OCD Tech
European Union General Data Protection Regulation

Mapping ISO, SOC 2, and MA 201 to GDPR

March 21, 2018 | Posted by Nick DeLena | IT Security

Are you worried about the European Union’s General Data Protection Regulation (GDPR)? Are you subject to it? Are you unsure whether you are subject to it? Have you already been through other compliance initiatives, such as a SOC 2 audit or ISO 27001 certification, and are you wondering how much of that work carries over?

Here’s a primer.

How to know whether you are subject to GDPR

Source: Varankevich, Siarhei; “Territorial scope of the GDPR”, LinkedIn, 17 February 2017

GDPR takes effect on May 25, 2018. It is largely a data privacy exercise for individuals in the EU member states: it protects the personal data of data subjects who are in the Union, whether or not they are EU citizens. Its primary goal is to protect that privacy and to impose a lifecycle on end-user data, from collection through retention to deletion. Among other rights, it gives individuals the “right to erasure” (Article 17): on request, and where one of the grounds in Article 17 applies, the data controller must delete the individual’s personal data without undue delay, and any processors handling that data on the controller’s behalf must do the same.

If you are familiar with System and Organization Controls (SOC, formerly Service Organization Control) audits and ISO 27000-series certification, you are probably noticing that GDPR heads down a different path.

The SOC 2 is designed as a customizable assessment of a service organization (very often a cloud service provider) that is controls- and governance-oriented. A SOC 2 report is scoped against five Trust Services Criteria (TSC) categories, historically called Trust Services Principles (TSPs): Security, Availability, Processing Integrity, Confidentiality, and Privacy. Security is mandatory; the other four are optionally scoped in. The Privacy category comes closest to the goals of GDPR and examines concepts such as Notice, Choice and Consent, Collection, Use/Retention/Disposal, Access (by the data subject to their own data), Disclosure and Notification, and Quality.

The ISO 27000 series is a family of information security management system (ISMS) standards; ISO/IEC 27001 is the one organizations certify against. Organizations that implement its controls can choose to undergo certification by an accredited certification body. ISO 27001 is not a privacy framework: Annex A of the 2013 edition carries a single control on privacy and protection of personally identifiable information (A.18.1.4) and otherwise treats personal data as one more class of information to be handled under its classification and protection controls.

If you are a Massachusetts business or retain the data of Massachusetts residents, you should be aware of 201 CMR 17.00, the Standards for the Protection of Personal Information of Residents of the Commonwealth, more colloquially known as the Mass Data Privacy Law. This regulation, effective March 1, 2010, requires anyone who owns or licenses personal information about a Massachusetts resident to protect it with a comprehensive written information security program (the “WISP”), including appropriate policies, procedures, and technical controls.

Going back to GDPR – if you are wondering how far undergoing SOC 2 audits, being ISO 27001 certified, and being compliant with 201 CMR 17.00 gets you, we have prepared this mapping document.

If you are struggling with your compliance needs, please contact us. We have a deep bench of experienced and credentialed professionals that can help you with your SOC 2, ISO 27000-series, MA 201 CMR 17.00, and GDPR needs.

Tags: compliance, CYBER, cybersecurity, GDPR, Information Security, ISO 27000, personally sensitive information, SOC, SOC2

About Nick DeLena

Nick leads engagements across the division’s primary practice areas, including audit, security, and advisory services. He’s a 19-year veteran of IT and IT risk management, having audited, consulted, and managed IT teams in a variety of industries. He holds several leading certifications, including CISSP, CISA, CRISC, and Security+, among others, and has an MBA from Brown University.
