Question - eramba & ISO 27701 PIMS

carl.gottlieb · June 24, 2020, 7:44am

Hi,
Is anyone planning on using Eramba for their ISO 27701 PIMS? Since 27701 is simply a bolt-on for 27001, using the same tool seems completely logical, but there are a few pieces that Eramba is missing, e.g. risk assessments from the perspective of the individual and not the organisation.
To clarify, using Eramba as a PIMS couldn’t be achieved with the addition of another compliance package, so will need some wider changes.
From a competitive landscape perspective, as customers recognise that they will need their ISMS tool to also be their Privacy PIMS tool, there should be much more demand in this area.
Is there anything we Privacy people/customers can do to help move the product along in this direction?
thanks
Carl

eramba · June 24, 2020, 8:09pm

we will buy tomorrow the sstandard from the iso shop and make a compliance package during the week … @sam loves doing that … not

sam · June 25, 2020, 1:25pm

Done.

eramba · June 27, 2020, 5:51pm

hello Carl,

esteban here - i had a read of the standard it does seem a typical iso document with two new annex for controllers and processors and of course a little expansion on the existing 2700(1|2) set - but of course theory and practice (implementing this) will sharper this opinion.

the connection to gdpr is very obvious…gdpr practices are covered by the data flow analysis module … something we regret as functionalities in eramba never ever try to reflect specific regulations as there are thousands of them , we do take common grc practices (risk, compliance, incidnet, awareness, testing ,etc) and make them as flexible as possible

so, there will be nothing new created for this standard unless is not already addressed by the typical grc practices… we need to work with it more to fully understand that.

thank you for bringing this up
esteban

carl.gottlieb · June 29, 2020, 7:40am

Thanks for replying. I’m going to work through to see what the gaps are, but the main one I think is the need for two types of risk assessment now, one from the organisation perspective (as normal) and now one from the individual’s perspective.
I’ll provide feedback as I progress with this.

daniel.c.larsson · July 1, 2020, 2:39pm

Hi, I’m interested in following your progress. I will also use Eramba for ISO27701, but i’m not quite there yet.

anon80539220 · July 8, 2020, 1:41am

Hi Carl, yes we will be doing this. I am waiting to get the standard, so I can import into Eramba, then start doing the assessment

carl.gottlieb · July 8, 2020, 7:25am

One of the interesting questions with this is whether the 27001 and 27002 compliance packages should be modified to include the new 27701 requirements and controls (since many are modifications rather than additions).
So I might end up with these four compliance packages in use:

27001
27002
27001 + 27701 Clause 5
27002 + 27701 Clauses 6,7,8
(and realistically the 27001 and 27002 packages would be redundant if fully committed to the 27701 PIMS version of ISMS)

eramba · July 9, 2020, 6:20am

yes actually is not really a bad idea , we did the compliance package in a rush and i dont think is very useful. i’ll discuss with sam today

carl.gottlieb · July 9, 2020, 10:04am

I’ve asked for clarification on whether Annex F of 27701 is stating that the term ISMS is actually replaced by PIMS, or whether “ISMS” lives on, side by side.

carl.gottlieb · July 9, 2020, 1:43pm

One important thing is I’m pretty certain we’ll need a new type of risk management module to sit alongside the existing three (asset, BIA, 3d party), for assessing privacy risks to individuals.