May 19, 2020

As the first data privacy certification available, ISO 27701 can greatly reduce the complexity of managing privacy, risk and proving compliance with regulations like CCPA, GDPR.

Those organizations that already have a 27001 certification or are considering that certification can add on 27701 to change an Information Security Management System (ISMS) into an Information Security & Privacy Management System (ISPMS)

Debbie Zaller, Principal and co-owner at Schellman & Company, shares her in-depth knowledge of ISO 27701 on this episode of The Virtual CISO Podcast.

What we talked about:

  • Unpacking the this new certifiable extension
  • Why “ISO 27701 Certified” and “GDPR fully compliant” are not the same (but VERY close)
  • Why 27701 is the answer to reputable privacy compliance

 

Resources we mentioned: 

 

To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here.

If you don’t use Apple Podcasts, you can find all our episodes here.

Time-Stamped Transcript

This transcript was generated primarily by an automated voice recognition tool. Although the accuracy of the tool is 99% effective you may find some small discrepancies between the written content and the native audio file.

John Verry (00:06):

You’re listening to The Virtual CISO Podcast. A Frank discussion providing the best information security advice and insights for security, IT and business leaders. If you’re looking for no BS answers to your biggest security questions or simply want to stay informed and proactive. Welcome to the show.

John Verry (00:25):

Hey there and welcome to another episode of The Virtual CISO Podcast. I’m your host John Verry, and with me as always the Niles to my Frazier, Jeremy Sporn. Hey Jeremy?

Jeremy S. (00:35):

Hey doctor. What’s going on?

John Verry (00:38):

What did you think of my conversation with Debbie Zaller on the topic of ISO 27701.

Jeremy S. (00:45):

So Debbie is great for a few reasons. One, she is very smart. Two, she communicates extremely well about quite complex topic in privacy. Pretty sure you’ve heard of it and then ISO 27701 to address it. Three, she doesn’t think like you. Really a great quality actually.

John Verry (01:05):

I’m going to give you a chance to explain that because I could interpret that as a dis.

Jeremy S. (01:11):

You could and let’s start there, but we’ll move on. The main point is she comes at the entire topic of 27701 building on 27001, CCPA, GDPR. All of those terms from just a unique angle from kind of the area that we do. You know, you asked her a few questions expecting an answer, and you could see in your face, you were surprised by what she started with and where the conversation led.

John Verry (01:36):

Yeah, I think you’re right. I think that comes from… And you know, you and I work on the consultative side of the equation and you interact with consultants most of the time and they come at it from an audit centric approach. So their job is to validate the guidance that we’ve given our clients. So if you think about it, they answer the same questions we do or close questions, but really from 180 degree different perspective when a client asks them.

Jeremy S. (02:01):

Yep. Absolutely. That’s why it was nice to have her on. If you are looking for a comprehensive and effective way to manage both security and privacy concerns, this is the one for you. I saw 27701 can greatly reduce the complexity of managing privacy risk and proving compliance with regulations like CCPA, GDPR. I may be a little biased here, but I think you and Debbie did a pretty good job explaining how this all works. So I’m just a little excited about this one.

John Verry (02:29):

Yeah. I’m a big fan of 27701 and really enjoyed having Debbie on and thought she did a great job. So no further ado. Let’s get to the show. Debbie, how are you today? Thanks for joining us.

Debbie Z. (02:45):

I’m doing well, thank you so much for having me.

John Verry (02:47):

So we always like to start easy. You know, get everyone situated. Tell us a little bit of who you are and what it is that you do.

Debbie Z. (02:54):

Sure. So my name is Debbie Zaller. I’m one of the partners at Schellman and Company. Schellman and Company is a firm that provides IT-based audits, assessments, and certifications. So we have kind of a… More of a security practice, IT audit practice as well as privacy services and I myself, I manage the Midwest region. So all services in the Midwest region as I’m based in Chicago and I also manage the SOC-2, SOC-3 and privacy service line and co-manage PCI services as well.

John Verry (03:26):

Got you. It sounds like you’re busy.

Debbie Z. (03:28):

I’m very busy. Yes. Privacy alone keeps me very busy.

John Verry (03:32):

Yeah. Especially this year, although we’re getting a little reprieve with COVID, but hopefully it’s just a little reprieve. So before we get down to business, we have a tradition to ask what’s your drink of choice?

