The GDPR and UK GDPR require you to implement measures to ensure a level of personal data security that’s “appropriate”, taking into account the risks presented by the data processing activities you are involved in. ISO 27001 can enable you to show that you are on top of this particular obligation.
That said, it’s important to remember that ISO 27001 covers a very specific area of data security. And while this certification can be valuable from a GDPR perspective, it shouldn’t be viewed as an ‘automatic passport’ to full GDPR compliance. Here, we take a closer look at what ISO 27001 does and doesn’t cover, with GDPR compliance in mind.
What is ISO 27001?
As a business grows, data management tends to get more complicated. The volume and categories of data under your control increase, the movement and accessibility of data can be hard to track – and security becomes a bigger challenge.
Faced with this, the most sensible response is often to implement an information security management system (ISMS). This is basically an internal set of rules, processes, procedures and tools. These all form a single system designed to manage the information risks faced by the business: cyber attacks, accidental loss, and theft via rogue employees (to name just a few).
But let’s say your company devises its own ISMS. Just how robust is it? Do the people responsible for it understand best practice? Your managing director, clients, strategic partners, the data regulator – each or all of these parties might look for assurances that your system for managing risk is up to scratch.
This is where ISO 27001 comes in. It’s the international standard mandating specific requirements for an ISMS. ISO 27001 certification provides your business with independently audited proof that you comply with globally recognised best practice for data security management.
ISO 27001 vs GDPR – what are the differences?
In a short but very important section of the GDPR (Article 32), the law sets out what’s required of organisations when it comes to ensuring the security of personal data processing.
It obliges you to implement “appropriate technical and organisational measures” to address the risks you are faced with. It also goes on to outline some of the measures that this will typically consist of:
- Pseudonymisation and encryption of personal data – so that even if that data falls into the wrong hands, it cannot be exploited.
- Measures aimed at ensuring the “confidentiality, integrity, availability and resilience” of your systems and services.
- Data restoration: i.e. tools and procedures designed to make personal data available again after a security incident (systems backup would be part of this).
- Regular testing, assessment and evaluation of your security measures to ensure they are up to scratch.
ISO 27001 effectively covers these areas too. For a start, it mandates that you carry out thorough risk assessments to determine the risks your organisation faces. This is precisely what’s needed to identify the “appropriate” security measures you need to take under GDPR.
It sets standards on when and how to put data encryption to work and what steps to take to ensure the confidentiality and availability of your data. It also lays out what’s expected in terms of “business continuity management”, thereby covering the GDPR requirement to implement measures on data restoration and availability.
Alongside the technical measures businesses should focus on, ISO 27001 also covers wider organisational concerns. In particular, the certification recognises that many data security failings are down to human error. Security awareness development and management support are therefore included in the certification standard.
In short, from stress testing through to staff training, if you meet and maintain the ISO 27001 certification requirements, you effectively have your GDPR data processing security requirements covered.