iso 27701 privacy certification - assets.kpmg · independent information security assessment...

ISO 27701 Privacy Certification Webinar Presentation June 2020


Post on 27-Sep-2020


ISO 27701 Privacy Certification

Webinar Presentation

June 2020


Agenda
— Introduction
— Privacy Background
— ISO 27000 Standards
— ISO 27701
— Discussion & QA


© 2020 KPMG Oy Ab, a Finnish limited liability company and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative, a Swiss entity. All rights reserved.

+358 40 162 5620

Qualification / Education
— M.Sc.
— CISSP (Certified Information System Security Professional)
— CISA (Certified Information Systems Auditor)
— CISM (Certified Information Security Manager)
— CRISC (Certified in Risk and Information Systems Control)
— ISMS & BCM Lead Auditor

Fields of Expertise
Head of official security audits and certifications

Experience / Role
Olli has worked as an information security specialist at KPMG Finland since March 2010. He is also the chief operating officer of KPMG IT Certification Ltd, an Accredited Information Security Inspection Body, providing both public authorities and private companies reliable and independent information security assessment services as well as ISO 27001 and ISO 22301 certifications.

Olli has been a lead auditor / project manager in numerous information security management engagements for several clients operating in different industries, like manufacturing, telecom, IT, trading, financial, oil and energy. He has participated in over 250 information security projects for the government and international corporations as a responsible professional. Olli has focused on information security governance and physical security, and has a good knowledge of different security standards, laws, regulations and common trends. In addition, he has also taken part in technical security audits.

Some examples of Olli’s professional work include international cloud security audits as well as working full time for over 2 years in a large compliance program with a Finnish financial organization, focusing on achieving regulatory compliance, especially in business processes. He has also developed a business continuity management framework and critical continuity and disaster recovery plans to meet Financial Supervision Authority requirements.

Before joining KPMG, Olli worked as a researcher at Tampere University of Technology, Telecommunication research center (TRC) from September 2007 to March 2010. His work concentrated on mapping information security threats, developing a SOM-based neural network intrusion detection system, testing and rating current intrusion detection methods, writing publications and working in the management team.

Special expertise
— Security management
— Business continuity management
— Official information security audits and certifications
— Cloud security
— Risk analysis
— Security standards and frameworks, such as ISO 27000 series, PCI DSS, KATAKRI, VAHTI, NIST, CMA etc.

Olli Knuuti
Senior Manager, Cyber Security Services at KPMG Oy Ab, COO of KPMG IT Certification Ltd


Qualification / Education
— Bachelor of Security (Laurea UAS), major in Security Management
— Certified Information Systems Auditor (CISA)
— ISMS Lead Auditor

Experience / Role
Antti-Jussi has worked as an information security specialist at KPMG Finland since 2014.

At KPMG, Antti-Jussi is focused on security compliance audits and administrative information security consultancy. He has wide experience in cyber security and cloud security as well as in developing Information Security Management Systems and testing information security. Antti-Jussi has also been involved in creating security policies and continuity management in his previous work relationships and at KPMG.

Antti-Jussi has conducted several information security audits and engagements against different kinds of information security standards. He focuses on ISO 27001:2013 certification and ISAE / SOC 2 Assurance projects. He has conducted audits and ISMS development towards several cyber security frameworks, such as ISO 27001, Katakri 2015 and PCI DSS. At KPMG, Antti-Jussi has worked with multinational companies as well as with public sector organizations, mostly as Lead Auditor and Project Manager.

Before joining KPMG, Antti-Jussi worked in a multinational company focused on payment cards and payment transactions as a part of the operational security unit. His main responsibilities were maintaining physical security and physical security systems and maintaining the undisturbed premises process.

Special Knowledge
— Cyber Security
— ISO 27001:2013
— Information Security Development
— Cloud Security
— Risk Management & Risk Assessments
— Information Security Management System
— Business Continuity Management & Disaster Recovery Planning
— ISAE 3402 & 3000 / SOC 2 Assurance

Antti-Jussi Tuumi
Advisory Manager at KPMG


Qualification / Education
— Dr. (tech.) M.Sc. (tech.)
— CISSP (2016)
— ISO 27001 Lead Auditor (2019)

Language skills
Finnish (native), English (fluent)

Experience
Antti started to work for KPMG in 2017. He works in the cybersecurity team and focuses especially on security management issues. In addition, he is a cybersecurity contact point for the Northern Finland area.