Debbie Z. (03:44):

Oh, I don’t discriminate. I have-

John Verry (03:49):

An equal opportunity drinker. I like-

Debbie Z. (03:50):

[crosstalk 00:03:49], yes. My husband definitely got me into bourbon, so I do love different kinds of bourbons, but I think there’s a special occasion for bourbon, for beer, for wine, for cocktails. So it depends on the occasion.

John Verry (04:04):

All right. So you may or may not know I’m a huge bourbon drinker. So if I asked you which bourbon?

Debbie Z. (04:10):

Okay. Yes. [crosstalk 00:04:11], favorites to drink neat is Angel’s Envy.

John Verry (04:16):

Oh, I love Angel’s Envy. Excellent-

Debbie Z. (04:18):

[crosstalk 00:00:04:18], Jefferson’s Ocean as well.

John Verry (04:20):

I have a bottle of Jefferson’s reserve up [crosstalk 00:04:24]. Have you had Widow Jane?

Debbie Z. (04:27):

No.

John Verry (04:28):

Try Widow Jane. It’s Brooklyn great little in that same genre and then of course my go to is just a Knob Creek and if I’m really going to treat myself and I did last night, I had an knob Creek 25th anniversary, which is ridiculous.

Debbie Z. (04:44):

Oh, that sounds good.

John Verry (04:45):

Yeah. It’s pricey but you know, it’s a wonderful bourbon. Now you are also from Chicago and Chicago does something that I love. They combined a Stout, which is my favorite beer-

Debbie Z. (04:56):

Me too.

John Verry (04:57):

… and aged in bourbon barrels and Goose Island is one of the most famous of the what we call bourbon barrel aged Stouts. I’m assuming you’ve had a Goose Island bourbon barrel aged Stout by now.

Debbie Z. (05:06):

Definitely. Yes, it is a very good beer.

John Verry (05:10):

All right.

Debbie Z. (05:11):

Very strong but it is good.

John Verry (05:13):

Yes it is. Yeah. You can only have a one or two of those and after that it gets a little bit shaky.

Debbie Z. (05:19):

Yeah.

John Verry (05:19):

Cool. So let’s get down to business. What we’re hoping you can do is educate us a little bit with regards to privacy and one specific standard that I happen to love ISO 27701. So can you explain what is ISO 27701?

Debbie Z. (05:35):

Yes. So ISO 27701 is a recent standard that just came out August of 2019 and it’s essentially an extension of 27001. So those organizations that already have a 27001 certification or are considering that certification can add on 27701 and it’s focused all around privacy. So you know, a little bit different… If you’re familiar with the ISO standards. Syour ISMS for 27,001, you do need to have a separate privacy management system. Well, it can also be combined with your ISMS, but essentially it’s a little bit greater of an effort bo it’s a little bit different than say 27017 or 27018 that are also extensions of 27001, but those are essentially just an additional control set, whereas 27701 includes an entire privacy management system. So in addition to ecause it does include that management system, but it also includes many privacy controls for a controller and or processor.

John Verry (06:40):

Got you.

Debbie Z. (06:41):

So it’s a great extension to 27,001.

John Verry (06:44):

Yeah. And I think where it’s like different than a 27018 or 27017 is that they provide additional guidance with regards to the annex eight controls. Right?

Debbie Z. (06:55):

Yes.

John Verry (06:55):

Where 27701 is rather unique in that it actually changes the information [inaudible 00:06:59], management system, the clauses itself. Right? Which is why you kind of can refer to it as a privacy management system.

Debbie Z. (07:05):

It does. Yeah. So it adds on to those annex A controls. So while those controls are still there, it does have some additional implementation guidance that need to be in place for processing and personal information. So you’re right. It does add on a little bit more in the annex A controls, but then also specific controller and processor controls.

John Verry (07:23):

Got you. And then the other thing too of course and I think you mentioned this too. The idea that it’s actually a certifiable extension, that is the first one that they had done that with, correct?

Debbie Z. (07:32):

Correct. Yeah. You’re absolutely correct. So yeah, we actually became one of the first certification bodies last week to have an accredited certification against 27,001 with 27701.

John Verry (07:44):

Yeah. Listen, I think it’s a great standard. So you mentioned controller and processor there. What is a controller? What’s a processor?

Debbie Z. (07:53):

Yeah. It can be a bit confusing and it’s one of the things that we spend a lot of time on with our clients in the beginning because essentially a controller is an organization that would collect data directly from an individual. So it’s the organization that determines the purpose and means of processing that personal information whereas, a processor actually processes data on behalf of a controller.

