{"id":15075,"date":"2018-10-16T20:30:19","date_gmt":"2018-10-16T20:30:19","guid":{"rendered":"https:\/\/multiacademstg.wpengine.com\/27001academy\/?p=15075"},"modified":"2024-12-21T13:05:49","modified_gmt":"2024-12-21T13:05:49","slug":"does-iso-27001-help-ccpa-compliance","status":"publish","type":"post","link":"https:\/\/staging.advisera.com\/27001academy\/blog\/2018\/10\/16\/does-iso-27001-help-ccpa-compliance\/","title":{"rendered":"Does ISO 27001 help CCPA compliance?"},"content":{"rendered":"<p>In the wake of growing concerns over privacy protection, the U.S. state of California passed a new law in June 2018 to protect the privacy of California consumers. Coming into force on January 1, 2020, this law requires new levels of commitment by organizations regarding the handling of personal information, including significant penalties for noncompliance and for security breaches.<\/p>\n<p>This article will show how <a href=\"https:\/\/staging.advisera.com\/27001academy\/what-is-iso-27001\/\" target=\"_blank\" rel=\"noopener noreferrer\">ISO 27001<\/a>, the leading standard for Information Security Management Systems (ISMS), can be used to support compliance with the requirements of this new law.<\/p>\n<h2>What is the CCPA?<\/h2>\n<p>The California Consumer Privacy Act (CCPA) is a California state law that regulates the collection, use, and sale of the personal information of California residents. 
The CCPA has some resemblance to the European Union General Data Protection Regulation (<a href=\"https:\/\/staging.advisera.com\/eugdpracademy\/what-is-eugdpr\/\" target=\"_blank\" rel=\"noopener noreferrer\">EU GDPR<\/a>): it lacks some of the EU GDPR&#8217;s most onerous requirements, but in other respects it goes even further.<\/p>\n<p>Broadly speaking, the CCPA introduces:<\/p>\n<ul>\n<li>consumers\u2019 right to know what personal information is being collected about them;<\/li>\n<li>consumers\u2019 right to know whether their personal information is sold or disclosed, and to whom;<\/li>\n<li>consumers\u2019 right to say no to the sale of their personal information;<\/li>\n<li>consumers\u2019 right to access their own personal information;<\/li>\n<li>consumers\u2019 right to equal service and price, even if they exercise their privacy rights;<\/li>\n<li>broad definitions of \u201cconsumer\u201d (section 1798.140(g)) and \u201cpersonal information\u201d (section 1798.140(o)(1)), combined with narrow exclusions;<\/li>\n<li>multiple thresholds that define which businesses must comply with it.<\/li>\n<\/ul>\n<h2>Who must comply with the CCPA?<\/h2>\n<p>A for-profit business that operates in California and meets any one of the three thresholds below must comply with the CCPA:<\/p>\n<ul>\n<li>businesses with annual gross revenues exceeding $25 million;<\/li>\n<li>businesses that annually buy, receive, sell, or share the personal information of 50,000 or more California residents, households, or devices; or<\/li>\n<li>businesses that derive 50 percent or more of their annual revenue from selling California residents\u2019 personal information.<\/li>\n<\/ul>\n<p>Civil penalties for failure to comply with the CCPA are up to $2,500 for each violation and up to $7,500 for each intentional violation of any provision of this 
regulation. Regarding data breaches, the CCPA also gives consumers a private right of action: statutory damages of between $100 and $750 per California resident per incident, or actual damages, whichever is greater, where nonencrypted or nonredacted personal information is exposed because the business failed to implement and maintain reasonable security procedures and practices.<\/p>\n<h2>What is ISO 27001?<\/h2>\n<p>ISO 27001 is the international standard that specifies the requirements for an Information Security Management System (ISMS), i.e., how to manage information security in an organization. ISO 27001:2013 consists of 10 clauses in the main part of the standard (the auditable requirements are in clauses 4 to 10), and 114 <a href=\"https:\/\/staging.advisera.com\/27001academy\/documentation\/statement-of-applicability\/\" target=\"_blank\" rel=\"noopener noreferrer\">security controls<\/a>\u00a0grouped into 14 sections in Annex A. (The 2022 revision of the standard restructured Annex A into 93 controls in four themes; the clause and control numbers used in this article are those of ISO 27001:2013.) The main clauses of ISO 27001:2013 are:<\/p>\n<ul>\n<li style=\"list-style-type: