The ISO 27001 certification scheme can help your organisation to demonstrate that it manages its information security in accordance with current best practice. As we’ll see, this can be especially useful when it comes to complying with a particular area of the General Data Protection Regulation (GDPR).
The new law requires you to implement measures to ensure a level of personal data security that’s “appropriate”, taking into account the risks presented by the data processing activities you are involved in. ISO 27001 can enable you to show that you are on top of this particular obligation.
That said, it’s important to remember that ISO 27001 addresses one thing: how you manage information security. That is only one of the GDPR’s many obligations. And while this certification can be valuable from a GDPR perspective, it shouldn’t be viewed as an ‘automatic passport’ to full GDPR compliance. Here, we take a closer look at what ISO 27001 does and doesn’t cover, with GDPR compliance in mind.
Why do organisations seek ISO 27001 certification?
Especially as a business grows, data management tends to get more complicated. The volume and categories of data under your control increase, the movement and accessibility of data can be hard to track – and security becomes a bigger challenge.
Faced with this, the most sensible response is often to implement an information security management system (ISMS). This is basically an internal set of rules, processes, procedures and tools. These all form a single system designed to manage the information risks faced by the business: cyber attacks, accidental loss, and theft by rogue employees, to name just a few.
But let’s say your company devises its own ISMS. Just how robust is it? Do the people responsible for it understand best practice? Your managing director, clients, strategic partners, the data regulator – each or all of these parties might look for assurances that your system for managing risk is up to scratch.
This is where ISO 27001 comes in. It’s the international standard specifying the requirements for an ISMS. ISO 27001 certification, issued by an accredited certification body after an independent audit, provides your business with proof that you comply with globally recognised best practice for information security management.
How does ISO 27001 tie in with GDPR?
In a short but very important section of the GDPR (Article 32), the new law sets out what’s required of organisations when it comes to ensuring the security of personal data processing.
It obliges you to implement “appropriate technical and organisational measures” to address the risks you are faced with. It also goes on to outline some of the measures that this will typically consist of:
- Pseudonymisation and encryption of personal data – so that data which leaks or is stolen cannot readily be read or tied back to individuals. (Encryption only delivers this if the keys are kept separate from the data and properly protected.)
- Measures aimed at ensuring the ongoing “confidentiality, integrity, availability and resilience” of your processing systems and services.
- Data restoration: i.e. the ability to restore availability of, and access to, personal data in a timely manner after a physical or technical incident (tested backups are the obvious component).
- Regular testing, assessment and evaluation of the effectiveness of your security measures, to ensure they are up to scratch.
ISO 27001 effectively covers these areas. For a start, it requires you to carry out and maintain a formal information security risk assessment to determine the risks your organisation faces. This is precisely the process needed to identify the “appropriate” security measures you must take under GDPR. One caveat: ISO 27001 frames risk in terms of harm to the organisation and its information, whereas Article 32 asks about the risk to the rights and freedoms of the individuals whose data you process. Your risk assessment needs to include that second perspective explicitly, not just assume it follows from the first.
Its Annex A controls require a policy on the use of cryptography, and set out what steps to take to protect the confidentiality, integrity and availability of your information. They also lay out what’s expected in terms of business continuity management and backup, thereby covering the GDPR requirement to implement measures on data restoration and availability.
Alongside the technical measures businesses should focus on, ISO 27001 also covers wider organisational concerns. In particular, the standard recognises that many security failings are down to human error. Security awareness training for staff and demonstrable commitment from top management are therefore requirements of the standard, not optional extras.
In short, from testing your controls through to staff training, if you meet and maintain the ISO 27001 certification requirements, you go a long way towards covering your GDPR security-of-processing obligations. The important proviso is scope: a certificate only covers the systems, locations and processes named in its scope statement. If personal data is processed outside that scope, the certificate says nothing about it – so check the scope statement on any certificate you rely on, whether it is your own or a supplier’s.
Here’s why “ISO 27001 Certified” and “GDPR fully compliant” are not the same
To get ISO 27001 under their belt, businesses tend to use outside help. And quite understandably, certification partners are flagging up the arrival of the new data law as a good reason for firms to work towards this useful badge of recognition.
But here’s where the confusion can creep in. The GDPR consists of 99 Articles. As we’ve seen, only a handful of those, with Article 32 at the centre, deal with the security of processing. In other words, there’s much more to full GDPR compliance than ensuring your information security management system is up to scratch!
Are you enabling data subjects to exercise their rights? Are you up to speed with your record keeping and reporting requirements? ISO 27001 is useful in what it’s designed to do – but there are many areas of GDPR compliance that fall outside its narrow remit. The Privacy Compliance Hub is a useful way to get to grips with these various areas.
As the GDPR becomes a reality, the challenge for organisations is to ensure that each and every relevant part of the new law is covered. With guidelines, templates and step-by-step processes, The Privacy Compliance Hub can supply everything you need for full compliance with this all-new legal framework. And if you already have ISO 27001, the work you’ve done can be integrated seamlessly into your very own bespoke Hub.
Ready to find out more? Try out our demo today.