Debbie Z. (08:16):

So the easiest way to think of it as is in the processor role, because if an organization has a contract with the customer to process their information… And that could mean just storage actually too. And if they have that contract in place with the controller, then they know they’re in the processor role and if they don’t, they may be in that controller role actually collecting the information directly from the individuals.

John Verry (08:41):

Got you. And do you ever see instances where someone is both a controller and a processor?

Debbie Z. (08:46):

We do, and most often organizations are a controller and a processor, but here’s where it gets tricky because you have to look at the scope of the ISO certification. Now with 27701 being extension of 27,001, the scope passed a match. Meaning that if you’ve defined your scope for ISO 27,001 as being a specific service or business unit, and then you add on 27701, you can’t extend that scope further beyond what the IMS is and if you do, it does change the ISMS scope as well.

Debbie Z. (09:22):

So those scopes have to match and in most cases the ISO certification is on a business unit or a service. So usually in those cases, the role of the organization is going to be in the processor role. If they’re in the controller role, they may be relating to employee data. It may relate to marketing data, something other than processing data on behalf of your customers in the processor role. So in those cases, if you are both a controller and a processor, you may not be both for the scope of the certification.

John Verry (09:55):

Yeah, I would say that would almost definitely be the case in most organizations, because if you look at most organizations that are processing data on a third party… On their client’s behalf, they tend to scope their ISO 27,001 ISMS to be specific to those processing activities. Okay. That’s a good clarification. Thank you.

Debbie Z. (10:12):

Exactly. When-

John Verry (10:13):

So… Go ahead.

Debbie Z. (10:15):

Oh, sorry. I was just going to mention, one thing I will mention is that organizations that are maybe a processor and start processing data on behalf of a controller, and then decide to use that information for direct marketing or advertising may now create a situation where they’re putting themselves in the controller role.

Debbie Z. (10:31):

Although an ISO standard, one of the requirements does kind of forbid that advertising or marketing of the data without consent from the individual. So I will caution that area, but in some cases it may change the role of an organization to a controller role again, for a different dataset. So it still may not necessarily apply to the ISO certification, but I just want to mention that because we do let clients know that if they are a processor, they may become a controller in certain regards.

John Verry (10:58):

Right, but that would only be if they were marketing on their own behalf. Like, if you’re somebody that let’s say markets healthcare initiatives if you will on behalf of CVS. You know, wellness initiatives. If you were doing that marketing on their behalf, you’re still a processor.

Debbie Z. (11:18):

Correct.

John Verry (11:18):

Right? But if I were then to actually market my own services then I might cross over to becoming a collector.

Debbie Z. (11:24):

Exactly.

John Verry (11:24):

Because I’ve collected that data from a source. Now usually that’s going to be probably not possible because you’re going to probably… And the DPA that you signed, you’re probably explicitly forbidden from doing that anyway.

Debbie Z. (11:35):

Exactly.

John Verry (11:36):

So it’s probably a corner case, but it might actually happen. Right?

Debbie Z. (11:39):

Exactly. Yeah. You have to be careful what’s in your agreements as well as making sure you get that consent.

John Verry (11:45):

Cool. So let’s get a little bit more specific. So we talked about the fact that 27701 is an extension and it changes ISO 27001. So if I’m already ISO 27001 certified and pivot point is if I said to you, Hey Deb, we’re going to implement 27701 here. How does it change my everyday construct and use of ISO 27,001?

Debbie Z. (12:08):

Great question. So again, we kind of go back to scope. So the first thing is to make sure that your scope is going to be the same. So if we’re saying, okay, now the scope is the same for both 27701 and 27001. Now you have to look at the privacy management system. So of course, that is going to change our 27001 management system.

Debbie Z. (12:25):

Whereas you could combine the two, you could have an information security management and a privacy management system all in one, or you could keep them separate, but essentially you do want to make sure that when you go through your typical risk assessment and your monitoring activities and internal audit and things that you would do for the ISMS, you now have to take into effect the privacy management system and make sure that those areas are covered as well. So it is essentially extending some of your activities that you would normally perform for your ISMS into the privacy management system as well.

John Verry (12:58):

Got you. Now you said that we could keep the privacy and Information Security Management System separate. It would seem to me that that would probably be a bit illogical and one of the advantages to 27701 is that with a single construct, with a single management system, I’m able to manage to disparate… Well, what used to be two disparate fields, right? If we rapidly privacy and security have merged, it’s amazing how that’s changed in such a short period of time.

Debbie Z. (13:26):

Right.