none;\">4 \u2013 Context of the organization<\/li>\n<li style=\"list-style-type: none;\">5 \u2013 Leadership<\/li>\n<li style=\"list-style-type: none;\">6 \u2013 Planning<\/li>\n<li style=\"list-style-type: none;\">7 \u2013 Support<\/li>\n<li style=\"list-style-type: none;\">8 \u2013 Operation<\/li>\n<li style=\"list-style-type: none;\">9 \u2013 Performance evaluation<\/li>\n<li style=\"list-style-type: none;\">10 \u2013 Continual improvement<\/li>\n<\/ul>\n<p>ISO 27001:2013 Annex A covers controls related to the organization of information security, human resources, physical and environmental security, information technology, supplier relationships, etc.<\/p>\n<p>For detailed information, read: <a href=\"https:\/\/staging.advisera.com\/27001academy\/what-is-iso-27001\/\" target=\"_blank\" rel=\"noopener noreferrer\">What is ISO 27001?<\/a>\u00a0and <a href=\"https:\/\/staging.advisera.com\/27001academy\/iso-27001-controls\/\" target=\"_blank\" rel=\"noopener noreferrer\">An overview of ISO 27001:2013 Annex A<\/a>.<\/p>\n<h2>How ISO 27001 can support CCPA compliance<\/h2>\n<p>The requirements of the CCPA can be mapped to the following ISO 27001 clauses and controls:<\/p>\n<table class=\"table\" border=\"0\" cellspacing=\"2\" cellpadding=\"2\">\n<thead>\n<tr>\n<td style=\"width: 20%;\">CCPA requirement<\/td>\n<td style=\"width: 
20%;\">ISO 27001 clause \/ control<\/td>\n<td style=\"width: 30%;\">Rationale for applying ISO 27001 to comply with the CCPA<\/td>\n<td style=\"width: 30%;\">For more information<\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"padding-left: 10px;\">1798.140(o)(1) \u2013 Definition of \u201cpersonal information\u201d<\/td>\n<td style=\"padding-left: 10px;\">Controls A.8.1.1 &#8211; Inventory of assets, and A.8.2.1 &#8211; Classification of information<\/td>\n<td style=\"padding-left: 10px;\">Identifying all data that meets the CCPA definition of personal information, together with its sources, storage locations, uses, and recipients, is a precondition for answering consumer requests, honoring opt-outs, and applying proper access control to that data and to its exchange with third parties.<\/td>\n<td style=\"padding-left: 10px;\"><a href=\"https:\/\/staging.advisera.com\/27001academy\/blog\/2014\/05\/12\/information-classification-according-to-iso-27001\/\" target=\"_blank\" rel=\"noopener noreferrer\">Information classification according to ISO 27001<\/a><br \/>\n<a href=\"https:\/\/staging.advisera.com\/27001academy\/knowledgebase\/how-to-handle-asset-register-asset-inventory-according-to-iso-27001\/\" target=\"_blank\" rel=\"noopener noreferrer\">How to handle the Asset register (Asset inventory) according to ISO 27001<\/a><\/td>\n<\/tr>\n<tr>\n<td style=\"padding-left: 10px;\">1798.135(a)(1) \u2013 Requirements for Internet Web pages<\/td>\n<td style=\"padding-left: 10px;\">Control A.14.1.1 &#8211; Information security requirements analysis and specification<\/td>\n<td style=\"padding-left: 10px;\">The organization\u2019s web pages must be specified and built to meet CCPA requirements, such as providing a clear and conspicuous \u201cDo Not Sell My Personal Information\u201d link through which consumers can opt out of the sale of their personal information.<\/td>\n<td style=\"padding-left: 10px;\"><a href=\"https:\/\/staging.advisera.com\/27001academy\/blog\/2016\/01\/11\/how-to-set-security-requirements-and-test-systems-according-to-iso-27001\/\" target=\"_blank\" rel=\"noopener noreferrer\">How to set security requirements and test systems according to ISO 
27001<\/a><\/td>\n<\/tr>\n<tr>\n<td style=\"padding-left: 10px;\">1798.130(a) &#8211; Methods for submitting requests for information<\/td>\n<td style=\"padding-left: 10px;\">Clause 7.4 &#8211; Communication<\/td>\n<td style=\"padding-left: 10px;\">Organizations must make available to consumers designated methods for submitting requests, including, at a minimum, a toll-free telephone number and, if the business maintains an Internet Web site, a Web site address. These channels, and who handles the requests that arrive through them, must be planned and documented.