Does ISO 27001 help CCPA compliance?

In the wake of the increasing concerns over privacy protection, the U.S. state of California passed a new regulation at the end of June of this year to ensure the protection of Californian consumers. Coming into force by January 1, 2020, this law requires new levels of commitment by organizations regarding the handling of information, including severe penalties for noncompliance and security breaches.

This article will show how ISO 27001, the leading standard for Information Security Management Systems (ISMS), can be used to ensure compliance with the clauses of this new regulation.

What is the CCPA?

The California Consumer Privacy Act (CCPA) is a U.S. regulation, from the state of California, related to the processing of personal data of California residents. This regulation has some resemblance to the European Union General Data Protection Regulation (EU GDPR), but while it lacks some of the EU GDPR’s most onerous requirements, in other respects it goes even further.

Broadly speaking, the CCPA introduces:

  • consumers’ right to know what personal information is being collected;
  • consumers’ right to know whether their personal information is sold or disclosed, and to whom;
  • consumers’ right to say no to the sale of their personal information;
  • consumers’ right to access their own personal information;
  • consumers’ right to equal service and price, even if they exercise their privacy rights;
  • broad definitions of “consumer” (clause 140(g)) and “personal information” (clause 1798.140(o)(1)) and, at the same time, limits to exclusion conditions;
  • multiple thresholds to define who must comply with it.

Who must comply with the CCPA?

If your organization falls under any one of the three thresholds described below, it must comply with the CCPA:

  • companies with annual gross revenues of $25 million per year;
  • companies that obtain the personal information of 50,000 or more California residents, households, or devices annually; or
  • companies receiving 50 percent or more of their annual revenue from selling California residents’ personal information.

Fees for failure to comply with the CCPA may vary from $2,500 per unintentional violation up to $7,500 per intentional violation of any provision of this regulation. Regarding data breaches, the fee can be between $100 and $750 per California resident per incident, or actual damages, whichever is greater.

What is ISO 27001?

ISO 27001 is the ISO standard that describes how to manage information security in an organization. It consists of 10 clauses in the main part of the standard, and 114 security controls grouped into 14 sections in Annex A. ISO 27001:2013 clauses from the main part of the standard are:

  • 4 – Context of the organization
  • 5 – Leadership
  • 6 – Planning
  • 7 – Support
  • 8 – Operation
  • 9 – Performance evaluation
  • 10 – Continual improvement

ISO 27001:2013 Annex A covers controls related to organizational structure (both physical and logical), human resources, information technology, supplier management, etc.

For detailed information, read: What is ISO 27001? and An overview of ISO 27001:2013 Annex A.

How ISO 27001 can fulfill the CCPA

The requirements of the CCPA can be related to the following ISO 27001 clauses and controls:

Each entry below maps a CCPA requirement to the ISO 27001 clause or control that addresses it, gives the rationale for applying that clause or control, and points to further reading.

CCPA requirement: 1798.140(o)(1) – Definition of “personal information”
ISO 27001 clause / control: Controls A.8.1.1 – Inventory of assets, and A.8.2.1 – Classification of information
Rationale: The identification of all data defined as personal information, as well as information sources, storage locations, usage, and recipients, is needed to establish proper access control and data exchange.
For more information: Information classification according to ISO 27001; How to handle the Asset register (Asset inventory) according to ISO 27001

CCPA requirement: 1798.135(a)(1) – Requirements for Internet Web pages
ISO 27001 clause / control: Control A.14.1.1 – Information security requirements analysis and specification
Rationale: The organization’s web pages need to consider requirements such as allowing consumers to opt out of the sale of their personal information.
For more information: How to set security requirements and test systems according to ISO 27001

CCPA requirement: 1798.130(a) – Methods for submitting requests for information
ISO 27001 clause / control: Clause 7.4 – Communication
Rationale: Organizations must provide, at a minimum, a toll-free telephone number, and if the business maintains an Internet Web site, a Web site address.
For more information: How to create a Communication Plan according to ISO 27001

CCPA requirement: 1798.135(a)(2) – Requirements for updating privacy policies
ISO 27001 clause / control: Control A.18.1.1 – Identification of applicable legislation and contractual requirements
Rationale: New privacy requirements must be included in the organization’s current, relevant policies and systems.
For more information: What is privacy by design & default according to GDPR?

In short, ISO 27001 can help produce and organize the information needed by organizations to comply with the CCPA and show regulators the effectiveness of the implemented controls.

Will compliance with the EU GDPR help comply with the CCPA?

Although the CCPA resembles the GDPR, just expanding your coverage of EU GDPR measures is not enough to ensure compliance with the CCPA. These are some examples:

  • The CCPA prescribes disclosures, communication channels, and other concrete measures that are not required by the EU GDPR.
  • The CCPA imposes more rigid restrictions on data sharing for commercial purposes than does the EU GDPR.

ISO 27001: A solid basis for privacy protection

First published in 2005, and revised in 2013, ISO 27001 is a seasoned standard with successful cases of integration with other laws and regulations such as Sarbanes-Oxley, U.S. DFARS 7012, and the EU GDPR, the last of these being the most similar to the CCPA.

By adopting ISO 27001 practices to support CCPA compliance, organizations working with California citizens’ data can benefit from a systematic way to ensure and demonstrate the effectiveness of the security controls and procedures related to privacy protection. They can also benefit from review activities to improve security measures when and where necessary.

To learn how ISO 27001 is used in implementing the European privacy regulation, see this free webinar: How to integrate GDPR with ISO 27001.

Rhand Leal

Rhand Leal has more than 15 years of experience in information security, and for six years he continuously maintained a certified Information Security Management System based on ISO 27001.

Rhand holds an MBA in Business Management from Fundação Getúlio Vargas. Among his certifications are ISO 27001 Lead Auditor, ISO 9001 Lead Auditor, Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and others. He is a member of the ISACA Brasília Chapter.