John Verry (13:26):

So I would assume that you would find most organizations are going to create one, call it an ISPMS, an Information Security and Privacy Management System.

Debbie Z. (13:36):

Absolutely. Absolutely. Because now you’re having to maintain two separate documentations, two separate everything and it may be an organization specific activity because there may be some organizations that really want to keep that separation in place but again, I think it makes more sense to combine the two because I mean, otherwise you’re going to be basically managing two different document sets and there’s a lot of overlap between the two.

John Verry (14:00):

Right and one of the nice things about running it in a single instance is that, that risk assessment becomes both a risk assessment and a data privacy impact assessment.

Debbie Z. (14:08):

Correct.

John Verry (14:09):

Right. [crosstalk 00:14:09], and those analogs fall throughout the management system.

Debbie Z. (14:13):

Yes.

John Verry (14:14):

So from your perspective, if you were having a conversation over a Goose Allen bourbon barrel Stout with a potential client, they said, what are the advantages? You know, why should I move to 27701, I’m already ISO certified. ISO 27,001 certified? What would you tell them the advantages are?

Debbie Z. (14:30):

I would say one advantage is that this is one of the few privacy certifications that we have that’s worldwide. Meaning that there really aren’t that many privacy certifications that we have to date. A lot of them are jurisdiction specific. This 27701 allows you as an organization to get a certification that you have a privacy program in place that meets some of the main privacy principles of all privacy laws worldwide.

Debbie Z. (14:59):

So I think the main advantage is that it highlights an organization’s privacy program to a very kind of a strenuous and kind of detailed controls that you normally wouldn’t find anywhere else. You know there’s a lot of jurisdictions that don’t yet have a certification against the privacy laws or regulations and so this is one way to do that before we get those privacy certifications in different jurisdictions.

John Verry (15:24):

Got you. Yeah. I look at it and I think the simplicity of… But as we’ve talked about it, of managing to disparate programs in a single construct is really an advantage and then I think the last one that I think is hugely important is the idea that I’ve got demonstrable proof, because if you think about it most people that have gone to ISO 27001 or SOC-2, or have some good form of third party attestation, they have that because somebody is asking them for it and if they’re already being asked for information security attestation, they’re going to be asked for privacy attestation and realistically at that point, it is… You could argue the only… Certainly the best, and maybe the only, I guess you could use a SOC-2 privacy principle as well, but I mean it’s really a fantastic way to prove to somebody that you’re addressing secure privacy as well as security. Correct?

Debbie Z. (16:14):

Absolutely. Absolutely. I mean, third party validation I think is just great, no matter what you get but certainly like you mentioned the SOC-2 privacy category. I think it’s a good one, but it’s a little bit too broad. Right? It’s a little bit too kind of basic where the ISO 27701 gets into a lot more details and it’s a lot more rigorous, but it also is flexible, right? Because it does relate to whatever your jurisdiction is.

Debbie Z. (16:38):

For example, there’s some requirements in the 27701 for breach notification, but the timing of notification and the details are actually jurisdiction specific. So if an organization operates in the EU, you’d want to make sure that you’re falling in line with GDPR and so you kind of bring those jurisdictions into 27701. So again, it’s flexible enough to operate throughout the whole world, essentially in all different… In all different jurisdictions, but it does allow you to highlight that privacy program that is still rigorous and specific to the main privacy principles that are included in every privacy law.

John Verry (17:14):

Got you. And I would think that AICPA is looking at 27701 and saying, Hey, it’s time to refresh our privacy principle because if you think about it in fairness to AICPA, they had a privacy program before privacy was [inaudible 00:17:29]. You know, and if you look at ISO came out after GDPR was out and after CCPA, which relatively closely mirrors it, had already been published, not yet enforced. So I think they had the advantage of being able to look at what was the current trend and then align the framework with the current trends.

Debbie Z. (17:48):

Yes, absolutely. Absolutely. And you know, the AICPA did go through a change from the GAPP, the Generally Accepted Privacy Principles to what we have today. They may a little bit of a change to it, but I think we need to get back into probably more specifics and maybe they’ll make that change in the future, we’ll see.

John Verry (18:06):

Okay. Got you. So you mentioned GDPR and you mentioned CCPA. So if I am 27701 compliant, does that mean I am CCPA compliant? Does that mean I’m GDPR compliant? Is there some kind of Venn diagram I should be thinking about and our client… You know, the people listening should be thinking about?

