Organisations have struggled with the GDPR (General Data Protection Regulation) since it took effect just under a year ago.
But compliance help is easier than you might expect. ISO 27001, the international standard for implementing and maintaining an ISMS (information security management system), has a lot in common with the GDPR – and unlike the Regulation, it provides clear instructions on how to meet its requirements.
Using ISO 27001 in your GDPR project
The similarities between ISO 27001 and the GDPR are focused around Article 32 of the Regulation, which addresses the security of data processing.
The GDPR sets out four measures that, taken together, demonstrate that “appropriate technical and organisational measures” have been implemented:
- The pseudonymisation and encryption of personal data;
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
ISO 27001 addresses each of these requirements.
The Standard provides a list of controls that organisations select and implement based on the findings of their risk assessment.
This includes data encryption, which is recommended as one of the most effective ways of securing information and protecting its confidentiality, integrity and availability.
There are also several controls that address cyber resilience, helping organisations protect critical business processes and make sure data is still available in the event of a disruptive incident.
Organisations should regularly review their controls in two ways. First, they should perform gap analyses to confirm which controls they have selected and whether each one has actually been implemented. Second, they should audit the ISMS to obtain a comprehensive assessment of their overall compliance status.
How secure is your organisation?
Those who want to know how effective their organisation is at identifying and dealing with risks should take our cyber security self-assessment. This short questionnaire asks you about your defence measures and suggests ways for you to become more secure.