|Mapping of Criteria: ISO 27002 to the AICPA and CICA GAPP’s Security for Privacy Principle
The ISO/IEC 27002:2005 Standard (ISO 27002), Information technology – Security techniques – Code of practice for information security management, can be used by any organization to establish or improve upon its information security management program. Organizations typically use ISO 27002 to identify information security management practices that help them address their information security requirements. It is not necessary for organizations to implement all of the ISO 27002 practices; rather, organizations implement those practices that are relevant to their risks, policy objectives, and legal, statutory, regulatory, and contractual requirements.
The AICPA and CICA Generally Accepted Privacy Principles (GAPP), August 2009, eighth principle, Security for Privacy, requires that an entity “protect personal information against unauthorized access (both physical and logical).” It further states in criterion 8.2.1, Information Security Program, that the security program should address, but not be limited to, twelve specific areas insofar as they relate to the security of personal information. The twelve specific areas are drawn from ISO 27002. Note, however, that it is not necessary to meet all of the criteria of ISO 27002 to satisfy the AICPA and CICA GAPP criterion 8.2.1.
If an organization is currently ISO 27002 certified, they are likely in compliance with the AICPA and CICA GAPP Security for Privacy principle criteria.
To elaborate on the relationship between ISO 27002 and GAPP, the AICPA and CICA Privacy Task Force cross-referenced or “mapped” the detailed criteria from ISO 27002, to GAPP’s Security for Privacy principle criteria. The purpose and objectives of this mapping initiative are as follows:
Provide users of ISO 27002 (organizations whose information security management practices meet the requirements of the standard) with an understanding of how the information security management criteria relate to privacy requirements of the AICPA and CICA GAPP.
Provide users of GAPP with an understanding of how GAPP privacy criteria relate to the information security management requirements of ISO 27002.
The detailed mapping is one-directional. The starting point for the detailed mapping is ISO 27002 with cross-references to the AICPA and CICA GAPP. The detailed mapping is therefore most suited for the first purpose and objective above. However, the detailed mapping may also be used to search on a specific GAPP criterion and determine whether, and specifically where it is considered relevant to ISO 27002. This would allow a GAPP user to quickly locate information security management practice ideas within ISO 27002 to “operationalize” the cross-referenced GAPP criterion.
In developing this cross-reference map, we make the following observations regarding the differences between ISO 27002 and the AICPA and CICA GAPP:
- GAPP contains high-level privacy principles and criteria for personal information, including ‘security for privacy’ requirements; whereas, ISO 27002 contains detailed security practices for all types of information assets. There are many good security practices mentioned in ISO 27002 which would complement GAPP.
- Users of GAPP are encouraged to comply with all the criteria. However, if GAPP is being used as criteria for a privacy attest engagement, all GAPP criteria must be met. Users of ISO 27002 are advised to pick and choose among the security practices mentioned according to their security requirements.
- While both documents specify certain IT general controls and application controls, ISO 27002 requires a broader selection of such controls than GAPP. For example, GAPP does not address control of internal processing topics such as job schedulers, job run-to-run balancing and reconciling controls, and logging and review of job completion codes; whereas, ISO 27002, criterion 12.2.2, Control of internal processing, addresses these IT general controls.
- ISO 27002 is more specific to technologies or categories of technologies than GAPP. For example, ISO 27002 addresses instant messaging (IM) in criterion 10.8.4; however, GAPP does not mention this category of technology.
- The requirements in GAPP are focused on risks and internal controls related to the privacy of personal information and less on efficiency of operations; whereas, ISO 27002 includes practices related to efficiency of operations.
See the detailed mapping document for more information.
The source documents used for this mapping initiative included:
- ISO/IEC 27002:2005, Information technology – Security techniques – Code of practice for information security management.
- Generally Accepted Privacy Principles, August 2009. GAPP are essential to the proper protection and management of personal information. They are based on internationally known fair information practices included in many privacy laws and regulations of various jurisdictions around the world and recognized good privacy practices. The 10 privacy principles in GAPP are management; notice; choice and consent; collection; use, retention, and disposal; access; disclosure to third parties; security for privacy; quality; and monitoring and enforcement.
© ISO. All rights reserved. This material is reproduced from ISO/IEC 27002:2005 with permission of ANSI on behalf of ISO. No part of this material may be copied or reproduced in any form, electronic retrieval system or otherwise or made available on the internet, a public network, by satellite or otherwise without the prior written consent of the ANSI. Copies of ISO/IEC 27002:2005 can be purchased from American National Standards Institute (ANSI).
© American Institute of Certified Public Accountants, Inc. and Canadian Institute of Chartered Accountants. All rights reserved. Copies of GAPP can be downloaded from the AICPA and the CICA Web sites, at www.aicpa.org/privacy and www.cica.ca/privacy, respectively.