Debbie Z. (18:22):

Definitely. We get that question often. Well, everyone kind of wants us to be the smoking gun, right? It’s not necessarily that one size fits all. It’s not necessarily meant to be a GDPR specific certification or a CCPA certification. It does get you close. Again, there’s a lot of overlap. It includes some of the main privacy principles that you’ll see within CCPA and GDPR, but CCPA and GDPR actually have some more specific areas and some details that are not within ISO 27701.

Debbie Z. (18:53):

So if you’re looking at a diagram medium, you’d probably see ISO 27701 in the middle, kind of overlapping a little bit with GDPR and CCPA. Maybe a little bit more in the GDPR sector, but then you’re going to see some outliers, right? So an organization is going to want to make sure that they’re still doing things, meeting GDPR that are not included in ISO 27701.

John Verry (19:14):

Right.

Debbie Z. (19:15):

But certainly it doesn’t mean that you should have different privacy programs, right? If you develop your privacy program to meet 27701, one of the things that we would do is make sure that you’re also meeting those specific jurisdiction requirements in GDPR, and also adding on where you need to, to meet those areas as well.

John Verry (19:34):

Right. And just the same way with let’s say ISO 27001, it’s an extensible framework in that if you need to conform with HIPAA, or if you need to conform with PCIDSS, you’ll just update the construct of your management system to account for that same concept here. You know, do I have to worry about GDPR? Do we need to worry about CCPA? Do I need to worry about APAC? What is it FDPR and GDPL or something. You know, that’s a Brazil and Mexico, [crosstalk 00:19:59]. I can never remember all the letters, but, okay, cool.

Debbie Z. (20:04):

Yup.

John Verry (20:05):

So this Venn diagram that we talked about. This idea that you can cover every privacy standard with 27701 with a little bit of jiggering like ISO. Let’s talk about why? So there are some fundamental privacy policies, you know the concepts of data mapping, the concepts of consent, the concepts of risk assessment or privacy impact assessment. The concept of DSRs talk a little bit about what’s included in 27701 and how that maps to those fundamental constructs that privacy regulations typically have.

Debbie Z. (20:39):

Yeah, absolutely. So the basics in the controller and the processor specific areas of 27701 cover things like collection of information use, notice, purpose and means, right? Making sure you have a legal basis for collecting that information. It also talks about sharing of information. You know, those third parties. So in all of the privacy laws, we talk about what are those third parties that are also in place that you may share information with, or you may transfer to different jurisdictions. So it includes some of those basic areas… Also transparency.

Debbie Z. (21:13):

Transparency is required in most privacy laws. So that’s also covered with an ISO. There’s a few different specific areas in ISO that they highlight certain requirements in those areas but again, the wording is very flexible to relate back to your jurisdiction. So you may have again, GDPR and CCPA that you are required to be compliant with and the ISO standards or the ISO requirements essentially say, okay, here’s kind of generally make sure you have a legal basis for collecting the information and there may be specifics within the jurisdiction that kind of outline what’s required.

John Verry (21:49):

And just real quick. In terms of for anyone listening, that’s got to deal unfortunately with both GDPR and CCPA, any major outliers that are the got you’s that when you think about your clients that are trying to deal with both in terms of they’re very similar but there’s let’s say, I don’t know, 5 or 10% that are a little bit different? You know, what’s in that 5 or 10%? What should people be thinking about?

Debbie Z. (22:10):

Ooh, that’s a good question. There are a few… Again, so there’s a couple of different requirements in ISO for direct marketing and you can’t do any kind of marketing or advertising without specific consent. Consent is another area where it might be a little bit different in GDPR.

John Verry (22:27):

I think I’d say… You know, I know sometimes it’s very use case specific, right? You know, different organizations depending on their doing and like you said, processor versus collector, and there’s a number of issues that make that a challenging question to answer really.

Debbie Z. (22:40):

Yeah. Definitely. It has certainly a role. Certainly that’s going to depend very much so, but I mentioned before a breach notifications for example, ISO doesn’t require a specific timeline for those notifications. Whereas in GDPR does mention specific outline of requirement of timeline. Also for requests, you mentioned Data Subject Requests, right? Data Subject Requests are still outlined within GDPR and responding to those… Or within ISO and responding to those requests but in GDPR it does say that it has to be within undue delay or within one month, whereas that timeframe is not necessarily outlined with an ISO. [crosstalk 00:23:15], ISO is a little bit more flexible.

