The GDPR (General Data Protection Regulation) isn’t only about preventing data breaches (it’s equally focused on strengthening data subjects’ rights), but organisations have understandably homed in on the importance of effective data protection.
Both objectives have clear benefits for organisations, but the ability to tackle risks is more complex and will take more resources to implement and maintain. It also has a more direct relationship to an organisation’s profitability, which, for better or worse, is the primary motivating factor for most managers.
But despite organisations’ focus on this part of the Regulation, many still aren’t sure what effective security looks like or how they should achieve it.
What the GDPR says about reducing risk
Article 32 of the GDPR sets out four requirements to ensure that “appropriate technical and organisational measures” have been taken to protect personal data:
- The pseudonymisation and encryption of personal data;
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
The problem is that few of the terms listed here are defined in the GDPR, which is a bigger issue than you might think. Yes, most information security experts will be able to explain what confidentiality, integrity and availability mean, but other terms, like ‘risk’, are surprisingly vague.
Hopefully, you understand that risk refers to something that could damage your organisation, but just how broadly should you cast your net? Should you include intangible risks, like embarrassing incidents? What about events that have knock-on effects for your organisation?
Depending on how you define risk, you might overlook something that you should have accounted for or be left dealing with an impossibly high number of potential incidents.
Equally important, the GDPR doesn’t provide guidance on how organisations should meet its requirements. There’s a good reason for this: information security best practice is constantly evolving, meaning any advice listed in the Regulation could soon be out of date.
That means organisations are forced to implement their own system for meeting the GDPR’s requirements. This doesn’t necessarily mean you have to work from scratch, though. In fact, this is the last thing you should do: it’ll be expensive, you’ll probably make mistakes and you’ll have to demonstrate to your supervisory authority that your system meets the GDPR’s requirements.
So, what should you do instead? We recommend following the approach laid out in ISO 27001.
ISO 27001 and the GDPR
ISO 27001 is the international standard for creating and maintaining an ISMS (information security management system). As with the GDPR, it takes a risk-based approach to information security, and many of ISO 27001’s controls overlap with those listed in Article 32 of the Regulation.
For example, the Standard includes several controls relating to data encryption, which is one of the most effective ways of securing information and protecting its confidentiality, integrity and availability.
There are also several controls that address cyber resilience, helping organisations protect critical business processes and make sure data is still available in the event of a disruptive incident.
Organisations should regularly review their controls in two ways. First, they should perform gap analyses to determine which controls they have selected and whether each one has been implemented. Second, they should audit the ISMS to get a comprehensive assessment of their compliance status.
Creating an ISMS in nine steps
Anyone looking for advice on how to create an ISMS should follow these nine steps:
- Project mandate
The implementation project should begin by appointing a project leader, who will work with other members of staff to create a project mandate. This is essentially a set of answers to these questions:
- What are we hoping to achieve?
- How long will it take?
- What will it cost?
- Does it have management support?
- Project initiation
Organisations should use their project mandate to build a more defined structure that goes into specific details about information security objectives and the project’s team, plan and risk register.
- ISMS initiation
The next step is to adopt a methodology for implementing the ISMS. ISO 27001 recognises that a “process approach” to continual improvement is the most effective model for managing information security.
However, it doesn’t specify a particular methodology, and instead allows organisations to use whatever method they choose, or to continue with a model they have in place.
- Management framework
At this stage, the organisation needs a broader sense of the ISMS’s actual framework. Part of this will involve identifying the scope of the system, which will depend on the organisation’s context. The scope also needs to take into account mobile devices and teleworkers.
- Baseline security criteria
Organisations should identify their core security needs. These are the requirements and corresponding measures or controls necessary to conduct business.
- Risk management
ISO 27001 allows organisations to broadly define their own risk management processes. Common methods focus on looking at risks to specific assets or risks presented in specific scenarios.
There are pros and cons to each, and some organisations will be much better suited to a particular method. There are five important aspects of an ISO 27001 risk assessment:
- Establishing a risk assessment framework
- Identifying risks
- Analysing risks
- Evaluating risks
- Selecting risk management options
- Implementation
This is the process of building the security controls that will protect your organisation’s information assets.
To ensure these controls are effective, you’ll need to check that staff are able to operate or interact with the controls, and that they are aware of their information security obligations.
You’ll also need to develop a process to determine, review and maintain the competences necessary to achieve your ISMS objectives. This involves conducting a needs analysis and defining a desired level of competence.
- Measure, monitor and review
For an ISMS to be useful, it must meet its information security objectives. Organisations need to measure, monitor and review the system’s performance. This will involve identifying metrics or other methods of gauging the effectiveness and implementation of the controls.
- Certification
Once the ISMS is in place, organisations should seek certification from an accredited certification body. This proves to stakeholders that the ISMS is effective and that the organisation understands the importance of information security.
The certification process will involve a review of the organisation’s management system documentation to check that the appropriate controls have been implemented. The certification body will also conduct a site audit to test the procedures in practice.
Want to learn more?
We provide more detail on each of these steps in our green paper: Implementing an ISMS – The nine-step approach.
How else can IT Governance help?
IT Governance is your one-stop shop for information security and regulatory compliance. Our range of books, toolkits, training courses, staff awareness solutions and consultancy services can support you with whatever you’re looking for, and our blog keeps you informed of the latest industry news and advice.