Previously, Antti worked as a senior scientist for VTT Technical Research Centre of Finland (2006-2016). He researched cybersecurity from a situational awareness viewpoint. In other words, he analysed and built models for situational awareness and applied security metrics and risk analysis. Writing results into a publication form and presenting them in international forums to increase VTT’s visibility was a natural part of his job. His doctoral dissertation concentrated on security adaptation, i.e., how future smart spaces and IoT environments monitor and react to security changes autonomously. In this research he defined the architecture and performed security knowledge modelling.

Antti has facilitated risk analysis workshops and steered a risk identification process together with customers. In addition, he has supervised master's thesis work and acted as a project manager. In research projects, he has defined use cases together with companies in order to bring research results to practice. In 2015, Antti developed security-related IPR for VTT’s customer, and the customer is now patenting the inventions. Furthermore, Antti has broad experience pertaining to public research funding, i.e., Tekes and EU, and the capability to exploit various instruments. He has also prepared documents and offerings for public tenders.

Special knowledge
— Information Security Management System (ISMS)
— ISO 27001
— Risk management
— Data privacy and GDPR
— Security metrics
— Information security development

Antti Evesti
Advisory Manager, Cyber Security at KPMG


KPMG IT Certification Ltd.

Approved by Authorities
In October 2014, KPMG IT Certification Ltd. received official approval from the Finnish Transport and Communication Agency and accreditation from FINAS (Finnish Accreditation Service) to act as an information security inspection body according to the legislation and regulation on information security inspection bodies.

The journey to achieve the official approval and accreditation to act as an information security inspection body required a lot of blood, sweat and tears – it took altogether 4 years to get the status.

Independent
We are not tied to any hardware or software suppliers. As a result, our advice is independent and geared to the specific needs of each client.

Global and Local
We have over 2 600 cyber security professionals working in KPMG’s global network, so we are able to deliver to consistently high standards, no matter where you are. KPMG member firms can service your local needs from information security strategy and change programs, to technical assessments, forensic investigations, incident response, training, and even ISO 27001 certification.

Award Winning
Whether it’s SC Magazine or the MCA Awards, KPMG shines in independent recognition. Forrester also recognizes KPMG as a leader in Information Security Consulting, highlighting our strong focus and ability to take on challenging engagements.

Trusted
We have a long list of certifications and permits to work on engagements for many of the world’s leading organizations.

“Clients need certification to show their own clients that they are doing things properly and there is ever increasing demand for that.”

Olli Knuuti, COO of KPMG IT Certification Ltd.


KPMG Russia

Ilya Shalenkov
Director

KPMG Russia and the CIS is a team of specialists and experts in projects devoted to bringing organizations’ PII processing activities into compliance with international and local requirements in data protection and privacy, including GDPR and 152-FZ. The team has successfully performed more than 20 GDPR-related projects.

Ilya leads KPMG's cyber security and digital forensics services team in Russia and the CIS. He is an expert in the field of information security, IT controls and IT audit.

Ilya is co-founder of the Russian Privacy Professionals Association (RPPA).

CISA – Certified information systems auditor / Information Systems Audit and Control Association (ISACA).

CRISC – Certified in Risk and Information Systems Control / Information Systems Audit and Control Association (ISACA).

BS ISO/IEC 27001:2013 Lead Auditor – Lead auditor of Information Security Management Systems / The British Standards Institution.

Kristina is a specialist in the field of information security, IT controls and IT audit. Prior to joining the KPMG team, Kristina held a leading position in information security in one Turkish International Bank and implemented several projects for banking organizations on compliance assessment against the requirements of Bank of Russia Regulation No. 382-P and 552-P and the requirements of the legislation of the Russian Federation on the protection of personal data and the use of cryptography, as well as ISO 27001/002-related projects.

Kristina has experience in GDPR applicability assessment and GDPR compliance analysis (finance, mining, transport, hotels), documentation development (policies, consent forms, procedures) and DPIA.

Kristina is co-founder of the Russian Privacy Professionals Association (RPPA).

Verification Center “Maskom” - Certification of information systems, protection of information from unauthorized access.

