The EU General Data Protection Regulation (GDPR) comes into effect on 25 May 2018. It will supersede all EU member states’ current national data protection laws and bring a standardised approach to data protection throughout the EU. The Regulation also comes with a new suite of enforcement powers for supervisory authorities throughout Europe (ICO in the UK) to penalise companies that are found to be non-compliant. The potential fines will substantially increase and may be as much as 4% of annual global turnover or €20 million, whichever is the greater.
Several supervisory authorities have highlighted ISO 27001 as a model of security best practice that will provide good evidence of intent and effort to comply with the security aspects of the GDPR.
What is ISO 27001?
ISO/IEC 27001:2013 is the international standard that describes best practice for an Information Security Management System (ISMS). Achieving certification to ISO 27001 demonstrates that your organisation is following information security best practice, and provides an independent, expert assessment of whether the security of your data is adequately managed. ISO 27001 is supported by its code of practice for information security management, ISO/IEC 27002:2013.
How Does ISO 27001 Help with Your GDPR Compliance Project?
Having an ISMS certified by an accredited (e.g. UKAS) certification body is concrete evidence that an organisation is in a good place with regard to GDPR compliance. Third-party validation of ISO 27001 compliance is highly regarded and more credible than self-certification schemes.
ISO 27001 not only addresses the need to comply with legislation through a systematic set of policies and processes, it also offers a reference set of controls (ISO 27001 Annex A). Whilst they may not be exhaustive, these controls can be readily leveraged to provide the appropriate “technical and organisational measures” required by the GDPR, and they can be supplemented with further controls where circumstances dictate.
The CIS Approach to ISO 27001 Implementation
Our approach to most ISO 27001 engagements is to initially carry out a Gap Analysis of the organisation against the clauses and controls of the standard. This provides us with a clear picture of three kinds of area: those where the company already conforms to the standard; those where some controls are in place but there is room for improvement; and those where controls are missing and need to be implemented.
For some organisations, this will be the extent of the assistance required. However, following the Gap Analysis and debrief, it may be necessary to provide additional assistance in the form of advice, guidance, implementation of suitable controls, and the policy documentation templates that will be required to meet the standard.
If you need help with GDPR compliance or ISO 27001 implementation, please feel free to contact CIS via our website.