Data Security and Privacy related ISO/IEC Certifications

Accedere Inc is a CSA-empanelled auditor firm for the STAR Certification as well as the CSA
Attestation. As you may know, the CSA STAR Level 2 Certification can be achieved via
the ISO/IEC 27001 + CCM controls route, and the CSA STAR Level 2 Attestation can be
achieved via the SOC 2 + CCM controls route. Accedere Inc is both an ISO/IEC accredited
Certification Body and a CPA firm that can attest to SOC reports. Accedere has been
providing the CSA STAR Level 2 Attestation for the past 3 years to customers worldwide.
In this blog, we will focus on data security and privacy related ISO/IEC certifications. With
cybercrime estimated at 10.5 trillion USD and data security breaches on the rise, the need
for third-party vendor certifications is also increasing.
ISO/IEC 27001
The most popular ISO/IEC certification is ISO/IEC 27001:2013, which has shown an increasing
trend in its adoption by organizations, and we see year-over-year growth in ISO 27001
certification requirements. The ISO/IEC 27001 standard is expected to be revised with major
updates sometime in 2022, although the standard had minor updates in 2018. ISO/IEC 27001
is the leading certifiable standard in the ISO/IEC 27000 family.
To support privacy implementation, ISO recently published a new standard, ISO/IEC
27555:2021 Information security, cybersecurity and privacy protection — Guidelines on
personally identifiable information deletion. This standard contains guidelines for developing
and establishing policies and procedures for the deletion of personally identifiable information
(PII) in organizations by specifying:
• a harmonized terminology for PII deletion;
• an approach for efficiently defining deletion rules;
• a description of the required documentation; and
• a broad definition of roles, responsibilities, and processes.
PII data is lucrative to criminals, as the following examples show:
• Scanned passports sell for about $15 each; US passports for $1000-2000.
• Social Security numbers with other information fetch about $8 each.
• Credit card data can range from $5 to $45 in value, depending on the volume and whether it
comes with SSN, date of birth, and CVV.
• Educational diplomas may fetch between $100-400.
• Medical records can fetch about $2000.
• Analytics over combined PII data can be misused for political or financial gain, as in the case
of Cambridge Analytica.
• According to the U.S. General Accounting Office, 87% of the U.S. population can be
uniquely identified using only gender, date of birth, and ZIP code.
ISO/IEC 27018
We also have ISO/IEC 27018, which provides a code of practice for the protection of personally
identifiable information (PII) in public clouds acting as PII processors, in line with the privacy
principles in ISO/IEC 29100, for the public cloud computing environment.
ISO/IEC 29100
ISO/IEC 29100:2011 provides a privacy framework which:
• specifies a common privacy terminology;
• defines the actors and their roles in processing personally identifiable information (PII);
• describes privacy safeguarding considerations; and
• provides references to known privacy principles for information technology.
ISO/IEC 29100:2011 applies to natural persons and organizations involved in specifying,
procuring, architecting, designing, developing, testing, maintaining, administering, and operating
information and communication technology systems or services where privacy controls are
required for the processing of PII.
ISO 23195
This new standard defines a common terminology to be used in the context of third-party
payment (TPP). It establishes two logical structural models in which the assets to be protected
are clarified, and specifies security objectives based on the analysis of the logical structural
models and the interaction of the assets affected by threats, organizational security policies, and
assumptions. These security objectives are set out to counter the threats resulting from the
intermediary nature of third-party payment service providers (TPPSPs) offering payment
services, compared with simpler payment models where the payer and the payee interact
directly with their respective account servicing payment service provider (ASPSP).
With data security and privacy fines increasing, these new ISO/IEC standards can help towards
compliance with data security and privacy mandates like GDPR, CCPA, the new Colorado
Privacy Act, and many other regulations. Organizations can use these ISO/IEC standards to
demonstrate their controls and provide some assurance to their customers that they follow
international best practices to keep their customers' data safe. The new AICPA Privacy
Management Framework (PMF) also helps in adopting an enterprise privacy standard that
can align with many such privacy regulations. This new Privacy Management Framework
replaces the old GAPP (Generally Accepted Privacy Principles). The SOC 2 approach uses the
AICPA Trust Services Criteria 2017 for auditors to attest to privacy controls. The new CCM
version 4 by the Cloud Security Alliance also has many of the data security and privacy controls
as applied to cloud environments. CCM 4 also includes mappings to the ISO/IEC standards and
SOC 2, along with other mappings.

