How ISO 27001 can help to achieve GDPR compliance
Julia Dutton, 2nd August 2017
Organisations have until 25 May 2018 to comply with the EU General Data Protection Regulation (GDPR). Those who have studied the Regulation will be aware that there are many references to certification schemes, seals and marks. The GDPR encourages the use of certification schemes like ISO 27001 to serve the purpose of demonstrating that the organisation is actively managing its data security in line with international best practice.
Managing people, processes and technology
ISO 27001 is the international best practice standard for information security. It is a certifiable standard that is broad-based and encompasses the three essential aspects of a comprehensive information security regime: people, processes and technology. By implementing measures to protect information using this three-pronged approach, the company is able to defend itself not only from technology-based risks, but also from other, more common threats, such as poorly informed staff or ineffective procedures.
By implementing ISO 27001, your organisation will be deploying an ISMS (information security management system): a system that is supported by top leadership, incorporated into your organisation’s culture and strategy, and constantly monitored, updated and reviewed. Using a process of continual improvement, your organisation will be able to ensure that the ISMS adapts to changes – both in the environment and inside the organisation – to continually identify and reduce risks.
What does the GDPR say?
The GDPR states clearly in Article 32 that “the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
1. the pseudonymisation and encryption of personal data;
2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
3. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”
Let’s look at these items separately:
Encryption of data is recommended by ISO 27001 as one of the measures that can and should be taken to reduce the identified risks. ISO 27001:2013 outlines 114 controls that can be used to reduce information security risks. Since the controls an organisation implements are based on the outcomes of an ISO 27001-compliant risk assessment, the organisation will be able to identify which assets are at risk and require encryption to adequately protect them.
One of ISO 27001’s core tenets is the importance of ensuring the ongoing confidentiality, integrity and availability of information. Not only is confidentiality important, but the integrity and availability of such data are critical as well. If the data is available but in a format that is not usable because of a system disruption, then the integrity of that data has been compromised; if the data is protected but inaccessible to those who need to use it as part of their jobs, then the availability of that data has been compromised.
Risk assessment
ISO 27001 mandates that organisations conduct a thorough risk assessment, identifying the threats and vulnerabilities that can affect the organisation’s information assets and taking steps to assure the confidentiality, integrity and availability (CIA) of that data. The GDPR specifically requires a risk assessment to ensure an organisation has identified risks that can impact personal data.
Business continuity
ISO 27001 addresses the importance of business continuity management, providing a set of controls that help the organisation protect the availability of information in case of an incident and protect critical business processes from the effects of major disasters, ensuring their timely resumption.
Testing and assessments
Lastly, organisations that opt for certification to ISO 27001 will have their ISMSs independently assessed and audited by an accredited certification body to ensure that the management system meets the requirements of the Standard. Companies need to regularly review their ISMS and conduct the necessary assessments as prescribed by the Standard in order to ensure it continues protecting the company’s information. Achieving accredited certification to ISO 27001 delivers an independent, expert assessment of whether you have implemented adequate measures to protect your data.
The requirements to achieve compliance with ISO 27001 of course do not stop there. Being a broad standard, it covers many other elements, including the importance of staff awareness training and leadership support. ISO 27001 has already been adopted by thousands of organisations globally and, given the current rate and severity of data breaches, it is also one of the fastest growing management system standards today.