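@article{Pawanawichien_Thossansin_Pomsathit_2022,
  author        = {Pawanawichien, Pongporn and Thossansin, Thossaporn and Pomsathit, Auttapon},
  title         = {The Utilization of {ISO/IEC} 27001:2013 as a Framework for Security Improvement in Accordance with {GDPR} for {SMEs}},
  journal       = {Suan Sunandha Science and Technology Journal},
  volume        = {8},
  number        = {2},
  pages         = {11--17},
  year          = {2022},
  month         = nov,
  address       = {Bangkok, Thailand},
  url           = {https://li02.tci-thaijo.org/index.php/ssstj/article/view/215},
  abstractNote  = {General Data Protection Regulation (GDPR)---a regulation from the European
                   Union (EU)---aims at the security of `Personally Identifiable Information' (PII)
                   of EU residents. It gives an individual the power to control the processing of
                   their personal data by organizations. As it is, the regulation does refer to the
                   information security controls needed to ensure the security of PII. In this
                   paper, we propose an information security assessment of the management of PII
                   for Small and Medium-sized Enterprises (SMEs) by incorporating `ISO/IEC
                   27001:2013 Annex A. Reference control objectives and controls' into the
                   management of PII in accordance with GDPR for PII security improvement. We have
                   determined that following the quantitative research method is appropriate, as
                   this research aims to determine the existence of information security controls
                   applicable to the management of PII within the organization. A set of questions
                   was created for interviews with sampled organizations to determine the existence
                   of information security controls according to `ISO/IEC 27001:2013 Annex A.
                   Reference control objectives and controls'. Content analysis, in which
                   pre-existing records and evidence are requested and reviewed, is also applied to
                   ensure that the information security controls are actually implemented. It was
                   found that most organizations have good coverage of the information security
                   controls according to `ISO/IEC 27001:2013 Annex A. Reference control objectives
                   and controls', but have difficulty providing evidence justifying the adequacy of
                   the information security controls implemented. This is mainly due to the lack of
                   management systems to justify the adequacy of the various security controls
                   implemented in the first place. `ISO/IEC 27001:2013' may be used as a framework
                   for PII security control assessment to justify the adequacy of, or improve upon,
                   the various security controls implemented for PII.},
  internal-note = {Cleaned from a reference-manager export: HTML tags (<p>, <br>) stripped from
                   abstractNote, Unicode quotes and dashes replaced with LaTeX equivalents, typos
                   in the abstract corrected, month as a BibTeX macro, page range with a double
                   hyphen, acronyms in title brace-protected, Zotero-style `place' mapped to
                   `address'. No DOI is recorded; the url is the only locator. NOTE(review): the
                   paper says `PII', whereas GDPR's own legal term is `personal data'; keep that in
                   mind when citing it for compliance scoping.},
}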