How ISO 27001 can help you comply with the GDPR
ISO/IEC 27001 provides an excellent starting point for putting in place the technical and organisational measures that the General Data Protection Regulation (GDPR) requires organisations to take to protect personal data.
In fact, a company that has implemented ISO 27001 has already addressed a large part of the GDPR's security requirements, because the standard's risk-based approach is aimed at reducing the likelihood and impact of a breach.
The GDPR states that organisations must adopt appropriate policies, procedures and processes to protect the personal data they hold.
Article 32 of the GDPR specifically requires organisations to, as appropriate:
- Take measures to pseudonymise and encrypt personal data;
- Ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- Restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident; and
- Implement a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of processing.
Article 32 further requires the appropriate level of security to be assessed against the risks presented by the processing, in particular those arising “from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data”, so that those risks are identified and mitigated.
An effective information security management system (ISMS) that conforms to ISO 27001, and whose scope covers the systems and processes that handle personal data, supplies the risk assessment, control selection, testing and review cycle that all of the above requirements call for.
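The first Article 32 measure above, pseudonymisation, is easy to get wrong in practice: hashing an e-mail address or customer number with a plain, unkeyed hash is not pseudonymisation, because anyone can re-hash a list of guesses and recover the original value. The following Python script is an added example, not code from the original page or from IT Governance, and shows the difference between that naive approach and a keyed pseudonym (HMAC-SHA256) whose key is the “additional information” that must be held separately from the data. The keys, the candidate identifier list and the e-mail addresses are constructed for the demonstration.

```python
import hashlib
import hmac
from typing import Callable, Iterable, Optional

# Constructed demonstration keys. In production the key is the "additional
# information" that the GDPR requires to be kept separately from the
# pseudonymised data (for example in an HSM or key-management service), and it
# must be generated from a cryptographically secure random source.
KEY_A = b"constructed-demo-key-A-not-for-production"
KEY_B = b"constructed-demo-key-B-not-for-production"

# Constructed list of identifiers an attacker could plausibly guess.
CANDIDATES = [
    "bob@example.com",
    "carol@example.com",
    "alice@example.com",
    "dave@example.com",
]


def normalise(identifier: str) -> bytes:
    """Canonicalise so 'Alice@Example.com ' and 'alice@example.com' map to one pseudonym."""
    return identifier.strip().lower().encode("utf-8")


def naive_hash(identifier: str) -> str:
    """Unkeyed SHA-256: deterministic, but reversible by guessing when the input space is small."""
    return hashlib.sha256(normalise(identifier)).hexdigest()


def pseudonymise(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 pseudonym: stable for a given key, not linkable to the identifier without it."""
    return hmac.new(key, normalise(identifier), hashlib.sha256).hexdigest()


def dictionary_attack(target: str, candidates: Iterable[str],
                      hasher: Callable[[str], str]) -> Optional[str]:
    """Re-hash each guess with the attacker's hasher and return the matching guess, if any."""
    for guess in candidates:
        if hmac.compare_digest(hasher(guess), target):
            return guess
    return None


def demo() -> dict:
    """Return the outcomes of the checks a reviewer of a pseudonymisation scheme would want to see."""
    victim = "alice@example.com"
    return {
        # Same key and same (normalised) identifier give the same pseudonym, so records stay linkable.
        "linkable_with_key": pseudonymise("Alice@Example.com ", KEY_A) == pseudonymise(victim, KEY_A),
        # A different key gives a different pseudonym; per-purpose keys prevent cross-dataset linkage.
        "unlinkable_across_keys": pseudonymise(victim, KEY_A) != pseudonymise(victim, KEY_B),
        # The unkeyed hash of a guessable value is recovered from a tiny candidate list.
        "naive_hash_recovered": dictionary_attack(naive_hash(victim), CANDIDATES, naive_hash),
        # The keyed pseudonym is not recovered by the same attack without the key...
        "keyed_recovered_without_key": dictionary_attack(
            pseudonymise(victim, KEY_A), CANDIDATES, naive_hash),
        # ...but it is if the key leaks, which is why the key must be stored separately.
        "keyed_recovered_with_key": dictionary_attack(
            pseudonymise(victim, KEY_A), CANDIDATES, lambda g: pseudonymise(g, KEY_A)),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The last check is the practical caveat: a keyed pseudonym is only as good as the separation between the pseudonymised dataset and the key, so the key's storage, access control and rotation belong in the ISMS risk assessment alongside the data itself.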
Does the GDPR offer guidance for avoiding a data breach?
Article 32 of the GDPR is the primary provision requiring technical measures to protect data. Although it gives examples of security measures and controls, the article does not provide detailed guidance regarding what you should do to achieve this.
Instead, the GDPR requires organisations to take account of the state of the art, which in practice means looking to existing best practice and recognised standards, such as ISO 27001.
How to improve information security under the GDPR
Although many businesses understand the importance of implementing the right procedures to detect, report and investigate a data breach, not many are aware of how to go about this effectively.
Seven steps that can help you prevent a data breach:
- Find out where the personal data you hold resides.
- Identify all the risks that could lead to a breach of that personal data.
- Apply the most appropriate measures (controls) to mitigate those risks.
- Implement the necessary policies and procedures to support the controls.
- Conduct regular tests and audits to make sure the controls are working as intended.
- Review, report and update your plans regularly.
- Implement a comprehensive and robust ISMS.
ISO 27001, the international information security standard, can help you achieve all of the above and protect all your other confidential company information, too.
How ISO 27001 can help you comply with the GDPR
- ISO 27001 is an international management standard that provides a proven framework for managing information security, using an integrated set of recommended policies, procedures, documents and technology in the form of an ISMS (information security management system).
- An ISMS is a system that enables you to continually manage, monitor, audit and improve your organisation’s information security practices in one place, consistently and cost-effectively.
- Through its all-encompassing approach, an ISMS aligned to ISO 27001 can help an organisation protect all of its corporate information and intellectual property, not just its personal data.
- ISO 27001 compliance means a business has taken steps to regularly identify and manage its data security risks. In so doing, it is able to keep up with constantly evolving data security threats.
- ISO 27001 provides guidance for implementing appropriate measures to mitigate those risks, with recommended technical measures in line with the requirements of the GDPR.
- An ISO 27001-compliant ISMS not only delivers a set of appropriate technical controls, policies and procedures, processes for monitoring, and continual improvement, but also promotes a culture and awareness of information security that makes sure data security is entrenched across the business.
- Obtaining certification to ISO 27001 provides independent assurance that your ISMS has been tested and audited in accordance with internationally accepted standards for good information security practice.
- Achieving ISO 27001 certification can also provide convincing evidence that you have taken the necessary measures to comply with the data security requirements of the GDPR. Note that ISO 27001 certification is not itself an approved certification mechanism under Article 42 of the GDPR; it is supporting evidence of appropriate security measures rather than a formal demonstration of GDPR compliance.
Infographic: Why ISO 27001 enables you to comply with the GDPR
Why technical measures aren’t enough for GDPR compliance
Companies often mistakenly believe that adding layer upon layer of state-of-the-art technology will on its own prevent a data breach. It will not. Why?
- Without a comprehensive information security programme that also considers people and processes, your technology will fall short of providing adequate protection. Poor company processes and staff-related problems are among the most common points of failure in data security.
- ISO 27001 compliance requires a commitment to information security across the organisation, starting with senior management. Without this commitment, even the best-laid information security plans tend to fail.
- ISO 27001 compliance means the company is constantly reviewing and updating its ISMS in line with changes to the threat environment and business developments. Without an effective management system, controls are often left in isolation, becoming redundant and dysfunctional.
- Obtaining certification to ISO 27001 helps the business to get an external, expert assessment of the efficacy of its information security plans, thereby making sure that the measures it has implemented are working.
What else should you do?
ISO 27001 addresses the security of personal data, but the GDPR also imposes requirements that an ISMS does not cover, such as establishing a lawful basis for processing, honouring data subject rights, keeping records of processing activities, carrying out data protection impact assessments and notifying the supervisory authority of a personal data breach within 72 hours. These are the province of a privacy framework such as BS 10012:2017 – Specification for a personal information management system (PIMS). IT Governance recommends that companies adopt both standards as part of a comprehensive compliance regime.