
IT Security Standards Compliance Roadmap v1.5

International Data Protection Directive enforcement dates: CCPA 1 January 2020, GDPR 25 May 2018
Stakeholders: Project Manager / IT Manager / CTO / Chief Digital Officer / CFO / HoS / Insert name

Legend: activities mandatory for ISO/IEC 27001 (highlighted in green); activities mandatory for GDPR (highlighted in green)

# | Activity | Template | Related ISO/IEC 27001 article | Related CCPA article | Related GDPR article | Lead
1 IT Security Identification & Preparation | Templates: IT Security Standards Compliance Kit, CCPA Compliance Kit, GDPR Compliance Kit
Set goals: select the IT Security standard to target according to organizational goals and data security needs.
1.1 | Gain insights into the meaning and impact of IT Security | - | - | - | - | Project Manager, Management
1.2 | Gain insights into IT Security vs GDPR/CCPA similarities and differences | - | - | - | - | Project Manager, Management
1.3 | Perform IT Security compliance check | - | - | - | - | Project Manager, Management
1.4 | Perform gap assessment (procedure for identification of requirements) | Internal IT Security Gap Analysis | ISO/IEC 27001 §4.2 & A.18.1.1 | - | - | Project Manager, Project lead
1.5 | Gain senior management commitment | - | - | - | - | Project Manager, Project lead
1.6 | Initiate project with appropriate resources and budget | - | - | - | - | Project Manager
1.7 | Establish document control procedure | Documentation Controller | ISO/IEC 27001 §7.5 | - | - | Project Manager

2 IT Security Initiation, Roles, Awareness and Training
2.1 | Create the Project Charter (ISMS Scope Document) | IT Security Project Charter | ISO/IEC 27001 §4.3 | CCPA Section 1798.140(c) | CHAPTER IV - Section 4 - Data protection officer | Project Lead
2.2 | List the applicable Contractual, Legal, Regulatory Requirements | Data Security Plan | ISO/IEC 27001 §4.2 & A.18.1.1 | - | CHAPTER IV - Section 4 - Data protection officer | Project Lead
2.3 | Define IT Security roles and responsibilities | Data Security Plan | ISO/IEC 27001 §5.2 & 5.3 | - | CHAPTER IV - Section 4 - Data protection officer | Project Lead, Senior Management
2.4 | Identify Lead Data Protection Supervisory Authority | - | - | - | Articles 37, 38, 39; CHAPTER IV - Section 4 - Data protection officer | Project Lead, Senior Management, legal
2.5 | Recruit Information Protection Officer (if required) | - | - | - | CHAPTER IV - Section 4 - Data protection officer | Human Resources
2.6 | Appoint Information Protection Officer (if required) | - | - | - | CHAPTER IV - Section 4 - Data protection officer | Senior Management
2.7 | Conduct IT Security competence and training needs assessment | - | - | - | CHAPTER IV - Section 4 - Data protection officer | Project Lead
2.8 | Perform IT Security related training and familiarisation | IT Security Training Policy | - | - | CHAPTER IV - Section 4 - Data protection officer | Project Lead
2.9 | Conduct IT Security and information security awareness training | - | - | - | CHAPTER IV - Section 4 - Data protection officer | Project Lead, Information Security Manager

3 Planning
3.1 | Conduct initial personal information gathering exercise | - | - | - | CHAPTER II - Principles | Project Lead
3.2 | Perform audit of personal information by business area | ISO 27001 Internal Audit Checklist | - | - | Article 24(2) - Responsibility of the controller | Business Area leads
3.3 | Define or amend Data Security Policy | Data Security Plan | ISO/IEC 27001 §5.2 & 5.3 | - | Article 24(2) - Responsibility of the controller | Project Lead
3.4 | Identify lawful basis for processing personal information in each case | - | - | - | Article 6 - Lawfulness of processing; Article 30 | Business Area leads, Legal
3.5 | Conduct legitimate interest assessments where required | - | - | - | Article 6 - Lawfulness of processing | Business Area leads, Legal
3.6 | Identify record-keeping requirements and procedures | Data Retention Policy (GDPR) | - | - | Article 30 - Records of processing activities | Project Lead
3.7 | Identify and dispose of irrelevant personal information and keep a log | - | - | - | Article 6 - Lawfulness of processing | Business Area leads, Legal