John Verry (23:18):

Yeah. And then there’s also the weirdness with the California Consumer Privacy Act, which is the absolute identification of the individual. How do you authenticate that the individual requesting to be forgotten is the person? And then there’s the proverbial catch 22 is how do I keep a record that I’ve serviced a request without keeping personal information?

Debbie Z. (23:41):

That’s a huge question we get often and then consent. I mean, consent alone has personal information in it. So how do we make sure we have consent if we have to remove that information?

John Verry (23:50):

Yeah. I know it gets a little bit nutty. It’s going to be a fun or not fun depending on how you look at it next a couple of years as this all gets adjudicated out and clarified over and it’ll only be done through courts of law, like it usually happens in.

Debbie Z. (24:07):

Absolutely. And it’s going to even more interesting when GDPR has those certifications out there that the EU member states are currently collecting that type of accreditation and certification body information, so.

John Verry (24:17):

Got you. And those certifications are coming relatively soon or? But they’ve said that for a while. I mean, do we know when that’s-

Debbie Z. (24:23):

[crosstalk 00:24:23], but the individual member states are actually now accepting applications from organizations for their certification scheme.

John Verry (24:31):

Got you.

Debbie Z. (24:31):

So it is coming out. How that’s going to be consistently applied is really the question. You know, if an organization is getting a certification scheme approved in the UK for example, what does that mean for the rest of the EU after Brexit? Is it going to be the same certification scheme in all the member states because multinational organizations, how are they going to be able to abide by several different certification schemes in several different countries? So I mean, that’s still going to be the question that I think we have to wait and see how it’s going to play out but I think by the end of the year, we’ll start seeing some GDPR certifications.

John Verry (25:04):

Yeah. It’s interesting that they’re doing… You know, separate countries are doing separate schemes. When you think about the concept of, they agreed that the standard would be fully EU and if you think about it in the US and it’s… You know, we’ve got the California law, and it’s interesting to me that the technology companies are all lobbying Congress for a national law. Not that they really want to deal with privacy, but they don’t want to deal with 50 state laws like they had to do with the breach notifications. Yeah.

Debbie Z. (25:31):

Yeah, absolutely. I think organizations kind of need that one federal privacy law, but it’s a very difficult concept, right? Because you don’t want to weaken the state laws. You also don’t want to come into contact or kind of oversight over HIPAA and GLBA for example. You know, the hospitals and all the covered entities and business associates kind of want to continue to follow HIPAA. They don’t necessarily want that to be included within the state privacy laws. So I think there’s a lot that the federal government has to play with in this area and kind of make sure that it’s the right fit for everybody, but I think we need that one privacy law just for multi-state organizations. I mean, it’s very difficult to have the outliers defined in your privacy notice for [inaudible 00:26:14].

John Verry (26:17):

Yeah. And that’s one of the things that I think where ISO 27701 is extremely promising is that we can have one international standard that can be easily adapted to any privacy law globally, because we know that there are over 200 countries, I know from the COVID map that… Well over 200 countries that have the virus. So we know that… So in theory if we look forward 10 years, we could have 200 different standards. So something like ISO 27701 is really the only answer to managing a [inaudible 00:26:47], standards.

Debbie Z. (26:49):

Absolutely is. I mean, countries you’d never would have thought have to main… You know, major privacy laws. You know, countries in Africa are developing privacy laws. You know it’s very, very comprehensive, specific privacy laws that are again, kind of similar to GDPR, but there’s a lot of differences. So I mean, I think the ISO is really a great… Like you said, the multinational standard for organizations to highlight their privacy program.

John Verry (27:12):

Yeah and you said that so much more elegantly than… I’m chagrined.

Debbie Z. (27:19):

I like that word.

John Verry (27:21):

That’s your $10 word for the day.

Debbie Z. (27:25):

It is.

John Verry (27:25):

Okay. So let’s talk about cost and I know we’re going to be talking ballparks, but if you look at… If you’re a 500 person SAS with operations and let’s say easy to Amazon space, you probably looking… You know, from a high quality registrar like Schellman. You’re probably looking at 30,000 as a rough approximation of what your first year ISO 27,001 audit costs would be in let’s say 15 and 15 in the next two years. You know, using that rough construct, how much will it cost if I’m getting certified to add 27701 to the certification cost ballpark?

Debbie Z. (28:01):

Again, it kind of goes back to scope, right? So as you mentioned SAS, 500 person organization that does utilize a third party. You know, you’re talking… The processor controls are about 18. Controller are about 31. So it’s about half the cost. So if you think about your role as a processor, it’s not going to be as much as if you were a controller.

