From ISO/IEC27001:2013 and ISO/IEC27002:2013 to GDPR compliance controls

Vasiliki Diamantopoulou (Department of Information and Communication Systems Engineering, School of Engineering, University of the Aegean, Samos, Greece)
Aggeliki Tsohou (Department of Informatics, Ionian University, Corfu, Greece)
Maria Karyda (Department of Information and Communication Systems Engineering, School of Engineering, University of the Aegean, Chios, Greece)

Information and Computer Security

ISSN: 2056-4961

Publication date: 8 June 2020

Abstract

Purpose

This paper aims to identify the controls provisioned in ISO/IEC 27001:2013 and ISO/IEC 27002:2013 that need to be extended to adequately meet the data protection requirements set by the General Data Protection Regulation (GDPR); it also indicates the security management actions an organisation needs to perform to fulfil GDPR requirements. Thus, ISO/IEC 27001:2013 compliant organisations can use this paper as a basis for extending their existing security control modules towards data protection, and as guidance for reaching compliance with the regulation.

Design/methodology/approach

This study has followed a two-step approach. First, synergies between ISO/IEC 27001:2013 modules and GDPR requirements were identified by analysing all 14 control modules of ISO/IEC 27001:2013 and proposing the appropriate actions towards the satisfaction of data protection requirements. Second, this paper identified GDPR requirements not addressed by ISO/IEC 27001:2013.

Findings

The findings of this work include the identification of the common ground between the security controls that ISO/IEC 27001:2013 includes and the requirements that the GDPR imposes; the actions that need to be performed, based on these security controls, to adequately meet the data protection requirements that the GDPR imposes; and the identification of the remaining actions an ISO/IEC 27001 compliant organisation needs to perform to be able to adhere to the GDPR.

Originality/value

This paper provides a gap analysis and identifies the further steps, i.e. the additional actions that need to be performed, to allow an ISO/IEC 27001:2013 certified organisation to be compliant with the GDPR.

Citation

Diamantopoulou, V., Tsohou, A. and Karyda, M. (2020), "From ISO/IEC27001:2013 and ISO/IEC27002:2013 to GDPR compliance controls", Information and Computer Security, Vol. 28 No. 4, pp. 645-662. https://doi.org/10.1108/ICS-01-2020-0004

Publisher: Emerald Publishing Limited

Copyright © 2020, Emerald Publishing Limited
