“ISO 27001 is the only auditable international standard that defines the requirements of an information security management system (ISMS).”
The GDPR encourages organisations to use certification schemes like ISO 27001 to ensure best data security practice. ISO 27001 is the best choice since it is the only auditable international standard that defines the requirements of an information security management system (ISMS). ISO 27001 is a comprehensive package that covers the three threats to information security: people, processes and technology. Implementing ISO 27001 will enable you to constantly monitor and improve performance, and continually identify, minimise and eliminate internal and external risks to your organisation’s data.
How does ISO 27001 meet GDPR requirements?
Article 32 states:
‘…the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.’
1. ‘The pseudonymisation and encryption of personal data.’
“…the standard helps organisations to identify what data to select for encryption.”
ISO 27001 identifies data encryption as a way of reducing security risks. Through a risk assessment, the standard helps organisations to identify what data to select for encryption. At the heart of ISO 27001 is the ‘confidentiality, integrity and availability of data’. Simply encrypting all data goes against these values as it might impede access for those who need it to perform their jobs.
2. ‘The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.’
“ISO 27001 states that organisations must take steps to assure the confidentiality, availability and integrity of data…”
ISO 27001 states that organisations must take steps to assure the confidentiality, availability and integrity of data by carrying out a thorough risk assessment to identify threats to personal data security. Steps must then be taken to minimise or eliminate those threats.
3. ‘The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.’
ISO 27001 covers business continuity management. The standard provides a set of procedures that will help an organisation to protect vital data processing activities in case of a serious incident.
4. ‘A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.’
“ISO 27001 continually provides proof of best practices in line with GDPR compliance.”
ISO 27001 certified organisations receive regular audits from their accredited certification body to ensure that their ISMS continually meets the standard. Therefore, ISO 27001 continually provides proof of best practices in line with GDPR compliance.
What are the other benefits of ISO 27001 certification?
ISO 27001 brings organisational advantages that reach beyond GDPR compliance, including:
- Peace of mind for your clients, employees and stakeholders.
- Allows for secure exchange of information.
- Provides you with a competitive advantage over companies who are not ISO 27001 accredited.
- Helps meet ISO 9001 requirements by identifying and managing data security as an ‘external threat’.
- Helps you comply with other regulations, e.g. the US Sarbanes-Oxley Act (SOX).
What steps does my organisation need to take to implement ISO 27001?
1. Perform a gap analysis
This will reveal the differences between your current information security processes and ISO 27001 requirements. It helps you to identify the actions you need to take, and resources required to close the gap.
2. Write an ISMS Scope
Examine what sort of security threats you face from outside your organisation.
- Where are the threats coming from?
- Who might want to compromise our information?
- What kinds of techniques might they use?
Once you understand this then write an ISMS scope. If you start with a small scope, you can implement an ISMS quickly and then build up your strategy from there.
3. Information security policy
An information security policy is key to ensuring that your management understand your strategy and its benefits.
4. Management approval
The most effective way to convince management of the value of an ISMS based on ISO 27001 is to demonstrate how it will reduce their costs. Costs can be reduced by a better understanding of business processes as this sometimes reveals opportunities for savings. ISO 27001 also brings with it customer confidence, which will increase sales. Security breaches can also incur heavy fines under the GDPR.
5. Conduct a risk assessment
Plan how you are going to assess risks and identify what your most significant risks are.
6. Create a Risk Treatment Plan (RTP)
Once you have identified the risks, you can design a risk treatment plan. A RTP is a way of setting out which risks can be reduced or managed and what actions you will take to do this.
7. Risk measures
Once you have identified your risks and decided what actions to take, look at Annex A of ISO 27001. This lists 114 different security controls. It seems overwhelming, but you don’t need to take all these measures – just select which ones are best for your organisation’s needs.
The importance of performing an internal audit
“An internal auditor has a vital role in reporting to senior management on how the ISMS is performing. “
Now that your controls are in place you need to carry out an internal audit. This means that another person within your organisation, or from outside your organisation, will carry out an independent review of your ISMS.
An internal auditor has a vital role in reporting to senior management on how the ISMS is performing. They need to continually monitor the effectiveness of ISMS so that senior managers can determine whether the ISMS’s objectives are consistent with the organisation’s business objectives.
The audit must be carried out by somebody who has relevant expertise but has not been involved with any of the work you have carried out. Senior managers and HR managers are well placed for the role since they are used to ensuring that policies are kept up-to-date and they understand the requirements of the GDPR. They can be trained as internal auditors by taking an ISO27001 Internal Auditor Training Course.