{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,19]],"date-time":"2026-02-19T15:31:51Z","timestamp":1771515111442,"version":"3.50.1"},"reference-count":24,"publisher":"Emerald","issue":"4","license":[{"start":{"date-parts":[[2020,6,8]],"date-time":"2020-06-08T00:00:00Z","timestamp":1591574400000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["ICS"],"published-print":{"date-parts":[[2020,6,8]]},"abstract":"<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Purpose<\/jats:title>\n<jats:p>This paper aims to identify the controls provisioned in ISO\/IEC 27001:2013 and ISO\/IEC 27002:2013 that need to be extended to adequately meet data protection requirements set by the General Data Protection Regulation (GDPR); it also indicates security management actions an organisation needs to perform to fulfil GDPR requirements. Thus, ISO\/IEC 27001:2013 compliant organisations can use this paper as a basis for extending the already existing security control modules towards data protection; and as guidance for reaching compliance with the regulation.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Design\/methodology\/approach<\/jats:title>\n<jats:p>This study has followed a two-step approach; first, synergies between ISO\/IEC 27001:2013 modules and GDPR requirements were identified by analysing all 14 control modules of the ISO\/IEC 27001:2013 and proposing the appropriate actions towards the satisfaction of data protection requirements. 
Second, this paper identified GDPR requirements not addressed by ISO\/IEC 27001:2013.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Findings<\/jats:title>\n<jats:p>The findings of this work include the identification of the common ground between the security controls that ISO\/IEC 27001:2013 includes and the requirements that the GDPR imposes; the actions that need to be performed based on these security controls to adequately meet the data protection requirements that the GDPR imposes; and the identification of the remaining actions an ISO\/IEC 27001 compliant organisation needs to perform to be able to adhere with the GDPR.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Originality\/value<\/jats:title>\n<jats:p>This paper provides a gap analysis and a further steps identification regarding the additional actions that need to be performed to allow an ISO\/IEC 27001:2013 certified organisation to be compliant with the GDPR.<\/jats:p>\n<\/jats:sec>","DOI":"10.1108\/ics-01-2020-0004","type":"journal-article","created":{"date-parts":[[2020,6,8]],"date-time":"2020-06-08T07:45:35Z","timestamp":1591602335000},"page":"645-662","source":"Crossref","is-referenced-by-count":15,"title":["From ISO\/IEC27001:2013 and ISO\/IEC27002:2013 to GDPR compliance controls"],"prefix":"10.1108","volume":"28","author":[{"given":"Vasiliki","family":"Diamantopoulou","sequence":"first","affiliation":[]},{"given":"Aggeliki","family":"Tsohou","sequence":"additional","affiliation":[]},{"given":"Maria","family":"Karyda","sequence":"additional","affiliation":[]}],"member":"140","reference":[{"key":"key2020100112345550600_ref001","volume-title":"Introduction to the OCTAVE Approach","year":"2003"},{"key":"key2020100112345550600_ref002","first-page":"5","volume-title":"Privacy by design: The 7 foundational principles","year":"2009"},{"key":"key2020100112345550600_ref003","unstructured":"Cloud Security Alliance (CSA) 
(2018), \u201cGDPR preparation and challenges survey report explores overall industry preparedness in achieving compliance\u201d, available at: https:\/\/cloudsecurityalliance.org\/press-releases\/2018\/04\/17\/gdpr-preparation-and-challenges-survey-report\/ (accessed 8 January 2020)."},{"key":"key2020100112345550600_ref004","unstructured":"Commission Nationale de l\u2019informatique et des libert\u00e9s (CNIL) (2018), \u201cPrivacy Impact Assessment (PIA) \u2013 knowledge bases\u201d."},{"key":"key2020100112345550600_ref005","article-title":"On the protection of individuals with regard to the processing of personal data and on the free movement of such data","author":"DIRECTIVE 95\/46\/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 24 October","year":"1995"},{"key":"key2020100112345550600_ref006","unstructured":"Ernst and Young (2018), \u201cGlobal forensic data analytics survey\u201d, available at: https:\/\/eyfinancialservicesthoughtgallery.ie\/global-forensic-data-analytics-survey-2018\/ (accessed 8 January 2020)."},{"key":"key2020100112345550600_ref007","unstructured":"European Union Agency for Cybersecurity (ENISA) (2013), \u201cRecommended cryptographic measures \u2013 securing personal data\u201d, available at: https:\/\/www.enisa.europa.eu\/publications\/recommended-cryptographic-measures-securing-personal-data (accessed 8 January 2020)."},{"key":"key2020100112345550600_ref008","first-page":"94","article-title":"The CORAS framework for a model-based risk management process","volume-title":"International Conference on Computer Safety, Reliability, and Security","year":"2002"},{"key":"key2020100112345550600_ref009","unstructured":"Gartner (2017). 
