For those who have examined GDPR, the references to seals, standards and certification schemes are plain to see. The regulation encourages organisations to comply by using ISO 27001 as a means of highlighting the company’s commitment to best practice in terms of data security.
What is ISO 27001?
It is an international best-practice standard for information security. It has a broad scope, but at its heart it highlights the three key elements of a comprehensive information security regime: people, processes and technology.
The outcome is that, by managing these three key areas, a company can defend itself in the face of increasing attacks on its information systems. And, as with any best-practice code, it ensures that everyone who complies is, as far as possible, singing from the same information security hymn sheet.
What does GDPR say?
In Article 32, GDPR states clearly that “the controller and processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to risk”.
It goes on to list four areas:
- The pseudonymising (so that data can no longer be attributed to a named person without additional information) and encryption of personal data
- The ability to ensure that processes and systems remain confidential and resilient, maintaining their integrity and availability
- When hacks or other incidents happen, that availability of and access to personal data are restored in a ‘timely manner’
- That there is a process for regularly testing, assessing and evaluating the measures that a company or organisation takes to ensure the security of processing
ISO 27001 meets these four key areas:
Encryption of data is recommended under ISO 27001 as one of the identified measures that can significantly reduce risk. By reviewing the 114 controls suggested in the ISO 27001 standard, a company can work towards compliance by identifying the areas in which it is most at risk and taking measures to protect itself and its data.
Confidentiality, integrity and availability are important in ISO 27001 too. In fact, they are critical to a company’s successful compliance when it comes to storing and accessing data.
Business continuity in the face of hacks and other information security issues is also an integral part of ISO 27001. By understanding the risks against it, as well as how to create processes that limit downtime, a company or organisation is showing its ability to bounce back when the worst happens. In effect, understanding risk means being ready to take planned evasive action.
Testing and assessing are also part and parcel of this all-encompassing standard, more so because the testing and assessing are carried out independently of the organisation. This means a fresh set of eyes on the organisation’s processes and on whether adequate measures have, in fact, been taken to protect data.
And there’s more…
Compliance with ISO 27001 brings more besides, some say above and beyond what is required by GDPR. With data and information security breaches happening to businesses large and small, it is no wonder that ISO 27001 is one of the fastest-growing standards.
How can we help you?
Click here to download our new eBook, which will give you an overview of the ISO standards and the FAQs that will help you understand ISO better.
If you’re in need of assistance with any aspect of certification, here at Synergos we’d be delighted to help. Whether you have questions about the path to certification or are looking for advice and support to maintain an existing standard, call 01484 817 444 or email firstname.lastname@example.org and we’ll be happy to talk it over with you.