Audit and Assurance


EU GDPR Audit: Lessons learned?

  • 1.  EU GDPR Audit: Lessons learned?

    Posted 16 Jul, 2019 13:38
    Hello fellow ISACA members,
    I recently purchased the ISACA EU GDPR Audit Program bundle. The files provide some good test steps, etc. Has anyone used this bundle in an audit? And/or, for anyone that's performed an EU GDPR audit, would you mind sharing some lessons learned, key pointers in what you did, what you'd do differently?

    Please and thank you.

    Vernice Stefano
    Assistant Director, IT Audit

  • 2.  RE: EU GDPR Audit: Lessons learned?

    Posted 16 Jul, 2019 14:22
    @Vernice Stefano,

    I haven't used the bundle or performed a GDPR audit yet (except for individual applications); however, this was discussed before on this forum (before the ISACA bundle was launched). I believe it is summed up here, but you can also find more detail by searching this forum.

    Best Regards,


    Ian Cooke
    Audit & Assurance Topic Leader
    ISACA Journal Columnist

  • 3.  RE: EU GDPR Audit: Lessons learned?

    Posted 17 Jul, 2019 07:15
    Thank you @Ian Cooke.
    Long story short, I think I figured out where my gap was - I went right to the test steps. I probably should read Implementing the General Data Protection Regulation. Because how does one audit something that should be done when one does not know what it is that should be done . . .

    Vernice Stefano
    Assistant Director, IT Audit

  • 4.  RE: EU GDPR Audit: Lessons learned?

    Posted 27 Aug, 2019 20:14
    Here are important issues on GDPR that you need to note:

    1- GDPR is about human rights to control their PII.
    2- Security is only logical and judgemental, and it's only a part of GDPR. It does not give direct measures on how to implement security but just mentions best practices.
    3- You cannot become GDPR compliant through security.
    4- No tool can make you GDPR compliant.

    First step, I would say: avoid being a processor so you take yourself out of the GDPR equation.
    Second step: put PII at the center of the risk assessment (assess and categorize).
    Third step: mind the data movement between geo locations (not all animals are equal). Moving data from country X to country Y is a big flag for GDPR.

    @Vernice Stefano Could you please comment on my reply? Could you share what steps you do for the audit? That would be so helpful to exchange more information.


    Marat Kaisseov

  • 5.  RE: EU GDPR Audit: Lessons learned?

    Posted 29 Aug, 2019 07:37
    Hello Marat,

    I'm in the midst of fieldwork but can share my high-level scope. Because GDPR encompasses more than information or cyber security (as you stated), it was/is important for me to keep the scope to those areas that touch on information security controls; however, you need to know what you have and where/in what systems it is stored, processed, etc. before performing risk assessments, etc. Based on reading and research of EU GDPR and lessons learned 6 months to 1 year after the effective date, the common theme was that you need to know what you have before you can perform risk assessments, design/perform effective controls, etc. So the scope centers around Article 30: record of processing activities (ROPA), i.e., inventory.

    I purchased the EU GDPR audit program bundle from ISACA ($50), and it has mapped Article 30 (and others) to data protection and privacy (DPP) #5 (Manage controllers and processors). I also mapped ROPA to NIST Cybersecurity Framework (CSF) subcategory Identify.Asset Management-2: Software platforms and applications within the organizations are inventoried. ISACA has audit programs for NIST CSF (free). Either one will work for my purposes.

    Hope that helps.

    Vernice Stefano
    Assistant Director, IT Audit