30 January 2019

How to create a robust PII Control Framework across multiple standards

Spending endless hours on data collection, analysis and remediation only to repeat the whole process again for another compliance framework. Sound familiar?

Some organisations dedicate huge resources when it comes to becoming certified in ISO 27001. In reality, this standard has a lot in common with GDPR. Both of them require organisations to ensure the confidentiality, integrity and availability of personally identifiable information (PII) and sensitive data.

Don’t double up!

Whilst there are differences between the two frameworks (such as the broader scope of GDPR regarding data privacy), there is a huge overlap. GDPR is concerned with the security of PII, but it doesn’t itself provide a way to demonstrate assurance of that security. Therefore, ISO 27001 controls are what can demonstrate assurance of security for PII data and processes. Duplication of effort can be avoided by creating a robust, long-term PII control framework within a GRC (governance, risk and compliance) platform.

The link between these two frameworks means that a GDPR project will collect, or pull in, data from an ISO 27001/2 project. Rather than storing information across a variety of Excel spreadsheets, a GRC platform like SYNERGi enables you to centralise the relevant controls for both standards. From there, you can run streamlined audits and tests to demonstrate assurance across multiple controls and standards.

As well as the link between GDPR and ISO 27001, audits can also identify a significant number of third parties in your supply chain. To adhere to GDPR and ISO 27001/2, you will need to demonstrate efficient supply chain management.

Visualising the overlap

To demonstrate the overlap between ISO and GDPR, and how it can be supported by the modules in the SYNERGi GRC platform, we’ve put together a handy diagram.

This process can be supported by the Vendor Management module within SYNERGi. The following features in this module can assist with managing supply chain risk to comply with GDPR and ISO 27001/2:

  • A central repository of all suppliers
  • Extensive data capture of those suppliers
  • Easy verification of suppliers’ adherence (or otherwise) to ISO 27001 through pre-set or bespoke questionnaires
  • Ability to create, track, manage and report on remediation actions required from suppliers
  • Links in with the Risk Management module in SYNERGi, allowing supply chain risk to be identified and managed alongside your existing information risk

Further expansion into compliance

If you’ve got GDPR and ISO under control, there is an additional opportunity to support organisational InfoSec maturity. This can be achieved by adding the ‘14 Cloud Principles’ library to the Compliance Management module within SYNERGi. The supplier questionnaires can then be used for cloud supplier verification.

Learn more

To learn more about supporting your PII control framework in a platform like SYNERGi, download our Vendor Management Datasheet.

If you would like a demo of the SYNERGi GRC platform, or are interested in having a free trial to truly understand what the platform is capable of, simply contact us and we’ll be in touch.