| The Utilization of ISO/IEC 27001:2013 as a Framework for Security Improvement in Accordance with GDPR for SMEs | |
|---|---|
| DOI | |
| Creator | Pongporn Pawanawichien |
| Title | The Utilization of ISO/IEC 27001:2013 as a Framework for Security Improvement in Accordance with GDPR for SMEs |
| Contributor | Thossaporn Thossansin, Auttapon Pomsathit |
| Publisher | Faculty of Science and Technology, Suan Sunandha Rajabhat University |
| Publication Year | 2564 |
| Journal Title | Suan Sunandha Science and Technology Journal |
| Journal Vol. | 8 |
| Journal No. | 2 |
| Page no. | 11 to 17 |
| Keyword | ISO/IEC 27001:2013, GDPR, Data privacy, SMEs and Personally Identifiable Information |
| URL Website | www.ssstj.sci.ssru.ac.th |
| Website title | Suan Sunandha Science and Technology Journal (SSSTJ) |
| ISSN | 2351-0889 |
| Abstract | The General Data Protection Regulation (GDPR), a regulation from the European Union (EU), aims for the security of 'Personally Identifiable Information' (PII) of EU residents. It gives an individual the power to have control over the processing of their personal data by organizations. As it is, the regulation does refer to the information security controls needed to ensure the security of PII. In this paper, we propose an information security assessment on the management of PII for Small and Medium-sized Enterprises (SMEs) by incorporating 'ISO/IEC 27001:2013 Annex A. Reference control objectives and controls' into the management of PII in accordance with GDPR for PII security improvement. We have determined that following the quantitative research method is appropriate, as this research is aimed at determining the existence of information security controls applicable to the management of PII within the organization. A set of questions was created for interviews with sampled organizations to determine the existence of information security controls according to 'ISO/IEC 27001:2013 Annex A. Reference control objectives and controls'. Content analysis, where pre-existing records and evidence will be requested and reviewed, will also be applied to ensure that the information security controls are actually implemented. It was found, however, that in most organizations there exists good coverage of the information security controls according to 'ISO/IEC 27001:2013 Annex A. Reference control objectives and controls', but they have difficulty providing evidence justifying the adequacy of the information security controls implemented. This is mainly due to the lack of management systems to justify the adequacy of the various security controls implemented in the first place. 'ISO/IEC 27001:2013' may be used as a framework for PII security control assessment to justify the adequacy of, or improve upon, the various security controls implemented for PII. |