ISO/IEC 27001, first published in 2005 and substantially revised in 2013 and again in 2022, is the international standard for an information security management system (ISMS): a structured way of managing information assets, protecting data, running security procedures and taking preventive action against data breaches. Implementing ISO 27001 and becoming certified gives an organisation a secure starting point that helps it move towards compliance with the EU General Data Protection Regulation (GDPR). ISO 27001 overlaps with a large share of the GDPR's security requirements, so implementing it contributes towards GDPR compliance without delivering it on its own.
Which GDPR requirements does ISO 27001 cover?
The GDPR does not name ISO 27001, but it encourages the use of approved codes of conduct and certification mechanisms to demonstrate compliance, and an ISMS built on ISO 27001 addresses several GDPR requirements directly. ISO 27001 also promotes information security awareness across an organisation, so that all staff know what actions they must take to protect personal data.
Article 32 of the GDPR requires data controllers and data processors to implement appropriate technical and organisational measures, and an ISO 27001 ISMS is a well-established way of selecting, implementing and evidencing such measures. The measures ISO 27001 calls for map onto GDPR requirements in several ways:
-Personal data. The GDPR exists to protect personal data; ISO 27001 requires an organisation to identify its information assets, classify them and manage them according to their risk, and personal data is treated as one such asset.
-Encryption and pseudonymisation. Article 32 names pseudonymisation and encryption as examples of appropriate measures. ISO 27001 does not itself dictate which data must be encrypted; it requires a risk assessment and provides a cryptography control (a policy on the use of cryptographic controls and on key management), leaving the organisation to decide, on the basis of risk, what to encrypt and how.
-Confidentiality and availability. Article 32 requires the ongoing confidentiality, integrity, availability and resilience of processing systems. ISO 27001's access control requirements ensure that the systems used to process data are available to the specific individuals who need them for that processing while remaining confidential to everyone else.
-Regular evaluation. Article 32 requires a process for regularly testing, assessing and evaluating the effectiveness of security measures. ISO 27001 requires internal audits and management reviews of the ISMS, and certification adds assessment of the controls by an independent, accredited certification body.
-Risk assessment. The GDPR requires security measures to be proportionate to the risk to individuals, and ISO 27001 is built around a documented information security risk assessment and risk treatment process. Note that this is not the same as a data protection impact assessment (DPIA) under Article 35, which focuses on the risks to data subjects rather than to the organisation.
-Restoring access after an incident. Article 32 requires the ability to restore the availability of, and access to, personal data in a timely manner after a physical or technical incident. ISO 27001's backup and business continuity controls provide this, reducing the chance that personal data is lost and ensuring that critical data remains accessible.
-Third parties. The GDPR requires a controller to use only processors that provide sufficient guarantees of compliance, under a written contract, and processors have obligations of their own. ISO 27001's supplier relationship controls provide the third-party risk management needed to select and monitor such processors.
-Breach notification. The GDPR requires an organisation to notify the supervisory authority within 72 hours of becoming aware of a personal data breach (unless the breach is unlikely to result in a risk to individuals), and to inform the affected data subjects when the breach is likely to result in a high risk to them. ISO 27001's incident management controls provide the detection, reporting, triage and escalation process on which meeting that deadline depends, but the 72-hour clock, the notification content and the decision criteria come from the GDPR itself and must be written into the incident procedure; ISO 27001 does not specify them.
If an organisation is ISO 27001 certified, does it mean they are completely GDPR compliant?
If an organisation is ISO 27001 certified, it does not mean that it is completely GDPR compliant, as ISO 27001 does not cover every GDPR requirement. For example, it does not cover the rights of data subjects, the lawful basis for processing, data portability processes, or the right to erasure (the right of a data subject to have their personal data deleted when an organisation no longer needs it). Certification is still beneficial because it creates a strong starting point; an organisation can then conduct a GDPR gap analysis to decide what further measures need to be taken in order to become GDPR compliant.
How does ISO 27001 differ from other standards?
ISO 27001 differs from ISO 27002 in that an organisation can be certified against ISO 27001. ISO 27001 is a management system standard: it specifies the requirements ("shall" statements) for establishing, implementing, maintaining and continually improving an ISMS, and those requirements are what a certification audit checks.
ISO 27002, by contrast, is far more detailed but is a code of practice rather than a management standard: it gives implementation guidance for the controls listed in ISO 27001's Annex A, so an organisation cannot become ISO 27002 certified. Each standard in the ISO 27000 series has a particular focus, so an organisation that wants to know how to implement the controls should use ISO 27002.
ISO 27001 also differs from Cyber Essentials, the UK government-backed scheme that helps organisations protect themselves against common internet-based threats. Cyber Essentials sets out a small number of basic technical controls for a company's IT systems (boundary firewalls, secure configuration, user access control, malware protection and security update management) and demonstrates that these precautions are in place. ISO 27001 is much broader: it covers all of an organisation's information assets, from paper records to digital media, and the management processes around them, whereas Cyber Essentials only addresses the technical protection of IT systems.
Using ISO 27001 as a starting point for GDPR compliance is therefore wise, as it covers many of the GDPR's security requirements and offers essential guidance. A well-run ISMS ultimately reduces both the likelihood of a data breach and its consequences for the organisation.