AIS - Information Security Using Encryption (Cryptographic) Means.


Kristina Borovikova
Senior Manager


KPMG Russia

Alexey Sokolov
Senior consultant


Alexey is an expert in the field of data privacy and cyber security. He has extensive experience in the information security field, European and Russian data privacy legislation. Alexey is focused on:

— Personal data processing and protection compliance analysis (GDPR, 152-FZ).
— Development of internal documents on information security.
— Information security user awareness.

His experience in IT includes:
— Internal audit KPMG in Russia and CIS.
— Local and international standards compliance analyses (ISO 27001, ISO 27002, information security requirements of the Bank of Russia).

Maxim is a specialist in the field of personal data protection (GDPR), information security, IT technology. Maxim's competencies include conducting an information security audit for compliance with the requirements of international corporate standards and legislation of the Russian Federation, an inventory of current processes and assets, development and implementation of new information security processes, preparation of related documentation, development of a methodology and information security risk assessment, as well as expertise in Threat Intelligence area.

IBM RCIS – sales in the department of information security solutions, technical support for AppScan solution for finding vulnerabilities in applications, expertise of information security tools.

IBS Platformix – presales and technical support of storage systems and servers of vendors EMC, DELL, IBM, HP.


Maxim Reshin
Consultant


KPMG Russia

The team has successfully performed more than 30 GDPR projects and more than 35 152-FZ projects.

GDPR-related experience

GDPR-related awareness trainings for organization’s employees

Development of detailed recommendations to align the PII processing activities of the Group of companies into compliance with GDPR requirements

GDPR compliance analysis for organizations’ websites and applications

GDPR compliance analysis for organizations’ documents and policies

Heavy industry, Energy, Sports, Transport, Finance, Pharmacy
Russia, Ukraine, Poland, Romania, Cyprus, Netherlands, Bulgaria, Switzerland, United Kingdom, Luxembourg, Czech Republic, Italy

Heavy industry, Energy, Sports, Transport, Finance, Pharmacy
Ukraine, Poland, Romania, Netherlands, Bulgaria, Switzerland, United Kingdom, Luxembourg, Russia, Czech Republic, Italy, Cyprus

Heavy industry, Finance, Pharmacy
Russia, Ukraine, Great Britain, Bulgaria, Italy

Heavy industry
Finland, Cyprus, Ukraine, Switzerland, Poland, Romania, Netherlands, Bulgaria, United Kingdom

Sports, Transport, Finance
Russia

Compliance analysis for PII processing activities towards GDPR requirements (taking into account local requirements in data protection and privacy)

Identifying the processes of companies that fall under the GDPR

Heavy industry, Energy, Sports, Transport, Finance, Retail, Pharmacy
Russia, Ukraine, Switzerland, Poland, Romania, Netherlands, Bulgaria, United Kingdom, Czech Republic, Italy, Cyprus

Privacy Background

Privacy is not an invention of the 2010s – it was already one part of human rights in the 1950s.

How Has Privacy Work Evolved in Organizations?

— Development project has ended.
— Employees and management have tired of privacy.
— It seems that there has been huge work without clear business advantage.

— Make previous development work shine.
— Make new business with compliance.

— Sanctions from violations
— Privacy needs continuous improvement, not just one development project.

— Local legislation
— Some organizations complied, others did not.
— Varying controls & processes

— Every organization had a development project.
— Huge amount of work to build processes, controls and documentation

Ad-hoc Work, GDPR Hype, GDPR Hangover, New Rising


ISO 27000 Standard Family


Background
— In 1995, British Standard 7799 (BS7799) defined how an Information Security Management System (ISMS) should be implemented and maintained.
  – The purpose was to offer a general description of how to plan, implement and manage policies, procedures and technologies in order to manage information security risks.
  – The goal was to harmonize utilised controls.
— The need to extend it to a global standard was recognised -> ISO 27000 standard family.
  – 27000 – Overview and vocabulary
  – 27001 – Information Security Management Systems – Requirements
  – 27002 – Code of practice for information security controls
  – 27003 – Information security management system implementation guidance
  – 27004 – Monitoring, measurement, analysis and evaluation
  – 27005 – Information security risk management
  – …
  – 27018 – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors.
  – …
  – 27701 – Extension to ISO/IEC 27001 for privacy management – Requirements


