How ISO 27001 helps you protect your information
The most critical obligation of the GDPR (General Data Protection Regulation) is the frequently repeated requirement that organisations implement “appropriate technical and organisational measures” to ensure robust security of the information processed (Articles 5 and 32). However, beyond a few limited examples of appropriate security controls, the GDPR does not provide sufficient guidance on how to achieve an “appropriate level of security”.
ISO 27001 is the best starting point for all organisations in this respect. ISO 27001 is the international standard for information security management, and provides both best-practice requirements and guidance for implementing an effective ISMS (information security management system).
What is an ISMS?
Simply put, an ISMS is a system of documents, processes, technology and people that helps to safeguard all of your organisation’s information (which includes all information assets – not just personal data) through a centrally managed framework.
For an ISMS to be effective, it must be supported by top leadership, integrated into your business strategy and organisational culture, and be continually monitored, reviewed and updated. Moreover, an ISMS can be repeatedly adapted to respond to changes (in the organisation, applicable legislation, technology, etc.) using a process of continual improvement. This ensures that the ISMS remains effective at identifying and mitigating risks to the information assets it aims to protect.
An ISO 27001 ISMS is therefore pivotal to appropriately ensuring the security of your organisation’s information against all manner of risks to its confidentiality, integrity or availability.
How ISO 27001 will help you achieve compliance with the GDPR
ISO 27001 certification has been recognised by several European supervisory authorities for its capacity to provide evidence of intent and effort to comply with the GDPR.
The three most essential aspects of a comprehensive and effective information security regime are technology, people and processes.
An ISO 27001-compliant ISMS includes all three elements. This means it enables you to protect your data not only from technology-based risks (such as ransomware) but also from the most typical threats to your security – namely poorly trained staff or inadequate procedures.
ISO 27001 Controls
ISO 27001’s Annex A provides 114 reference security controls based on best practice and supported by comprehensive guidance in ISO 27002, the companion publication. These controls include (among others): cryptography, policies, incident response management and supplier relationships. This range of controls ensures your business is covered for all likely or significant eventualities and allows you to adapt your ISMS according to the needs of your business.
Effective risk management should be at the heart of an ISMS. Likewise, the GDPR specifically requires a risk assessment to ensure an organisation has identified risks that can affect personal data.
Certification to ISO 27001
For an ISMS to remain effective, it must be regularly reviewed, tested, maintained and updated. Several European supervisory authorities have made it clear that organisations that fail to implement and maintain essential security practices will face more punitive action in the event of a data breach.
An ISO 27001 certification provides:
- An expert external assessment of your organisation’s cyber resilience; and
- Evidence that you have implemented “appropriate technical and organisational measures” to protect your data from security risks.
Let's get started with your ISO 27001 project
IT Governance has the widest range of affordable solutions that are easy to use and ready to deploy.
Speak to an expert
Please contact our team for advice and guidance on our ISO 27001 products and services.