We’re pleased to announce today that we’ve released the latest expansion of the AvePoint Privacy Impact Assessment (APIA) system – available exclusively from the International Association of Privacy Professionals (IAPP). The expansion takes into account recent updates to the European Union’s (EU) General Data Protection Reform (GDPR), which impacts members of the European privacy and information security communities as well as organizations throughout the EU.
APIA – which is currently used by more than 1,100 practitioners around the world – allows users to automate the process of evaluating, assessing, and reporting on privacy implications of their enterprise IT systems. By taking the manual labor out of the necessary task of completing regular Privacy Impact Assessments (PIAs), APIA helps organizations comply with privacy regulations, automate PIAs, report on PIAs for stakeholder review, and extend to security and vulnerability assessments.
The update includes templates for two International Organization for Standardization (ISO) security standards related to the GDPR, which are detailed below.
ISO/IEC 27001 Information Security Management
ISO/IEC 27001:2013 is the revised and updated international standard for creating an Information Security Management System (ISMS), defined as the part of an organization’s overall management system that deals with information security issues. The standard is designed as a framework and an approach for organizations regardless of size, industry, or location. It aims to ensure an organization has an effective, continually improving management regime, and focuses on planning a level of security appropriate to the organization’s legal, regulatory, and contractual requirements and its management risk appetite. Conformance is most often assessed by an independent, internationally accredited third-party audit body; the organization receives a certificate of compliance with the clauses, which is re-assessed and sampled periodically.
This APIA template takes the requirements of ISO 27001 and turns them into a set of questions, allowing organizations, security managers, and auditors to assess themselves or their partners against the requirements for assurance of compliance.
ISO/IEC 27002 Code of Practice for Information Security Controls
ISO/IEC 27002:2013 is an international best practice standard for a set of commonly used information security controls. The standard is organized into 14 security “categories,” which are split further into 34 security “objectives” and finally into 112 security “controls.” While the controls are neither mandatory nor exhaustive for any organization – and do not specify the control strength to be applied – they are commonly used by organizations as a cross check to see that they have not overlooked any important security areas. The standard is also referenced by ISO 27001, which requires that an organization undertake an information security risk assessment. As part of that process, the organization looks to the ISO 27002 controls as a basis for risk treatment and produces a statement of applicability that references the controls selected based on the organization’s risk appetite.
This APIA template is designed to list the controls found in ISO 27002, and turn them into a set of questions to allow security managers to assess any gaps in their control framework. However, it is recommended that organizations first perform a risk assessment to decide on the strength and applicability of these controls, as not all controls may be applicable, and extra controls may be required by an organization’s legal, industry, risk, regulatory, or contractual environment.
To download APIA and the new templates for free today, please visit the IAPP website. Have any questions or want to connect with other APIA users? Be sure to visit the APIA discussion board on the AvePoint Community. You can also read more about the updates directly from IAPP in the recent Daily Dashboard.
Next week, from April 29-May 1, we look forward to taking part in both the IAPP Europe Data Protection Intensive and Infosecurity Europe 2014 events in London. Be sure to stop by to meet with our team at both events to learn how we can help you enable enterprise collaboration with confidence throughout your organization. Additionally, at Infosecurity Europe, AvePoint and the IAPP will co-present two sessions explaining the importance of crafting a comprehensive privacy and security compliance strategy to meet GDPR as well as available technology solutions that can aid in this process:
- 15:45-16:10 on Tuesday, April 29: Privacy and Security by Design: Automating Your Impact Assessments by IAPP Publications Director Sam Pfeifle and AvePoint Senior VP of Risk Management & Compliance Dana Simberkoff
- 15:30-16:30 on Wednesday, April 30: Privacy and Security by Design: Automating Impact Assessments for Your Enterprise Software Systems by Sam Pfeifle and AvePoint Senior Compliance Solutions Specialist Ralph O’Brien
We hope to see you there!