PDCA Model – Mandatory for ISO 27001 Certification

Plan
— Scope for ISMS / PIMS
— Risk assessment
— Leadership commitment

Do
— Risk treatment
— Implement controls
— Training and awareness raising

Check
— Monitor and review
— Assess the effectiveness of ISMS / PIMS
— Effectiveness of controls
— Check residual risks

Act
— Implement corrective actions
— Learn and improve


ISO 27701 Certification

Extension to ISO 27001 and ISO 27002 for privacy information management


Differences Between Data Processor and Controller

Data Controller:
— The data controller determines the purposes for which and the means by which personal data is processed.
— If a company decides ‘why’ and ‘how’ the personal data should be processed, it is the data controller.
— Employees processing personal data within your organization do so to fulfil your tasks as data controller.
— Your organization is a joint controller when together with one or more organizations it jointly determines ‘why’ and ‘how’ personal data should be processed.
— Joint controllers must enter into an arrangement setting out their respective responsibilities for complying with the GDPR rules. The main aspects of the arrangement must be communicated to the individuals whose data is being processed.

Data Processor:
— The data processor processes personal data only on behalf of the controller.
— The data processor is usually a third party external to the company. However, in the case of groups of undertakings, one undertaking may act as processor for another undertaking.
— The duties of the processor towards the controller must be specified in a contract or another legal act. The contract must indicate what happens to the personal data once the contract is terminated.
— A typical activity of processors is offering IT solutions, including cloud storage.
— The data processor may only sub-contract a part of its task to another processor or appoint a joint processor when it has received prior written authorization from the data controller.


What is ISO/IEC 27701?

ISO/IEC 27701 includes requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS)

The standard is an extension to ISO/IEC 27001 Information Security Management System and ISO/IEC 27002 – implementation of ISO 27701 certification requires ISO 27001 certification

The standard consists of i) normative requirements (subclauses 5.2–5.8), ii) Annex A normative controls for PII Controllers (A.7.2–A.7.5) and iii) Annex B normative controls for PII Processors (B.8.2–B.8.5)


ISO 27001 - The Mandatory Requirements

ISO 27001 Mandatory Requirements (Information Security Management System):

ISO 27001 Annex A Controls:


What Are the ISO 27701 Requirements

ISO 27701 brings in additional requirements for Privacy Information Management System (PIMS) for ISMS.


What Are the ISO 27701 Requirements

ISO 27701 defines the requirements for a Privacy Information Management System (PIMS) as mandatory requirements for design, implementation, maintenance and continual improvement.

The standard consists of the following areas:
— Mandatory Clauses (5.1–5.8)
— Control areas (6.1–6.15, 7.1–7.5 and 8.1–8.5)
— Additional Requirements
  a) PII Controllers
  b) PII Processors

“Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization.”


Benefits of ISO/IEC 27701 Certification

Ensure that your business complies with data privacy regulations (e.g. GDPR or other local legislation)

Certification is a way to demonstrate compliance, in line with the accountability principle

Establish trust between you and your stakeholders; clients, government authorities, and business partners

Enhance data privacy management and reduce related risks, e.g. risk of data breaches


ISO Certification Process


How to get ISO 27701 certified?

ISO 27001 Information Security Management System (ISMS)

Privacy extensions
— Controller
— Processor

ISO 27701 Privacy Information Management System (PIMS)


KPMG Certification Process at a Glance

Our methodology for the requested services consists of four stages as depicted in figure below.
— Stage 1 Pre-assessment: (GAP Analysis of the management system focusing on current ISO/IEC Certification standard and management steering)
— Stage 2 Certification Audit: (Perform detailed review of the management systems, including adherence with the management system and confirm that the management system conforms with the requirements of certification standard)
— Stage 3 Ongoing Surveillance: (Yearly review that the Management System is in place, maintained accordingly and effective)

As a result, after successful ISO certification audit the customer will receive the formal ISO certification for the following 3 years.

[Figure: Stage 0 Diagnostic Review; Stage 1 Pre-assessment; Stage 2 Certification Audit; Stage 3 Ongoing Surveillance (following 2 years)]


© 2020 KPMG Oy Ab, a Finnish limited liability company and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

The KPMG name and logo are registered trademarks or trademarks of KPMG International.