If you’ve studied the EU General Data Protection Regulation (GDPR), you’ll know that it contains many references to certification schemes, seals and marks. It also encourages organisations to use standards such as ISO 27001 to demonstrate that they are following data security best practice.
What is ISO 27001?
ISO 27001 is the international standard that describes best practice for an information security management system (ISMS). It outlines three essential aspects of a comprehensive information security regime: people, processes and technology.
Using this three-pronged approach, organisations are able to defend themselves from both highly organised attacks and common internal threats, such as accidental breaches and negligent staff.
An ISO 27001-compliant ISMS is incorporated into an organisation’s culture and strategies, and is continually monitored, updated and reviewed. This helps an organisation adapt its ISMS to meet changes inside the organisation and in the environment.
What does the GDPR say?
Article 32 of the GDPR states that “the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”
Encryption
Encryption is recommended by ISO 27001 as one of the measures that should be taken to mitigate identified risks. ISO 27001 outlines 114 controls that can be used to reduce information security risks. Since the controls an organisation implements are based on the outcomes of an ISO 27001-compliant risk assessment, the organisation will be able to identify which assets are at risk and need to be encrypted.
Risk assessment
ISO 27001 requires organisations to conduct a risk assessment to identify the information security risks they face. The GDPR has a similar requirement, stating that organisations need to identify the risks that can affect personal data.
Business continuity
ISO 27001 addresses the importance of business continuity management, providing a set of controls that help organisations protect critical business processes and make sure data is still available in the event of a disruptive incident.
Testing and assessments
Any organisation that certifies to ISO 27001 will have its ISMS independently assessed and audited by an accredited certification body. To pass these assessments, organisations will need to regularly review their ISMS and update it accordingly.
Of course, the compliance requirements for ISO 27001 don’t stop there. It’s a broad standard and covers many elements, including the importance of staff awareness training and leadership support.
The Standard has already been adopted by thousands of organisations globally, and it’s one of the most popular management system standards in the world.