In December 2019, ENISA released an online platform to help data controllers and processors select the security controls applicable to personal data processing.
The platform looks to tie together ISO 27001, ISO 27005, the GDPR requirements and some principles from ISO 27701, to provide a link between high-risk personal data processing and the security controls that should be applied to that activity.
The security controls defined as part of ISO 27701 are an extension of ISO 27001. Whilst a lot of organisations claim to align to ISO 27001, there are relatively few that are actually certified (approximately 32,000 valid certificates globally for ISO 27001). Therefore, ISO 27701 provides a solution for a very small subset of the overall data processing universe. It is pointed squarely at larger organisations as a privacy control framework.
ENISA has evidently seen that there is a gap in security controls advice for SMEs processing personal data, and that is the niche this online platform is aiming for.
Deep Dive Review
The overall conclusion is that ENISA has provided a fantastic framework that is let down by a set of incoherent security controls. All of the steps and controls within the framework are logical and helpful until we reach the final stage, which is the selection of the relevant security controls to apply.
The framework provides a set of security controls that are to be applied or considered, dependent on the risk rating of the processing you are doing. All of this would make perfect sense if the controls were coherent and effective.
The scope of the Online Platform explains that it should be applicable to all data controllers and processors. The application of security controls needs to be viewed in that context. The security controls should be applicable to both large and small data controllers/processors.
These are the controls proposed for the physical security of personal data processing taken directly from the online tool.
The risk level on the right indicates that the controls marked as green should be applied for low-risk processing, amber for medium-risk processing and red for high-risk processing.
These are not SME level controls. They are controls to be applied at scale, to physical data centres and server rooms.
The physical security of personal data processing at all levels should be based on the following principles:
- Ensure that the loss or theft of a physical asset will not compromise personal data or your ability to continue processing.
- Minimise paper records and secure them when they are required to be kept.
From these principles, you would end up with controls that require physical assets to be encrypted, backups to be taken regularly and also encrypted, and backups to be stored separately from the data processing device (so that the device and the backups cannot both be stolen at the same time, leaving you with a data availability issue).
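To show what those two principles look like when written down as a check rather than as a control catalogue, here is a small added example (not part of ENISA's platform or of the original post). It runs the principles over a constructed asset inventory and reports which assets fall short. The inventory, its asset ids, the field names and the 30-day backup window are all assumptions chosen for illustration.

```python
"""Added example: a checker for the two physical-security principles above.
Inventory records, asset ids and the backup window are constructed assumptions."""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Backup:
    taken_on: date
    encrypted: bool
    location: str          # where the backup copy physically lives


@dataclass
class Asset:
    asset_id: str
    kind: str              # "laptop", "desktop", "paper", ...
    location: str          # where the device or record itself lives
    holds_personal_data: bool
    disk_encrypted: bool = False
    locked_storage: bool = False     # paper records kept in locked storage
    backups: list = field(default_factory=list)


def check_asset(asset, today, max_backup_age_days=30):
    """Return a list of findings for one asset; an empty list means it passes.
    Principle 1: loss or theft must not expose data or stop processing.
    Principle 2: paper records are minimised and secured when kept."""
    findings = []
    if not asset.holds_personal_data:
        return findings                      # out of scope for these principles
    if asset.kind == "paper":
        if not asset.locked_storage:
            findings.append("paper records not secured")
        return findings                      # no disk or backup checks for paper
    if not asset.disk_encrypted:
        findings.append("device storage not encrypted")
    if not asset.backups:
        findings.append("no backup")         # theft would also stop processing
        return findings
    latest = max(asset.backups, key=lambda b: b.taken_on)
    if today - latest.taken_on > timedelta(days=max_backup_age_days):
        findings.append(f"latest backup older than {max_backup_age_days} days")
    if not latest.encrypted:
        findings.append("backup not encrypted")
    if latest.location == asset.location:
        # device and backup could be stolen together: availability risk
        findings.append("backup stored with the device")
    return findings


def check_inventory(assets, today, max_backup_age_days=30):
    """Map every asset id to its findings (empty list when compliant)."""
    return {a.asset_id: check_asset(a, today, max_backup_age_days) for a in assets}


# Constructed sample inventory and reference date (assumptions, not real data).
TODAY = date(2020, 1, 15)
INVENTORY = [
    Asset("LAP-01", "laptop", "office", True, disk_encrypted=True,
          backups=[Backup(date(2020, 1, 10), True, "cloud-eu-west")]),
    Asset("LAP-02", "laptop", "office", True, disk_encrypted=False,
          backups=[Backup(date(2019, 12, 1), False, "office")]),
    Asset("CAB-01", "paper", "office", True, locked_storage=False),
    Asset("DSK-01", "desktop", "office", False),
]

if __name__ == "__main__":
    for asset_id, findings in check_inventory(INVENTORY, TODAY).items():
        status = "ok" if not findings else "; ".join(findings)
        print(f"{asset_id}: {status}")
```

The point of the shape is that the same check applies whether the "physical asset" is one laptop in a two-person firm or a fleet of servers: the questions asked (is the storage encrypted, is there a recent encrypted backup, does it live somewhere else) do not change with scale, which is exactly what the platform's physical controls fail to capture.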
The physical security controls proposed as part of the online platform miss the point completely. It is much more likely that the data processing being carried out by SMEs is happening on a handful of computers/laptops or in the cloud. In that context, these security controls are not appropriate.
These are the controls proposed for resource/asset management applicable for personal data processing.
Controls D.2 and D.4 look surprisingly similar. D.4 looks like a desperate attempt to have a red control without consideration for the logic of the situation.
I would argue that “on a regular basis” is a higher-level control than “on an annual basis”, but the key fact here is that the D.4 control makes no sense and adds no value.
These are the controls proposed for network/communication security applicable for personal data processing.
Seriously!? O.5 – connection to the internet not allowed? It is not even caveated. This is barbaric.
If followed blindly by an SME, this may lead to patches not being deployed and anti-virus not being updated. Clearly, connection to the Internet without appropriate security controls is dangerous, but the security controls required to reduce that risk are exactly what SMEs would be looking for guidance on within this online platform.
These are a few of the examples where data controllers are not being given the guidance on security controls that they need to help them reduce their personal data processing risk.
The online platform provided by ENISA would be a very good tool if it were not for some basic security control deficiencies.
Dear ENISA, please take another look at the security controls and turn this online platform into a truly useful tool for data controllers and processors everywhere.