ISO 27001 and the GDPR

ISO/IEC 27001:2022 – the newest version of ISO 27001 – was published in October 2022.

Organisations that are certified to ISO/IEC 27001:2013 have a three-year transition period to make the necessary changes to their ISMS (information security management system).

For more information about ISO 27001:2022 and its companion standard, ISO 27002:2022, and what they mean for your organisation, please visit ISO 27001 and ISO 27002: 2022 updates

Download your copy of ISO 27001:2022 here

Download your copy of ISO 27002:2022 here

The EU General Data Protection Regulation (GDPR) requires organisations to adopt appropriate technical and organisational measures – including policies, procedures and processes – to protect the personal data they process.

ISO 27001, the international standard for an ISMS (information security management system), provides an excellent starting point for achieving the technical and operational requirements necessary to reduce the risk of a breach.

ISO 27701 is a specification for a privacy information management system (PIMS) that builds on the requirements, control objectives, and controls in ISO 27001. It adds privacy-specific requirements, control objectives, and controls.

Organisations that have implemented ISO 27001 will be able to use ISO 27701 to extend their ISMS to cover privacy management – including data processing.

Implementing both standards will help you meet – and demonstrate your compliance with – the privacy and information security requirements of the GDPR.

Article 32 of the GDPR specifically requires organisations to, as appropriate:

• Take measures to pseudonymise and encrypt personal data;
• Ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
• Restore the availability and access to personal data promptly in the event of a physical or technical incident; and/or
• Implement a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of processing.

Article 32 further requires risks “from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data” to be identified and mitigated.

An ISMS that conforms to ISO 27001 will meet all the above requirements.

Article 32 of the GDPR is the primary provision requiring technical measures to protect data. Although it gives examples of security measures and controls, the article does not provide detailed guidance regarding what you should do to achieve this.

Instead, the GDPR compels companies to look at existing best practices and recommendations, such as ISO 27001, to minimise the risk of a data breach.

ISO 27001 describes best practices for an ISMS, a systematic approach consisting of people, processes and technology that helps you protect and manage all your organisation’s information through risk management.

An ISMS aligned to ISO 27001 brings about many organisational benefits, such as:

1. The ability to provide convincing evidence that the necessary measures have been taken to comply with the data security requirements of the GDPR;
2. The protection of all corporate information and intellectual property – not just personal data;
3. The ability to reduce, monitor and review risks as well as keep up with constantly evolving data security threats; and
4. A culture of awareness surrounding information security.

Read more about the benefits of an ISMS.

Companies often mistakenly believe that adding layer upon layer of state-of-the-art technology will help them prevent a data breach. They couldn’t be more wrong. Why?

• Without a comprehensive information security programme that considers people and processes, your technology will fail to provide adequate protection.
• Poor company processes and staff-related problems are among the most common points of failure in data security.
• Without leadership commitment (an essential criterion for ISO 27001 compliance), the best-laid information security plans have been proven to fail.
• ISO 27001 compliance means the company is constantly reviewing and updating its ISMS in line with changes to the threat environment and business developments.
• Without an effective management system, controls are often left in isolation, becoming redundant and dysfunctional.
• Obtaining certification to ISO 27001 helps the business to get an external, expert assessment of the efficacy of its information security plans, thereby making sure that the measures it has implemented are working.

Article 32 of the GDPR specifically requires organisations to, as appropriate:

• Take measures to pseudonymise and encrypt personal data;
• Ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
• Restore the availability and access to personal data promptly in the event of a physical or technical incident; and/or
• Implement a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of processing.

Article 32 further requires risks “from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data” to be identified and mitigated.

An ISMS that conforms to ISO 27001 will meet all the above requirements.

Article 32 of the GDPR is the primary provision requiring technical measures to protect data. Although it gives examples of security measures and controls, the article does not provide detailed guidance regarding what you should do to achieve this.

Instead, the GDPR compels companies to look at existing best practices and recommendations, such as ISO 27001, to minimise the risk of a data breach.

In addition to achieving compliance with ISO 27001, your organisation must meet certain additional requirements in the GDPR that are covered by a privacy framework such as ISO 27701. Implementing both standards will enable you to meet the privacy and information security requirements of the GDPR and other data protection laws.

Find out how you can implement a PIMS (privacy information management system) with ISO 27001 and ISO 27701 now.