With the need to comply with the LGPD, the demand for information and guidance on information security is growing, and many companies are discovering ISO 27701 and ISO 27001. ISO 27001 (Information Security Management System) is a standard for implementing a management system focused on information security, while ISO 27701 (Privacy Information Management System) is an extension of ISO 27001 that adds controls to the management system specifically to protect the privacy of personal data.
The recommendation is that both be implemented in parallel; implementing only ISO 27701 without ISO 27001 is not possible, since the core controls that form a secure management system are in ISO 27001. Let us therefore discuss the implementation of these information security controls.
ISO 27001 lists 114 controls, but not all of them are mandatory: the company selects the controls it identifies as applicable and then implements them. The main criterion for this selection is risk assessment, defined in clauses 6 and 8 of the main body of ISO 27001.
As examples, we can cite some of the controls in Annex A, which presents the controls and their objectives:
· Information security policies, regarding how policies are written and reviewed;
· Human resources security, related to the hiring of employees;
· Organization of information security, referring to how responsibilities are assigned, in addition to controls for mobile devices and remote work;
· Access control policies, related to the management of access and user responsibilities, in addition to access controls for systems;
· Asset management, referring to asset inventory controls;
· Physical and environmental security, related to entry controls, equipment security and safety, secure disposal, and others;
· Supplier relationships, related to the monitoring of suppliers, for example;
· Operational security, covering controls for IT management, backups, facility monitoring, capacity management, and protection against malicious software, among others;
· Communications security, related to network services, information transfer, and network security;
· Information security incident management, related to the reporting of weaknesses and events that occurred, as well as response and evidence collection procedures;
· Compliance, regarding compliance with laws and regulations, the protection of personal data, and intellectual property.
These are just a few examples of the controls that must be implemented to manage information security risks and protect the confidentiality, integrity, and availability of data. The list is extensive, and alignment with current laws is essential. The experts' recommendation is that the company draw up a plan before starting any implementation process and engage qualified professionals who can assist with this task.
Taticca Allinial Global Brazil has a qualified and experienced multidisciplinary team that offers expert support so that you obtain satisfactory results and certify your company in a timely manner.