How ISO 27001 can help you comply with the GDPR
The EU GDPR (General Data Protection Regulation) requires organizations to adopt appropriate technical and organizational measures – including policies, procedures, and processes – to protect the personal data they process.
ISO 27001, the international standard for an ISMS (information security management system), provides an excellent starting point for meeting the technical and organizational requirements necessary to reduce the risk of a breach.
ISO 27701, meanwhile, specifies the requirements for – and provides guidance for establishing, implementing, maintaining, and continually improving – a PIMS (privacy information management system) based on the requirements, control objectives, and controls in ISO 27001, extended by a set of privacy-specific requirements, control objectives, and controls.
Organizations that have implemented ISO 27001 will be able to use ISO 27701 to extend their ISMS to cover privacy management – including data processing.
Implementing both standards will help you meet – and demonstrate your compliance with – the privacy and information security requirements of the GDPR.
Speak to an ISO 27701 expert today
Get in touch with one of our qualified data privacy/information security specialists for free practical advice and guidance on ISO 27701.
Does the GDPR offer guidance for avoiding a data breach?
Article 32 of the GDPR specifically requires organizations to, as appropriate:
- Take measures to pseudonymize and encrypt personal data
- Ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services
- Restore the availability of, and access to, personal data in a timely manner in the event of a physical or technical incident
- Implement a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of processing
Article 32 further requires the risks presented by processing – in particular those “from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data” – to be taken into account when deciding what level of security is appropriate.
An ISMS that conforms to ISO 27001 addresses each of the above requirements through its mandatory risk assessment and risk treatment process. Note that conformance does not mean every listed measure is automatically in place: the controls you select must still be shown to be appropriate to the personal data you process and the risks to the individuals concerned.
Article 32 of the GDPR is the primary provision requiring technical measures to protect data. Although it gives examples of security measures and controls, the article does not provide detailed guidance on what you should do to achieve this.
Instead, by requiring measures that take account of “the state of the art”, the GDPR points organizations toward existing best practices and recommendations, such as ISO 27001, to minimize the risk of a data breach.
How ISO 27001 works
ISO 27001 describes best practice for an ISMS, a systematic approach consisting of people, processes, and technology that helps you protect and manage all your organization’s information through risk management.
An ISMS aligned to ISO 27001 brings about many organizational benefits, such as:
- The ability to provide convincing evidence that the necessary measures have been taken to comply with the data security requirements of the GDPR
- The protection of all corporate information and intellectual property – not just personal data
- The ability to reduce, monitor, and review risks as well as keep up with constantly evolving data security threats
- A culture of awareness surrounding information security
Why technical measures aren’t enough for GDPR compliance
Organizations often mistakenly believe that adding layer upon layer of state-of-the-art technology will prevent a data breach. Technology on its own is not enough, and it needs a management system around it, for the following reasons:
- Without a comprehensive information security program that also considers people and processes, your technology will fall short of providing adequate protection.
- Poor company processes and staff-related problems are among the most common points of failure in data security.
- Without leadership commitment (an essential criterion for ISO 27001 compliance), even the best-laid information security plans routinely fail.
- ISO 27001 compliance means the organization is constantly reviewing and updating its ISMS in line with changes to the threat environment and business developments.
- Without an effective management system, controls are often left in isolation, becoming redundant and dysfunctional.
- Obtaining certification to ISO 27001 helps the organization get an external, expert assessment of the efficacy of its information security plans, thereby making sure that the measures it has implemented are working.
GDPR compliance with ISO 27001
Ignoring or failing to fully comply with the GDPR could be costly for your organization. An ISO 27001-aligned ISMS can help you achieve GDPR compliance in a cost-effective manner. Download our free green paper to learn more about how ISO 27001 can aid your journey to compliance.
What else should you do?
In addition to achieving compliance with ISO 27001, your organization must meet additional requirements in the GDPR that ISO 27001 does not address – such as establishing a lawful basis for processing, being transparent with data subjects, and upholding their rights. These are covered by a privacy framework such as ISO 27701. Implementing both standards will enable you to meet the privacy and information security requirements of the GDPR and other data protection laws.
What is ISO 27701?
ISO 27701 specifies the requirements for establishing, implementing, maintaining, and continually improving a PIMS.
ISO 27701 is based on the requirements and controls of the widely adopted information security management standard ISO 27001, and provides an extension to ISO 27001 through its own set of privacy-specific requirements and controls. It outlines a framework for PII (personally identifiable information) controllers and PII processors to manage data privacy.
Why was ISO 27701 developed?
ISO/IEC 27701 Security techniques – Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management – Requirements and guidelines is a management standard that was published in 2019 in response to the growing need for a global data privacy framework.
ISO (International Organization for Standardization) and the IEC (International Electrotechnical Commission) developed ISO 27701 as an addition to the widely adopted ISO 27000 family of information security standards to provide much-needed guidance for complying with privacy laws around the world, such as the CCPA (California Consumer Privacy Act), the EU GDPR, and the New York SHIELD Act.
Compliance with ISO 27701 shows customers and stakeholders your organization supports compliance with privacy legislation.
Free download: ISO 27701 – Privacy information management systems
Download our free guide on how to implement a PIMS to support your privacy compliance objectives.
Can we get certified to ISO 27701?
Yes, although independently accredited certification is only available as an extension to an ISO 27001 certificate. This is because ISO 27701 is written as an extension to ISO 27001 rather than as a stand-alone standard: its requirements presuppose an ISMS that conforms to ISO 27001, so a certification body can only assess a PIMS alongside that ISMS.
Organizations without an ISMS can also implement ISO 27001 and ISO 27701 together as a single implementation project. Because ISO 27701 simply expands on the requirements and guidance provided by ISO 27001 and its code of practice, ISO 27002, there is no need to blend two separate management systems or implementation projects.
What is the difference between ISO 27001 and ISO 27701?
ISO 27701 serves as an extension to ISO 27001. Organizations that have implemented ISO 27001 will be able to incorporate the controls and requirements of ISO 27701 to extend their existing information security practices so that the same management system also covers privacy management.
ISO 27001 and its controls framework, ISO 27002, provide guidance for implementing an ISMS. ISO 27001 sets out the risk-based methodology for managing people, processes, and technology to secure the confidentiality, integrity, and availability of corporate information. Tens of thousands of organizations worldwide have already implemented ISO 27001 due to its comprehensive approach to information security management.
Organizations looking to implement a PIMS must either implement ISO 27001 first or implement both standards as a joint project.
Who should implement ISO 27701?
ISO 27701 has been designed to be used by all data controllers and data processors. Like ISO 27001, it requires organizations to address specific risks, but it extends the risk assessment so that it covers risks to the individuals whose personal data is processed, not only risks to the organization itself.
How will ISO 27701 certification support CCPA compliance?
Achieving certification to both ISO 27701 and ISO 27001 gives you a documented, independently audited set of controls that can be mapped to the privacy and data security requirements of the CCPA and other major privacy laws. Certification does not by itself constitute compliance with any particular law, but it allows you to demonstrate that you have taken the necessary measures to protect the consumer data you process and to uphold data subjects’ rights.
Need help implementing ISO 27701? We have everything you need
We’ve been leading ISO 27001 certification projects since the Standard’s inception and have everything you need to extend your ISMS to cover ISO 27701 and privacy management.
Contact us now for support on achieving compliance with ISO 27701, drawing on the skills of our team of information security and data privacy experts.