Anyone struggling with the EU GDPR (General Data Protection Regulation) should look no further than ISO 27001. It’s the international standard for information security, and its framework is close enough to the Regulation’s that many experts consider it a perfect launchpad for a GDPR compliance project.
Certifying to the Standard means you’re already halfway to GDPR compliance, plus you’ll experience the general benefits of ISO 27001 certification.
And unlike the GDPR, ISO 27001 provides clear instructions on the steps you need to follow in order to stay secure.
What is ISO 27001?
ISO 27001 outlines three essential aspects or ‘pillars’ of effective information security: people, processes and technology.
This three-pronged approach helps organisations defend themselves from both highly organised attacks and common internal threats, such as accidental breaches and human error.
Its requirements are similar in many places to the GDPR, but whereas the Regulation only occasionally suggests specific practices (such as encryption), ISO 27001 lays out clearly what organisations need to do to remain secure.
How ISO 27001 helps
ISO 27001’s requirements overlap with those outlined in Article 32 of the GDPR:
- Take measures to pseudonymise and encrypt personal data.
- Ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
- Restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
- Implement a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures.
Article 32 also mandates that organisations address risks that could lead to the “accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data”.
An effective ISMS (information security management system) that conforms to ISO 27001 will meet all these requirements.
Want to know more?
Take a look at GDPR Compliance and ISO 27001 for more information on how the Standard can help you meet the Regulation’s requirements. This free guide explains:
- What a comprehensive data security regime looks like;
- What an ISMS is and how to implement one;
- How ISO 27001 certification can help you meet the GDPR’s technical and organisational requirements; and
- How to meet the GDPR’s data security requirements.
Under the GDPR, organisations are required to report certain types of data breaches to the ICO (Information Commissioner’s Office) within 72 hours of becoming aware of the breach, where feasible. To help get your organisation #BreachReady, IT Governance are offering up to 20% off selected data protection and incident response solutions.