Businesses worldwide that collect data pertaining to EU citizens have until May 2018 to comply with the new General Data Protection Regulation (GDPR), or potentially face stiff fines. Can aligning with ISO 27001 or pursuing/achieving ISO 27001 certification, help you comply with the GDPR?
The short answer is “Yes.”
As the leading international standard and certification for information security, ISO 27001 is an ideal choice of a framework to support GDPR compliance.
The central point of intersection between GDPR and ISO 27001 is around personal data (aka PII). GDPR focuses specifically on the criticality of protecting and appropriately managing personal data. ISO 27001 focuses more broadly on creating an information security management system (ISMS) to prevent data loss or exfiltration and ensure that a firm’s information security posture can be maintained, and incidents identified, logged and reported. This includes guidance on how to handle and protect personal data in a secure, trustworthy manner.
In its Article 32, the GDPR states that organizations “…shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk…” It also mandates other security-related points.
Here are eight specific areas where ISO 27001 directly supports GDPR compliance:
- Management of personal data. In terms of requirements, this is the GDPR’s core focus. ISO 27001 supports this by providing guidance on controls to identify personal data and manage how, where and for how long it is stored, who can access it, etc.
- Availability, integrity and confidentiality of data processing systems. This is a major focus of both ISO 27001 and GDPR.
- A documented process for regularly evaluating the effectiveness of security controls. This is also a key ISO 27001 focus. Any company seeking ISO 27001 certification will have its controls, as well as its process documentation, assessed by an independent third-party. Internal review of controls is also part of maintaining ISO 27001 certification.
- Risk assessment. GDPR mandates that businesses conduct risk assessments to ensure they’ve identified major risks to EU citizens’ personal data. Similarly, ISO 27001 requires initial and ongoing risk assessment.
- Data encryption. Identifying what data should be encrypted based on risk exposure is inherently part of risk assessment.
- The ability to restore access to personal data in a timely manner in the event of a “physical or technical incident.” ISO 27001 includes a set of controls to ensure the availability of critical data and associated business processes in the event of an incident.
- Breach Notification. GDPR mandates that firms must notify authorities within 72 hours of when a breach involving personal data is discovered. This includes notification of impacted “data subjects” if the risk to them is sufficient. ISO 27001 likewise mandates “a consistent and effective approach” to handling information security incidents.
- Third-party risk management (TPRM). GDPR stipulates that businesses that delegate processing or storage of personal data make a contractual agreement requiring GDPR compliance for those suppliers. ISO 27001 also mandates protection for data assets that are accessible to suppliers.
With so much alignment between them, ISO 27001 might well be the best on-ramp and roadmap for organizations that need to comply with GDPR. If you already have an ISO 27001 compliant ISMS, adding and addressing any remaining GDPR requirements would be comparatively easy.
But is ISO 27001 certification sufficient for GDPR compliance? If your organization is already ISO 27001 certified, are you already in compliance with GDPR?
Probably not, as the GDPR mandates various requirements in support of the privacy rights of EU citizens that ISO 27001 doesn’t specifically address (e.g., the right to request that one’s data be deleted). But complying with ISO 27001 gets you well on your way to the GDPR finish line.
Like any regulation, GDPR presents both challenges and opportunities for organizations to improve their effectiveness and agility around protecting and processing critical data. The first thing most businesses should do to prepare for GDPR is conduct a gap analysis to identify what needs to be done to comply, and then prioritize those requirements. (Read about out GDPR consulting process.)
To get started on a gap analysis or to find out more about getting ready for GDPR, contact Pivot Point Security.