The GDPR and ISO 27001 fit like hand and glove. As the only auditable international standard that defines the requirements of an information security management system, the GDPR encourages the use of this standard.
ISO 27001 is a comprehensive package that covers the three threats to information security: people, processes and technology. Implementing the standard enables you to monitor and improve performance, and continually identify, minimise and eliminate risks to your organisation’s data.
Article 32 states:
‘…the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
“…the standard helps organisations to identify what data to select for encryption.”
ISO 27001 identifies data encryption as a way of reducing security risks. Through a risk assessment, the standard helps organisations to identify what data to select for encryption. At the heart of ISO 27001 is the ‘confidentiality, integrity and availability of data’. Simply encrypting all data goes against these values as it might impede access for those who need it to perform their jobs.
“ISO 27001 states that organisations must take steps to assure the confidentiality, availability and integrity of data…”
ISO 27001 states that organisations must take steps to assure the confidentiality, availability and integrity of data by carrying out a thorough risk assessment to identify threats to personal data security. Steps must then be taken to minimise or eliminate those threats.
ISO 27001 covers business continuity management. The standard provides a set of procedures that will help an organisation to protect vital data processing activities in case of a serious incident.
“ISO 27001 continually provides proof of best practices in line with GDPR compliance.”
ISO 27001 certified organisations receive regular audits from their accredited certification body to ensure that their ISMS continually meets the standard. Therefore, ISO 27001 continually provides proof of best practices in line with GDPR compliance.
This will reveal the differences between your current information security processes and ISO 27001 requirements. It helps you to identify the actions you need to take, and resources required to close the gap.
Examine what sort of security threats you face from outside your organisation.
Once you understand this then write an ISMS scope. If you start with a small scope, you can implement an ISMS quickly and then build up your strategy from there.
An information security policy is key to ensuring that your management understand your strategy and its benefits.
The most effective way to convince management of the value of an ISMS based on ISO 27001 is to demonstrate how it will reduce their costs. Costs can be reduced by a better understanding of business processes as this sometimes reveals opportunities for savings. ISO 27001 also brings with it customer confidence, which will increase sales. Security breaches can also incur heavy fines under the GDPR.
Plan how you are going to assess risks and identify what your most significant risks are.
Once you have identified the risks, you can design a risk treatment plan. A RTP is a way of setting out which risks can be reduced or managed and what actions you will take to do this.
Once you have identified your risks and decided what actions to take, look at Annex A of ISO 27001. This lists 114 different security controls. It seems overwhelming, but you don’t need to take all these measures – just select which ones are best for your organisation’s needs.
“An internal auditor has a vital role in reporting to senior management on how the ISMS is performing. ”
Now that your controls are in place you need to carry out an internal audit. This means that another person within your organisation, or from outside your organisation, will carry out an independent review of your ISMS.
An internal auditor has a vital role in reporting to senior management on how the ISMS is performing. They need to continually monitor the effectiveness of ISMS so that senior managers can determine whether the ISMS’s objectives are consistent with the organisation’s business objectives.
The audit must be carried out by somebody who has relevant expertise but has not been involved with any of the work you have carried out. Senior managers and HR managers are well placed for the role since they are used to ensuring that policies are kept up-to-date and they understand the requirements of the GDPR. They can be trained as internal auditors by taking an ISO27001 Internal Auditor Training Course.