As adequate security becomes a legal mandate, there is a greater understanding that privacy is not truly attainable without security.
With the EU General Data Protection Regulation (GDPR) now in force, and other new privacy laws on its heels, the concept of “adequate security” is becoming a legal mandate on a global level, and it is now commonly understood that privacy cannot truly be attained without security. This overlap between privacy and security calls for new ways for these two teams to collaborate, communicate more effectively and use common tools. OneTrust helps with the establishment, maintenance and continual improvement of an information security management system (ISMS), as well as the planning and implementation of industry standards such as ISO 27001, AICPA TSC (SOC 2), CSA STAR, NIST CSF and more. Here is an outline demonstrating how OneTrust helps with information security, relating specifically to ISO 27001.
ISMS documentation
ISO 27001 requires a substantial amount of documentation to be created, reviewed, updated and properly controlled over the life of the ISMS. This documentation is vital to the effectiveness and continual improvement of the ISMS, as well as to achieving and maintaining certification. OneTrust’s document repository can be used to store and organise ISMS documentation in a central location for access by the ISMS team and other need-to-know personnel.
Security awareness training, testing and attestation
OneTrust privacy and security training templates, such as the Privacy and Security Training Quiz and Attestation template, can be used to assist with testing the effectiveness of awareness training, as well as to record employee attestations to acceptable use policies or employee responsibility documents.
Risk assessment and treatment
OneTrust can be used to identify threats and vulnerabilities for information assets or vendors, to calculate risks, and to craft and track risk treatment plans.
Statement of applicability
Clause 6.1.3 of ISO 27001 calls for the creation of a “statement of applicability” that documents the ISO 27001 Annex A controls that have been deemed applicable to the ISMS, based on a risk assessment, along with justifications for including and excluding certain controls. When combined with the risk assessment capabilities in OneTrust, the ISO 27001 Statement of Applicability template can be used to create this documentation with ease.
Internal audit and continual improvement
Use the ISO 27001 Audit Checklist template, a fully customisable questionnaire in OneTrust based on ISO 27001, to assist in conducting internal or external audits of the ISMS, to evaluate the maturity and overall effectiveness of the ISMS, and to track corrective action plans. After completing an audit, OneTrust allows you to easily generate an audit report showing an overview of your answers, comments and evidence attachments. OneTrust is also great for documenting and demonstrating the continual improvement of an ISMS. With assessment versioning and reporting features, you can easily see how your programme has grown year over year.
Asset and vendor inventory
With OneTrust, you can create and maintain inventories of your organisation’s assets and vendors, the risks associated with each, and their owners within the organisation. Additionally, OneTrust automatically generates visualisations and data-flow diagrams as tools for easier analysis and executive communication.
Incidents and breaches
With OneTrust, you can enable self-service reporting of security incidents and weaknesses, maintain incident and breach records, evaluate against breach notification obligations, and analyse overall risk with connections to your underlying inventories of data, processing activities, assets and vendors. OneTrust can be used to put incident management policies and procedures into action.