The GDPR (General Data Protection Regulation) has been in effect for some time now, but organisations are still struggling to meet its requirements.
Fortunately, compliance help is easier than you might expect. ISO 27001, the international information security standard, has a lot in common with the GDPR – and unlike the Regulation, it provides clear instructions on how to meet its requirements.
What does ISO 27001 have in common with the GDPR?
ISO 27001 and the GDPR are by no means interchangeable, but both contain a set of guidelines on how to manage sensitive data.
When it comes to ISO 27001, this is a set of policies, procedures and processes that form an ISMS (information security management system) – a central structure that enables organisations to manage all their security requirements in one place.
Implementing an ISO 27001-compliant ISMS is not only information security best practice but is also integral to demonstrating data protection compliance.
Indeed, many of its practices overlap with key requirements of the GDPR, such as these, outlined in Article 32:
- Take measures to pseudonymise and encrypt personal data;
- Ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- Restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and/or
- Implement a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of processing.
Article 32 also requires that organisations identify and mitigate risks that could lead to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
By following ISO 27001, you will be able to implement adequate and effective security measures, based on the outcomes of a formal risk assessment, to comply with the GDPR.
Using ISO 27001 to comply with the GDPR
So how exactly does ISO 27001 help you meet these requirements? Well, the answer is straightforward.
The Standard’s risk assessment process, which forms the backbone of the implementation project, outlines how organisations can identify the information security dangers they face, prioritise their biggest threats and select an appropriate course of action.
This process will reveal when it is appropriate to perform data encryption, for example, as well as where organisations must bolster their organisational processes or other technical defences.
Annex A of ISO 27001, which is where its controls are outlined, also contains steps that organisations can take to address cyber resilience, which will help them protect critical business processes.
The Standard also helps organisations maintain effective information security controls, requiring organisations to regularly review the actions they’ve taken.
How we can help you implement an ISMS
Learn how to successfully implement an ISO 27001 ISMS on our fully certified, practitioner-led ISO 27001 Certified ISMS Lead Implementer course.
This course teaches you the nine key steps involved in planning and adopting an ISO 27001-compliant ISMS.
Over the span of three days, you’ll discover everything you need to lead an ISO 27001 implementation project.
You’ll gain the knowledge to set out the ISMS’s scope, implement the necessary information security controls and review the ISMS over time to address any new concerns.
A version of this blog was originally published on 5 March 2019.