How ISO 27001 can help you comply with the GDPR
The EU General Data Protection Regulation (GDPR) states that organizations must adopt appropriate policies, procedures and processes to protect the personal data they hold. Applying ISO/IEC 27001 is a superb starting point for achieving the technical and operational requirements necessary to reduce the risk of a breach.
How does ISO 27001 certification assist with GDPR compliance?
The similarities between ISO 27001’s framework and the GDPR’s requirements mean that organizations that certify to the Standard are already halfway to GDPR compliance. For more information on ISO 27001 certification and how the Standard can assist with GDPR compliance, please contact one of our experts.
Does the GDPR offer guidance for avoiding a data breach?
Article 32 of the GDPR specifically requires organizations to, as appropriate:
- Take measures to pseudonymize and encrypt personal data
- Ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
- Restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
- Implement a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of processing
Article 32 further requires risks “from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data” to be identified and mitigated.
An effective information security management system (ISMS) that conforms to ISO 27001 will meet all the above requirements.
Article 32 of the GDPR is the primary provision requiring technical measures to protect data. Although it gives examples of security measures and controls, the article does not provide detailed guidance regarding what you should do to achieve this.
Instead, the GDPR compels companies to look at existing best practices and recommendations, such as ISO 27001, to minimize the risk of a data breach.
How ISO 27001 works
ISO 27001 is an international management standard that provides a proven framework for managing information security, using an integrated set of recommended policies, procedures, documents and technology in the form of an ISMS (information security management system).
An ISMS is a system that helps to manage, monitor, audit, and improve your organization’s information security practices in one place, consistently and cost-effectively.
An ISMS aligned to ISO 27001 brings about many organizational benefits, such as:
- The ability to provide convincing evidence that the necessary measures have been taken to comply with the data security requirements of the GDPR;
- The protection of all corporate information and intellectual property – not just personal data;
- The ability to reduce, monitor and review risks, as well as keep up with constantly evolving data security threats; and
- A culture of awareness surrounding information security.
Why technical measures aren’t enough for GDPR compliance
Companies often mistakenly believe that adding layer upon layer of state-of-the-art technology will help them prevent a data breach. They couldn’t be more wrong. Why?
- Without a comprehensive information security program that also considers people and processes, your technology will fall short of providing adequate protection.
- Poor company processes and staff-related problems are among the most common points of failure in data security.
- ISO 27001 compliance requires a commitment to information security across the organization.
- Without this commitment, the best-laid information security plans have been proven to fail.
- ISO 27001 compliance means the company is constantly reviewing and updating its ISMS in line with changes to the threat environment and business developments.
- Without an effective management system, controls are often left in isolation, becoming redundant and dysfunctional.
- Obtaining certification to ISO 27001 helps the business to get an external, expert assessment of the efficacy of its information security plans, thereby making sure that the measures it has implemented are working.
Find out more about ISO 27001 and the GDPR
Ignoring or failing to fully comply with the GDPR could be costly for your organization. An ISO 27001-aligned ISMS can help you achieve GDPR compliance in a cost-effective manner. Browse our free resources to learn more about how ISO 27001 can aid your journey to compliance.
What else should you do?
In addition to achieving compliance with ISO 27001, the organization must meet certain additional requirements in the GDPR that are covered by a privacy framework such as BS 10012:2017 – Specification for a personal information management system (PIMS).
IT Governance USA recommends that companies adopt both of these critical standards as part of a comprehensive compliance regime.
Let’s work together to get things moving
Whatever the nature or size of your problem, we are here to help. Click the button below to request a call and one of our experts will get in touch to help you establish an effective compliance regime as soon as possible.