The GDPR and UK GDPR require you to implement measures to ensure a level of personal data security that’s “appropriate”, taking into account the risks presented by the data processing activities you are involved in. ISO 27001 can enable you to show that you are on top of this particular obligation.
That said, it’s important to remember that ISO 27001 covers a very specific area of data security. And while this certification can be valuable from a GDPR perspective, it shouldn’t be viewed as an ‘automatic passport’ to full GDPR compliance. Here, we take a closer look at what ISO 27001 does and doesn’t cover, with GDPR compliance in mind.
What is ISO 27001?
As a business grows, data management tends to get more complicated. The volume and categories of data under your control increase, the movement and accessibility of data can be hard to track, and security becomes a bigger challenge.
Faced with this, the most sensible response is often to implement an information security management system (ISMS). This is basically an internal set of rules, processes, procedures and tools. These all form a single system designed to manage the information risks faced by the business: cyber attacks, accidental loss, and theft via rogue employees (to name just a few).
But let’s say your company devises its own ISMS. Just how robust is it? Do the people responsible for it understand best practice? Your managing director, clients, strategic partners, the data regulator – each or all of these parties might look for assurances that your system for managing risk is up to scratch.
This is where ISO 27001 comes in. It’s the international standard setting out specific requirements for an ISMS. ISO 27001 certification provides your business with independently audited proof that you comply with globally recognised best practice for information security management.