One of the biggest headaches when it comes to the third-party vendor assessment process is the sheer amount of time it takes to gather security information, exchange questionnaires, and constantly communicate back-and-forth among InfoSec, Sales, and customers.
To help you streamline this process, we recommend using standardized assessments and industry-validated frameworks to reduce manual effort without sacrificing security or trust. In fact, the Whistic platform gives users access to a library of standard questionnaires.
We also update our available standards to keep pace with changes in the industry. Here are two important changes to ISO standards and privacy regulation, what is affected by them, and how to use or navigate them with Whistic.
Whistic Releases ISO 27002
ISO 27002 is a widely used and recognized standard focusing on the information security controls that you might choose to implement as part of a broader information security program. Listed in Annex A of ISO 27001, these controls are what you’ll see experts refer to when discussing information security controls.
ISO 27001 outlines each control very briefly, and ISO 27002 provides detail on how to implement these controls. It provides detailed descriptions on how each control works, its objective, and how you can implement it in your organization.
It is important to note that ISO 27001 and ISO 27002 have different goals. If you’re starting with the standard or planning your ISMS implementation framework, then ISO 27001 is ideal. You should then refer to ISO 27002 once you’ve identified the controls you’ll be implementing to learn more about how each one works, how to implement them, and to what extent.
ISO 27002 was updated in 2022 and has two main changes:
- The 14 domains have been reduced to 4 domains — Organizational, People, Physical, and Technological
- The 114 controls were reduced to 93 through consolidation, clarification, and deduplication, and the update also adds 11 new controls:
  - Physical security monitoring
  - Threat intelligence
  - Configuration management
  - Information deletion
  - Data masking
  - Data leakage prevention
  - Monitoring activities
  - Information security for use of cloud services
  - Web filtering
  - Secure coding
  - ICT readiness for business continuity
Updates to ISO standards are infrequent, but if you’re thinking about becoming certified, then using these standards as a self-assessment tool is a great start. To learn more about how Whistic incorporates standards like ISO and others in a comprehensive assessment process, visit whistic.com.
Whistic Releases CPRA
In November 2020, California voters passed Proposition 24, the California Privacy Rights Act (CPRA). The CPRA amends and extends the California Consumer Privacy Act of 2018 (CCPA).
To implement the law, the CPRA established the California Privacy Protection Agency and vested it with the full administrative power, authority, and jurisdiction to implement and enforce the CCPA.
The CPRA provides unprecedented rights for California consumers by expanding several consumer rights established by the CCPA and adding new consumer rights and protections. The CPRA provides for the following consumer rights:
- The right to delete personal information
- NEW — The right to correct inaccurate information
- The right to know categories and specific pieces of personal information
- The right to opt out of sale or sharing of personal information
- NEW — The right to limit the use and disclosure of sensitive personal information
- The right of non-retaliation
- NEW — The right to opt out of automated decision-making technology
One of the most significant structural changes to privacy administration that the CPRA introduces is the creation of a new agency tasked with regulation and enforcement of the CCPA as amended by the CPRA. The California Privacy Protection Agency is overseen by a five-person board of experts in privacy and technology and will be responsible for administering, implementing, and enforcing the new, amended regulation.
Whistic has taken the legal text and translated it into a questionnaire that can be used to assess compliance both internally and within your supply chain. It is designed to help a business determine if the CCPA/CPRA is applicable and assist with compliance-requirements documentation.
The CPRA became fully operative in January 2023.