\u201cGartner says organizations are unprepared for the 2018 European Data Protection Regulation\u201d, available at: https:\/\/www.gartner.com\/en\/newsroom\/press-releases\/2017-05-03-gartner-says-organizations-are-unprepared-for-the-2018-european-data-protection-regulation (accessed 8 January 2020)."},{"key":"key2020100112345550600_ref010","unstructured":"IAPP (2018a), \u201c2018 privacy tech vendor report\u201d, available at: https:\/\/iapp.org\/resources\/article\/2019-privacy-tech-vendor-report\/ (accessed 8 January 2020)."},{"key":"key2020100112345550600_ref011","unstructured":"IAPP (2018b), \u201cIAPP-EY annual privacy governance report 2018\u201d, available at: https:\/\/iapp.org\/resources\/article\/iapp-ey-annual-governance-report-2018\/ (accessed 8 January 2020)."},{"key":"key2020100112345550600_ref012","unstructured":"IAPP (2019), \u201cGDPR one year later: looking backward and forward\u201d, available at: https:\/\/iapp.org\/news\/a\/gdpr-one-year-later-looking-backward-and-forward\/ (accessed 8 January 2020)."},{"key":"key2020100112345550600_ref013","article-title":"Information technology \u2013 Security techniques \u2013 Information security management systems \u2013 Requirements","author":"ISO\/IEC 27001:2013","year":"2013"},{"key":"key2020100112345550600_ref014","article-title":"Information technology \u2013 Security techniques \u2013 Code of practice for information security controls","author":"ISO\/IEC 27002:2013","year":"2013"},{"key":"key2020100112345550600_ref015","first-page":"3","article-title":"The General Data Protection Regulation (GDPR) Era: ten steps for compliance of data processors and data controllers","volume-title":"International Conference on Trust and Privacy in Digital Business","year":"2018"},{"key":"key2020100112345550600_ref016","unstructured":"McKinsey&Company (2018), \u201cGDPR compliance after May 2018: a continuing challenge\u201d, available at: 
https:\/\/www.mckinsey.com\/\u223c\/media\/McKinsey\/Business%20Functions\/Risk\/Our%20Insights\/GDPR%20compliance%20after%20May%202018%20A%20continuing%20challenge\/GDPR-compliance-after-May-2018_A-continuing-challenge.ashx (accessed 8 January 2020)."},{"key":"key2020100112345550600_ref017","first-page":"297","article-title":"Data protection in an increasingly globalized world","volume":"94","year":"2019","journal-title":"Ind. LJ"},{"key":"key2020100112345550600_ref018","article-title":"A terminology for talking about privacy by data minimization: Anonymity, unlinkability, undetectability, unobservability, pseudonymity, and identity management","year":"2010"},{"key":"key2020100112345550600_ref019","unstructured":"Ponemon Institute (2019). \u201cA global view of GDPR progress\u201d, available at: https:\/\/www.mwe.com\/law-firm\/gdpr\/ (accessed 8 January 2020)."},{"key":"key2020100112345550600_ref020","article-title":"679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95\/46\/EC (General Data Protection Regulation)","author":"REGULATION (EU)","year":"2016"},{"issue":"2","key":"key2020100112345550600_ref021","doi-asserted-by":"crossref","first-page":"161","DOI":"10.1007\/s12525-015-0191-0","article-title":"The challenges of personal data markets and privacy","volume":"25","year":"2015","journal-title":"Electronic markets"},{"key":"key2020100112345550600_ref022","unstructured":"Thomson Reuters (2019), \u201cStudy finds organizations are not ready for GDPR compliance issues\u201d, available at: https:\/\/legal.thomsonreuters.com\/en\/insights\/articles\/study-finds-organizations-not-ready-gdpr-compliance-issues (accessed 8 January 2020)."},{"key":"key2020100112345550600_ref023","unstructured":"Working Party 29 (2017). 
\u201cGuidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is \u2018likely to result in a high risk\u2019 for the purposes of Regulation 2016\/679\u201d, available at: https:\/\/ec.europa.eu\/newsroom\/article29\/item-detail.cfm?item_id=611236 (accessed 8 January 2020)."},{"key":"key2020100112345550600_ref024","first-page":"12","article-title":"A qualitative risk analysis and management tool \u2013 CRAMM","volume":"11","year":"2002","journal-title":"SANS InfoSec Reading Room White Paper"}],"container-title":["Information &amp; Computer Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-01-2020-0004\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-01-2020-0004\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T01:22:37Z","timestamp":1753406557000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/28\/4\/645-662\/112402"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020,6,8]]},"references-count":24,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2020,6,8]]}},"alternative-id":["10.1108\/ICS-01-2020-0004"],"URL":"https:\/\/doi.org\/10.1108\/ics-01-2020-0004","relation":{},"ISSN":["2056-4961","2056-4961"],"issn-type":[{"value":"2056-4961","type":"print"},{"value":"2056-4961","type":"print"}],"subject":[],"published":{"date-parts":[[2020,6,8]]}}}