 27002 itself is not certifiable.

Because 27001 is a requirements standard, an organisation can be certified against it by an accredited certification body. The certificate demonstrates to customers, shareholders and regulators that your organisation manages information security in a structured way. The standard builds on continual improvement, the so-called Plan-Do-Check-Act (PDCA) cycle.

An ISMS, if designed and implemented correctly, is risk based: your organisation must assess information security risks across its operations, select controls that treat those risks and record the selection in a Statement of Applicability. The controls should be proportionate to your organisational needs from a security perspective.

Annex A of the 2013 edition groups its controls into the following 14 domains (the 2022 revision regroups the same material into four themes: organisational, people, physical and technological controls):

  1. Information Security Policies
  2. Organisation of Information Security
  3. Human Resource Security
  4. Asset Management
  5. Access Control (Logical Access)
  6. Cryptography
  7. Physical and Environmental Security
  8. Operations Security
  9. Communications Security
  10. System Acquisition, Development, and Maintenance
  11. Supplier Relationships
  12. Information Security Incident Management
  13. Information Security Aspects of Business Continuity Management
  14. Compliance

Security Awareness - read more

Security Awareness is the cornerstone of information security. If people do not know what is allowed and what is not, or what to watch out for, they will not know how to prevent security incidents, which in the worst case can lead to serious downtime (meaning revenue loss) and even data breaches. Data breaches are covered in more detail under the GDPR section.