<\/td>\n<td style=\"padding-left: 10px;\"><a href=\"https:\/\/staging.advisera.com\/27001academy\/blog\/2014\/10\/27\/how-to-create-a-communication-plan-according-to-iso-27001\/\" target=\"_blank\" rel=\"noopener noreferrer\">How to create a Communication Plan according to ISO 27001<\/a><\/td>\n<\/tr>\n<tr>\n<td style=\"padding-left: 10px;\">1798.135(a)(2) \u2013 Requirements for updating privacy policies<\/td>\n<td style=\"padding-left: 10px;\">Control A.18.1.1 &#8211; Identification of applicable legislation and contractual requirements<\/td>\n<td style=\"padding-left: 10px;\">The CCPA must be identified as applicable legislation, and its disclosure and consumer-rights requirements must be reflected in the organization\u2019s privacy policy and in the relevant procedures and systems.<\/td>\n<td style=\"padding-left: 10px;\"><a href=\"https:\/\/staging.advisera.com\/eugdpracademy\/blog\/2018\/04\/17\/what-is-privacy-by-design-and-default-according-to-gdpr\/\" target=\"_blank\" rel=\"noopener noreferrer\">What is privacy by design &amp; default according to GDPR?<\/a><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>In short, ISO 27001 can help produce and organize the information that organizations need to comply with the CCPA, and to show regulators that the implemented controls are effective.<\/p>\n<h2>Will compliance with the EU GDPR help comply with the CCPA?<\/h2>\n<p>Although the CCPA resembles the EU GDPR, simply extending your existing EU GDPR measures is not enough to ensure compliance with the CCPA. 
Here are some examples:<\/p>\n<ul>\n<li>The CCPA prescribes specific disclosures, communication channels, and other concrete measures that the EU GDPR does not require.<\/li>\n<li>The CCPA imposes more rigid restrictions on the sale and sharing of personal information for commercial purposes than the EU GDPR does.<\/li>\n<\/ul>\n<h2>ISO 27001: A solid basis for privacy protection<\/h2>\n<p>First published in 2005, and revised in 2013 and 2022, ISO 27001 is a mature standard with a track record of integration with other legal requirements such as the Sarbanes-Oxley Act, U.S. DFARS 252.204-7012, and the EU GDPR, the last of which is the most similar to the CCPA.<\/p>\n<p>By adopting ISO 27001 practices to support CCPA compliance, organizations that process California residents\u2019 data gain a systematic way to ensure and demonstrate the effectiveness of the security controls and procedures related to privacy protection, which also matters for the CCPA\u2019s \u201creasonable security\u201d standard in the event of a breach. They also benefit from review activities, such as internal audits and management reviews, that improve security measures when and where necessary.<\/p>\n<p><em><span class=\"notion-enable-hover\" data-token-index=\"0\">To automate your compliance with ISO 27001 security controls,<\/span><\/em> <a class=\"notion-link-token notion-focusable-token notion-enable-hover\" tabindex=\"0\" href=\"https:\/\/staging.advisera.com\/conformio\/\" target=\"_blank\" rel=\"noopener\" data-token-index=\"2\"><span class=\"link-annotation-unknown-block-id-1092142182\">sign up for a free trial<\/span><\/a> <em><span class=\"notion-enable-hover\" data-token-index=\"4\">of Conformio, the leading ISO 27001 compliance software.<\/span><\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In the wake of growing concerns over privacy protection, the U.S. state of California passed a new law in June 2018 to protect the privacy of California consumers. 
Coming into force on January 1, 2020, this law requires new levels of commitment by organizations regarding the handling of personal information, &#8230;<\/p>\n","protected":false},"author":41,"featured_media":15076,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[381,1457,1709,1710],"class_list":["post-15075","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","tag-iso-27001","tag-privacy","tag-ccpa","tag-legal-compliance"],"acf":[],"_links":{"self":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/15075","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/users\/41"}],"replies":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/comments?post=15075"}],"version-history":[{"count":1,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/15075\/revisions"}],"predecessor-version":[{"id":103215,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/15075\/revisions\/103215"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/media\/15076"}],"wp:attachment":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/media?parent=15075"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/categories?post=15075"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/tags?post=15075"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}
","templated":true}]}}