John Verry (28:21):

Okay.

Debbie Z. (28:22):

And it also depends on how you want to add it in. So you can do a scope expansion in the middle of your certification year. So you don’t necessarily have to wait until your next surveillance review or re-certification. You can actually do a scope expansion in the middle of the year and then the other option obviously is to wait until your surveillance or the certification but if you’re looking at your total initial certification or re-certification, the cost to add on a processor is probably going to be somewhere between 10 to 20,000 at the most.

John Verry (28:51):

Got you. Gotcha. Oh, that’s not bad at all.

Debbie Z. (28:54):

Yeah. [crosstalk 00:28:54]. You know, a scope expansion maybe less, because you’re really just looking at 27701 and how that combines with the management system.

John Verry (29:02):

Right. But your net cost would end up being more because in your next surveillance cycle you’d poke again at the privacy stuff, which you know while it costs you a little bit more, the nice thing is that it’s probably going to be an immature privacy program anyway and having that secondary look at it, it’s probably a pretty good idea.

Debbie Z. (29:18):

You know, the other option for that there was a readiness assessment. So you don’t necessarily need to go straight to the scope expansion. You could do a readiness assessment and I kind of advise on that because there are some controls in there that organizations may not necessarily have thought of before, especially if they don’t really have that mature enough privacy program. So readiness assessment may be a good idea and then the other idea is that there are some organizations that are kind of jumping on the scope expansion. So you may want to look at doing that if you’re trying to get out in the market and kind of ahead of some of your competitors. So that would be one of the reasons you might want to extend the extra cost.

John Verry (29:55):

Right. Yeah. The one thing which we’re telling clients is that if we’re helping them prepare to become certified, that if you can do 27001 and 27701 at the same time, your net cost is going to be a little bit lower because you can touch things once. So as an example, the scoping conversations that you would have become scoping and data mapping conversations. That initial risk assessment becomes an initial risk assessment and data privacy impact assessment.

Debbie Z. (30:21):

Absolutely.

John Verry (30:21):

So you are kind of knocking off one bird, two stone… Two birds, one stone and chagrined again and so you got the two birds, one stone and then the other thing is that as you’re building out your information security policy, information security documentation, that risk assessment becomes a information security and privacy risk assessment. So you’re building the documentation once. If we do it over a two year cycle, what happens is you’ve got to revisit, have those conversations again, and then you’ve got to update all the documentation, write your statement applicable and everything through the whole… It cascades with the whole management system.

Debbie Z. (31:00):

It does.

John Verry (31:01):

[crosstalk 00:31:01], if you can do it at once, I think it’s the right way to do, although it gets… You know, honestly it gets not inexpensive to do that and it’s not cheap to become provably secure and privacy compliant.

Debbie Z. (31:16):

True. It is a bit of an undertaking for organizations but like you said, doing it at one time it will save you some cost and effort for sure.

John Verry (31:24):

So from my perspective, you did a great job of covering a lot of ground in a short period of time. Is there anything else that you thought we should cover?

Debbie Z. (31:32):

I don’t think so. I think we’ve covered a lot of the main questions that we get on ISO 27701. I would just say that if you have any additional questions, feel free to reach out to us. I’d be happy to answer any additional questions. We’ve also done a lot of webinars on this topic as well, that may have answered some different questions that are archived. So you could go take a look.

John Verry (31:51):

Yep. I actually was at your webinar. I thought it was quite good.

Debbie Z. (31:54):

Thank you.

John Verry (31:57):

So let’s have a little fun and I warned you I was going to ask this question, so you better be prepared.

Debbie Z. (31:59):

Yes.

John Verry (32:01):

So I’ll allow you to… You know, I always ask amazing or horrible CISO. What fictional character or a real person you think would make an amazing or horrible CISO and why? I’ll let you use Data Privacy Officer, if you prefer.

Debbie Z. (32:13):

I think either. I would think that Batman would be a pretty cool. Maybe a little scary but kind of cool as well. I mean, certainly he would have some really cool tools to be able to identify and prevent any major issues and then go after the bad guys. I mean, how cool would that be?

John Verry (32:32):

So now you have me thinking, one of my favorite TV shows of all time is Community by Dan Harmon. Joel McHale was in it and a Childish Gambino, John Oliver. It was a great show. Anyway, it just came on to Netflix and I’m seeing a lot of… There’s a very famous scene in there where Abed becomes Batman. So [crosstalk 00:32:49], look online for Community Batman and you’ll disagree that he would be a good [crosstalk 00:32:56].