4 Execution and Control
4.1 | Project Status Report (Measurement Report) | Project Status Report | ISO/IEC 27001 §6.2 & 9.1 | - | - | -
4.2 | Meeting Minutes (Management Review Minutes) | Meeting Minutes | ISO/IEC 27001 §9.3 | - | - | -
4.3 | Define personal information retention and protection policy | Personal Data Protection Policy (GDPR) | - | Cal. Civ. Code § 1798.120, 1798.135(a)-(b) | Article 24(2) | Project Lead, Business Area Leads, legal
4.4 | Create or amend existing privacy notices | - | - | V (1, 13.1, 17, 30) | Articles 12, 13 and 14 - Information to be provided | Business Area leads
4.5 | Review and amend consent methods and procedures | - | - | - | Article 7 - Conditions for consent | Business Area leads
4.6 | Address age related consent and controls (children) | - | - | - | Article 8 - Conditions applicable to child's consent | Business Area leads
4.7 | Create or amend response to unsuccessful subscribers | - | - | Cal. Civ. Code § 1798.135(c) | Articles 13 and 14 - Information to be provided | Business Area leads
4.8 | Create or amend response to deletion request of consumers | - | - | Cal. Civ. Code § 1798.135(c) | Articles 13 and 14 - Information to be provided | Business Area leads
4.9 | Create or amend Data Classification Standard | Data Classification Standard | ISO/IEC 27001 §7.5 | - | Article 32 | Project Manager, Management
4.10 | Create or amend Data Backup Plan | Data Backup Plan | - | - | - | Project Manager
4.11 | Define or amend Data Security Policy | Data Security Plan | - | - | - | Project Manager
4.12 | Create or amend Security Incident Management | Security Incident Management | ISO/IEC 27001 §9.1.1, 9.1.2, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.3.1, 9.4.1, 9.4.3 | - | - | Project Manager
4.13 | Create or amend Vulnerability Management | Vulnerability Management | ISO/IEC 27001 §9.1.1, 9.1.2, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.3.1, 9.4.1, 9.4.3 | - | - | Project Manager
4.14 | Create or amend User Access standard | User Access | ISO/IEC 27001 §9.1.1, 9.1.2, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.3.1, 9.4.1, 9.4.3 | - | Article 32 | Project Manager
4.15 | Create or amend Logging and Monitoring | Logging and Monitoring | - | - | - | Project Manager
4.16 | Create or amend Cloud Computing Security | Cloud Computing Security | ISO/IEC 27001 §8.1.1, 8.1.2, 8.1.3, etc. | - | - | Project Manager
4.17 | Create or amend IT Asset Management | IT Asset Management | ISO/IEC 27001 §8.1.1, 8.1.2, 8.1.3, etc. | - | Article 32 | Project Manager
4.18 | Create or amend Change Management | Change Management | ISO/IEC 27001 §14.1.2, 14.1.3, 14.2.1, 14.2.2, 14.2.5, 14.2.6, 14.2.7, 14.2.8, 14.2.9, 14.3.1 | - | - | Project Manager
4.19 | Create or amend IT System Acquisition & Development | IT System Acquisition & Development | ISO/IEC 27001 §14.1.2, 14.1.3, 14.2.1, 14.2.2, 14.2.5, 14.2.6, 14.2.7, 14.2.8, 14.2.9, 14.3.1 | - | Article 32 | Project Manager
4.20 | Create or amend Web Application Security standard | Web Application Security | - | - | - | Project Manager
4.21 | Create or amend Physical Security | Physical Security | - | - | - | Project Manager
4.22 | Create or amend End-User Protection | End-User Protection | - | - | - | Project Manager
4.23 | Create or amend Network Security | Network Security | - | - | - | Project Manager
4.24 | Create or amend IT Recovery | IT Recovery | ISO/IEC 27001 §6.1.2, 6.1.3, 8.2 & 8.3 | - | - | Project Manager
4.25 | Create or amend Information Security Risk & Compliance Management (Risk Treatment Table, Report) | Information Security Risk & Compliance Management | ISO/IEC 27001 §6.1.2, 6.1.3, 8.2 & 8.3 | - | - | Project Manager
4.26 | Create or amend Employee Confidentiality Statement | Human Resources Security | ISO/IEC 27001 §7.1.2, 13.2.4, 15.1.2 | - | Article 24(2) - Responsibility of the controller | Project Manager
4.27 | Create or amend Human Resources Security | Employee Confidentiality Statement | ISO/IEC 27001 §7.1.2, 13.2.4, 15.1.2 | - | Article 24(2) - Responsibility of the controller | Project Manager
4.28 | Create or amend IT Acceptable Use | IT Acceptable Use | ISO/IEC 27001 §6.1.2, 6.1.3, 8.2 & 8.3 | - | - | Project Manager
4.29 | Create or amend Third Party Risk Management | Third Party Risk Management | ISO/IEC 27001 §6.1.2, 6.1.3, 8.2 & 8.3 | - | - | Project Manager
4.30 | Secure Algorithm List | Secure Algorithm List | ISO/IEC 27001 §10.1.1, 18.1.3, 18.1.5 | - | Article 32 | Project Manager

