With the need to adapt to the LGPD, the search for information and guides on information security is increasing and many companies are discovering ISO 27701 and ISO 27001, with the ISO 27001 standard (Information Security Management System) being a standard for implementing a management system focused on information security, while the ISO 27701 standard (Private Security Management System) is an extension of the 27001 standard, which aims to add new controls in the management system to ensure total privacy specifically of personal data.
The recommendation is that both are implemented in parallel, but implementing only ISO 27701 without implementing ISO 27001 is not possible, as the main controls related to the formation of a safe management system are in ISO 27001. information security controls.
There are 114 controls listed in ISO 27001, but not all of them are mandatory, as the company will choose which controls it identifies as applicable and implement them The main criterion for this selection of controls is the use of risk assessment, defined in clauses 6 and 8 from the main part of ISO 27001.
As an example, we can cite some inserted in Annex A, which presents the controls and their objectives:
·
Information security policies, regarding how policies are written and reviewed;
·
Safety in human resources, referring to the hiring of employees;
·
Organization of information security, referring to how responsibilities are delegated, in addition to addressing controls for mobile devices and remote work;
·
Access control policies, referring to access management and user responsibilities, in addition to system access controls;
·
Asset management, referring to asset inventory controls;
·
Physical and environmental security, referring to entry controls, equipment security, equipment safety, safe disposal, among others;
·
Relationship in the supply chain, referring to the monitoring of suppliers, for example;
·
Security in operations, referring to controls related to IT management, backups, monitoring of installations, capacity management and control of malicious software, among others;
·
Communications security, relating to network services, information transfer, network security;
·
Information security incidents, referring to the control of reporting weaknesses and events that occurred, as well as response procedures and evidence collection;
·
Compliance, referring to compliance controls with laws and regulations, protection of personal data and intellectual property;
These were just a few examples of controls that must be implemented to manage information security risks and protect the confidentiality, integrity and availability of data. The list is extensive and the need for alignment with current laws is essential. The specialists' recommendation is that the company outlines a planning before starting any implementation process, looking for serious professionals who can help in this task.
Tacticca Allinial Global Brazil It has a qualified and experienced multidisciplinary team, which offers expert monitoring so that you can obtain satisfactory results and certify your company in a timely manner.