Debbie Z. (32:55):

All right, I’ll take a look.

John Verry (32:59):

All right. So last question. Based on the everyday conversations that you’re having and knowing that the podcasts listened to both information security and privacy and business leaders. Any ideas for some interesting topics for another episode?

Debbie Z. (33:12):

You know another one of my favorite topics is… You mentioned it briefly the APAC. So APAC came out with a privacy framework that is again a great privacy framework. That includes the basic privacy principles, as well as the data transfer mechanism. So it kind of combines that GDPR and privacy shield concept all into one and it’s something that not a lot of people really know about. Certainly some people in the APEC region understand and know about it, but others don’t and I think there’s some benefits to US organizations for sure that may be processing information in that region.

John Verry (33:44):

Interesting. You know, and I will admit to being ignorant of the specifics of APAC. I mean, I know it’s out there and I hear it. Question for you, who would that impact? That would impact somebody that was doing work with the personal information of citizens of the APAC region?

Debbie Z. (34:02):

Exactly. So it’s basically personal information that would be processed or transmitted within that region. So while the APAC region includes some 20 plus 26 countries or economies, I should say. This particular privacy framework is currently onboard with nine of those economies. So if you are processing for example, in Korea, Japan, the Philippines, US, Canada, Australia. All of those economies have bought into the privacy framework. They have government enforcement, they have accountability agents. Most of them have accountability agents, which are the certification bodies. So any organization that is transmitting, processing, anything in those regions, of any personal information in those regions would be a great candidate for those privacy framework.

John Verry (34:50):

That’s interesting. Yeah. Maybe we can have you back on at some point as I start to hear a little bit more about that. Haven’t seen all that many people yet ask for it, [crosstalk 00:34:57], it’s just because it’s relatively new.

Debbie Z. (35:01):

Exactly. Not a lot of people know about it. It’s been around for a few years, but it’s still relatively new in the privacy world and not many people know about it. So we’re just trying to get the word out there. Just so people understand that there is something else out there in the APAC region.

Jeremy S. (35:14):

Yeah. Thanks. That’s actually a good idea. So before I said farewell, how can folks get in contact with you individually, with Schellman, if they’ve got some questions with regards to privacy or any other type of attestation or assurance?

Debbie Z. (35:29):

Sure, absolutely. So on our website schellman.com, we’ve got our suite of services at the top. You can see all the different types of services we have. One of them is privacy assessment. So if they click in there, you can see all the different privacy assessments we do and then you can also get in contact with me there or you can just send me an email at [email protected]. I like to keep it old school. So pretty easy email.

John Verry (35:52):

No Twitter handle, huh?

Debbie Z. (35:53):

No Twitter handle for me. No social media really.

John Verry (35:57):

Well, man I couldn’t have thrown a lob pitch up there any higher. Like why don’t… So one more try Deb.

Debbie Z. (36:05):

Yes.

John Verry (36:06):

Why don’t you have a social media handle?

Debbie Z. (36:09):

You know I left the company. Cut a deal-

John Verry (36:12):

No, no. Right answer is privacy. It’s a privacy issue.

Debbie Z. (36:17):

Exactly. I personally do not have a Facebook account. I don’t do any Twitter. I’ve never done Instagram for that reason. Right. I mean, privacy is just it should be private.

John Verry (36:26):

All right. So I’m going to give you the option. Do you want me to have the video people cut all the way back to that point where I asked you that question, and then you say, “Of course I’m a privacy professional,” and then we end it there. No I’m not going to do that because now-

Debbie Z. (36:40):

[crosstalk 00:36:38], if we edit out of this one. Yes.

John Verry (36:42):

So Debbie, tell me how you feel.

Debbie Z. (36:46):

So I think that-

John Verry (36:47):

[crosstalk 00:36:47]. Oh wait, you were saying I gave you another layup. That was supposed to be chagrined.

Debbie Z. (36:53):

See, I got to use that word more often.

John Verry (36:57):

Debbie, thank you so much for being on.

Debbie Z. (36:59):

Thank you very much. I really appreciate this.

John Verry (37:02):

You’ve been listening to The Virtual CISO Podcast. As you probably figured out, we really enjoy information security so if there’s a question we haven’t yet answered or you need some help, you can reach us at [email protected] and to ensure you never miss an episode, subscribe to the show in your favorite podcast player. Until next time let’s be careful out there.