Data subject management
5.1 | Create and implement Data subject request procedures | - | - | Cal. Civ. Code § 1798.120, 1798.135(a)-(b) | Article 6(1), 7(1), 9(2); CHAPTER III - Rights of the data subject | Project Lead
5.2 | Create and implement Data subject consent withdrawal form | - | - | Cal. Civ. Code § 1798.120, 1798.135(a)-(b) | Article 7(3); CHAPTER III - Rights of the data subject | Data Subject Request Administrator
5.3 | Create and implement Parental consent withdrawal form | - | - | Cal. Civ. Code § 1798.120, 1798.135(a)-(b) | Article 8; CHAPTER III - Rights of the data subject | Data Subject Request Administrator
5.4 | Start recording data subject requests | - | - | Cal. Civ. Code § 1798.120, 1798.135(a)-(b) | CHAPTER III - Rights of the data subject | Data Subject Request Administrator
5.5 | Create and implement User Deletion Request Policy | - | - | Cal. Civ. Code § 1798.120, 1798.135(a)-(b) | CHAPTER III - Rights of the data subject | Data Subject Request Administrator
5.6 | Create and implement Data Subject Access Request Form | - | - | Cal. Civ. Code § 1798.120, 1798.135(a)-(b) | Article 7(3), 15, 16, 17, 18, 20, 21, 22; CHAPTER III - Rights of the data subject | Data Subject Request Administrator
Controllers and processors
6.1 | Update contracts with processors to be IT Security compliant | - | ISO/IEC 27001 §7.1.2, 15.1.2, 15.1.3 | - | CHAPTER IV - Section 1 - General obligations | legal
6.2 | Distribute supplier questionnaires regarding personal information protection (GDPR) | Supplier Data Processing Agreement | ISO/IEC 27001 §7.1.2, 15.1.2, 15.1.3 | - | Article 28, 32; CHAPTER IV - Section 1 - General obligations | legal
6.3 | Provide information to controllers for whom we act as a processor | - | - | - | CHAPTER IV - Section 1 - General obligations | legal, IT Management
6.4 | Update contracts with controllers to be IT Security compliant | - | - | - | CHAPTER IV - Section 1 - General obligations | legal
6.5 | Address employee confidentiality requirements | Employee Personal Data Protection Policy (GDPR) | - | - | Article 24(2) & CHAPTER IV - Section 1 - General obligations | Human Resources
6.6 | Create and implement Bring Your Own Device Policy | Bring Your Own Device (BYOD) | ISO/IEC 27001 §6.2.1, 6.2.2, 13.2.1 | - | Article 32; CHAPTER IV - Section 1 - General obligations | Human Resources
Data protection impact assessment
7.1 | Define data protection impact assessment process | - | - | - | CHAPTER IV - Section 3 - Data protection impact assessment | Project Lead
7.2 | Conduct data protection impact assessment training | - | - | - | CHAPTER IV - Section 3 - Data protection impact assessment | Project Lead
7.3 | Perform initial data protection impact assessment | - | - | - | CHAPTER IV - Section 3 - Data protection impact assessment | Business Area leads
International transfers
8.1 | Identify international transfers of personal information | - | - | - | CHAPTER V - Transfers of personal data to third countries | Project Lead, Business Area Leads, legal
8.2 | Assess legality of existing international transfers | - | - | - | CHAPTER V - Transfers of personal data to third countries | legal
8.3 | Put in place agreements for international transfers of personal information (where required) | - | - | - | Article 46(5); CHAPTER V - Transfers of personal data to third countries | legal

Personal information breach management
9.1 | Create information security incident management procedure | - | - | N/A (other California laws apply) | CHAPTER IV - Section 2 - Security of personal data | Project Lead, Information Security Manager
9.2 | Create information security incident management register | Security Incident Report | - | N/A (other California laws apply) | CHAPTER IV - Section 2 - Security of personal data | Project Lead
9.3 | Create personal information breach notification procedure (Data Subjects) | - | - | N/A (other California laws apply) | CHAPTER IV - Section 2 - Security of personal data | Project Lead
9.4 | Create personal information breach notification procedure (Supervisory Authority) | - | - | N/A (other California laws apply) | CHAPTER IV - Section 2 - Security of personal data | Project lead, Information Security Manager
9.5 | Conduct information security incident management training | - | - | N/A (other California laws apply) | CHAPTER IV - Section 2 - Security of personal data | Project lead, Information Security Manager
9.6 | Test incident management and breach notification procedures | - | - | N/A (other California laws apply) | CHAPTER IV - Section 2 - Security of personal data | Project Lead, Information Security Manager
9.7 | Create business continuity plan or disaster plan in case of crisis | IT Security Disaster Plan | - | N/A (other California laws apply) | CHAPTER IV - Section 2 - Security of personal data | Project Lead, Information Security Manager
9.8 | Inform the data subjects that were exposed to a data breach | - | - | N/A (other California laws apply) | CHAPTER IV - Section 2 - Security of personal data | Project Lead, Information Security Manager

5 Project closure
10.1 | Repeat gap assessment to identify remaining non-compliant areas | - | - | - | - | Project Manager, Project lead
10.2 | Respond to complaints of data privacy breaches, etc. | - | - | - | - | Project Manager, Project lead
10.3 | Address any remaining non-compliant areas | - | - | - | - | Project Manager, Project lead
10.4 | Perform post project review | - | - | - | - | Project Manager, Project lead, Business Area leads, legal, IT Management, Senior Management
[Schedule columns: weekly timeline, weeks 1 to 17, January to April 2021; "Post activity" column; start and end dates marked "Date XXX" to be filled in]
