The importance of securing personal information cannot be overstated. This guide explains what ISO 27001 is and how it strengthens an organisation's information security in support of GDPR compliance.
What is ISO 27001?
ISO/IEC 27001 (also known as ISO 27001) is the international standard for information security that was originally developed back in 2005. Its best-practice approach helps organisations manage their information security through people, processes, and technology.
The ISO 27001 Standard Certification is recognised worldwide and indicates that your organisation is aligned with best practices regarding information security.
The standard sets out the processes and measures that help an organisation define its Information Security Management System (ISMS) to protect against data breaches.
What is an ISMS?
An ISMS (Information Security Management System) is the set of policies, processes, roles and controls through which an organisation manages risk to its information; it is a way of working, not a single product or repository. As a management system, it provides the means to assess security threats, implement preventive measures, and keep doing so as circumstances change.
By implementing an ISMS, an organisation will be able to:
- Identify the risks to its information
- Set objectives on what needs to be achieved with information security
- Identify the stakeholders and their expectations of the company’s information security
- Determine safeguards to meet expectations and minimise risk
- Continuously measure to ensure performance is as expected
What are the Three Principles of ISO 27001?
The three principles of ISO 27001, confidentiality, integrity and availability, guide those responsible for protecting information, and each one should be kept in mind at every stage of the work, from planning through to operation and review.
The three principles of ISO 27001 are:
- Confidentiality: only authorised people can access sensitive information.
- Integrity: only authorised people can change sensitive information, so that it stays accurate and complete.
- Availability: authorised people can reach the information they need when they need it.
Through these principles, the ISO 27001 standard offers guidance that must be considered at every level of data protection work undertaken by you or your company.
Who is the ISO Standards Body?
The International Organization for Standardization, ISO, is a network of national standards bodies from 163 countries, each represented by one member. ISO meets every year at its General Assembly to discuss its strategic objectives and effectiveness. Note that ISO publishes standards but does not police or enforce them: ISO 27001 certification is issued by accredited certification bodies after an independent audit, not by ISO itself.
ISO 27001 and GDPR Compliance
The GDPR (General Data Protection Regulation), love it or hate it, has enforced the use of privacy principles in a pragmatic and demonstrable way. Any organisation that does not adhere to the GDPR comes under the watchful eye of the regulators. A violation of the GDPR can result in heavy fines, reputational damage from being seen to disregard customer privacy, and potentially lost business.
ISO 27001 Framework
The overarching framework of the ISO 27001 defines several areas that map closely to the requirements of the GDPR:
ISO 27001 is about delivering security across all information assets. This, by definition, will include personal data. The GDPR has specific requirements on the protection of personal data that require an organization to implement “appropriate technical and organizational measures” to process personal data securely. These technical measures are discussed in Article 32 of the GDPR and include the appropriate use of:
- the pseudonymization and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
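The first of the Article 32 measures, pseudonymisation, is where organisations most often get the technique wrong, so here is a worked example. This is added illustration written for this article, not code from the page's author or from any ISO or GDPR publication; the record set, the addresses and the names `PseudonymisationService`, `keyed_token`, `unkeyed_token` and `guess_from_candidates` are all constructed for the demonstration. It shows why a plain hash of an identifier is not pseudonymisation (anyone with a candidate list can regenerate it), how a keyed HMAC under a secret held separately from the data fixes that, and how dropping the re-identification entry for one person severs the link to them while the remaining records stay usable. Encryption of the other fields is a separate control and is not shown.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Iterable, List, Optional

# Constructed sample records for the demonstration; not real people.
RAW_RECORDS = [
    {"email": "Alice@example.com", "order_total": 120.50},
    {"email": "bob@example.com", "order_total": 35.00},
    {"email": "alice@example.com", "order_total": 18.25},
]


def _normalise(email: str) -> bytes:
    # Same person, same token: case and surrounding whitespace are not identity.
    return email.strip().lower().encode("utf-8")


def unkeyed_token(email: str) -> str:
    """Plain SHA-256 of the identifier. NOT adequate pseudonymisation: anyone with
    a list of candidate addresses can recompute the tokens and match them."""
    return hashlib.sha256(_normalise(email)).hexdigest()


def keyed_token(email: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key. Without the key the token can neither be
    reversed nor recomputed from a candidate list."""
    return hmac.new(key, _normalise(email), hashlib.sha256).hexdigest()


def guess_from_candidates(token: str, candidates: Iterable[str],
                          token_fn: Callable[[str], str]) -> Optional[str]:
    """Attacker model: given a token and a list of guessed identifiers, try to
    re-identify by recomputing tokens. Returns the matching candidate or None."""
    for candidate in candidates:
        if hmac.compare_digest(token_fn(candidate), token):
            return candidate
    return None


class PseudonymisationService:
    """Holds the HMAC key and the token -> identifier table, i.e. the 'additional
    information' that must be kept separately from the pseudonymised data and
    protected by its own access controls (hypothetical service for this example)."""

    def __init__(self, key: Optional[bytes] = None):
        self._key = key if key is not None else secrets.token_bytes(32)
        self._lookup: Dict[str, str] = {}

    def pseudonymise(self, records: Iterable[dict]) -> List[dict]:
        """Replace the direct identifier with a token. The returned records can be
        handed to analytics or to a processor that must not see identities."""
        out = []
        for record in records:
            token = keyed_token(record["email"], self._key)
            self._lookup[token] = _normalise(record["email"]).decode("utf-8")
            out.append({"subject_id": token, "order_total": record["order_total"]})
        return out

    def reidentify(self, token: str) -> Optional[str]:
        """Only this service, holding the separate table, can go back to a person."""
        return self._lookup.get(token)

    def erase_subject(self, email: str) -> bool:
        """Erasure request: removing the lookup entry keeps the records for
        statistics but severs the link to the person. Returns False if unknown."""
        return self._lookup.pop(keyed_token(email, self._key), None) is not None


if __name__ == "__main__":
    svc = PseudonymisationService()
    data = svc.pseudonymise(RAW_RECORDS)
    guesses = ["carol@example.com", "bob@example.com", "alice@example.com"]
    print("unkeyed hash re-identified as:",
          guess_from_candidates(unkeyed_token("bob@example.com"), guesses, unkeyed_token))
    print("keyed token re-identified as:",
          guess_from_candidates(data[1]["subject_id"], guesses, unkeyed_token))
    svc.erase_subject("alice@example.com")
    print("after erasure, record 0 resolves to:", svc.reidentify(data[0]["subject_id"]))
```

The design point is the separation: the analytics copy never holds the key or the table, so a breach of that copy exposes order totals but not who placed them, and the key itself must be managed with the same care as an encryption key (rotation changes every token, so plan for that before choosing this scheme).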
ISO 27001 certification demonstrates that the above processes are in place and working. It also, importantly, shows that an organization has gone through a structured process to secure information across its systems for confidentiality, integrity, availability and resilience.
People, processes, and technology
The protection of data is a complex web of interrelated areas. By applying the three tenets of ISO 27001, people, process and technology, you address social engineering as well as technical exploits, rather than technical threats alone. This maps well to the GDPR's requirement for data protection by design and by default (Article 25).
Testing and audits
ISO 27001 requires an organisation to audit and review its ISMS at planned intervals (internal audits and management review), on top of the periodic surveillance audits carried out by the certification body. This is in line with GDPR expectations of continued assessment to demonstrate security and privacy fit. ISO 27701, the privacy extension to ISO 27001, also provides guidance on carrying out a DPIA (Data Protection Impact Assessment), which the GDPR requires for high-risk processing (Article 35).
The security landscape is one of change; both internal and external security risks change over time. ISO 27001 provides a framework to monitor, update, and review the ISMS to ensure adaptation to risk.
Accountability is a key principle of the GDPR, and compliance must be demonstrable. Named individuals are responsible for reporting compliance issues and personal data breaches. ISO 27001 requires leadership commitment and clearly assigned responsibilities, which builds a culture of security from the top down. That culture creates natural lines of governance that help meet the accountability and governance requirements of the GDPR.
ISO 27001 certification gives an organization a security framework that helps it meet GDPR compliance. However, ISO 27001 is broader in scope than the GDPR: it covers all of an organization's critical information, of which personal data is only one part.
The GDPR, being focused on personal data and privacy, also grants several data subject rights that are outside the remit of ISO 27001:
- Erasure: the right to be forgotten lets a data subject request that their personal data be deleted.
- Data portability: Data subjects have the right to request the transfer of their data from one system to another.
- Consent: The data subject has the right to know how their data is processed and the right to withdraw consent.
GDPR hitting companies where it hurts most
The GDPR enforcement tracker collates fines issued since the GDPR came into force. The current cumulative fines, as of June 2021, stand at € 283,810,583. Looking at the two top reasons for the fines provides insight into where the meeting of GDPR compliance is most challenging:
- Insufficient legal basis for data processing (253 fines)
- Insufficient technical and organisational measures to ensure information security (147 fines)
What can an organization infer from these reasons for GDPR fines? Firstly, an organization cannot circumvent the GDPR requirements by making bold claims about having a legal basis to process data, and secondly, you need to make sure your organization uses robust security. Both challenges are easier said than done. So any helping hand to meet GDPR compliance and avoid those hefty fines is welcome. This is where the ISO 27001 standard comes in.
Getting your GDPR act together is a challenge. The regulation is nuanced and complex and applying the principles of the GDPR can be technically challenging. Fortunately, a well-known security standard ISO 27001 comes to the rescue.
Can My Company be Fined for Breach of ISO 27001?
No. ISO 27001 is a voluntary standard: failing to meet it costs you your certification (or prevents you from obtaining it), not a fine. Fines come from data protection regulators enforcing the GDPR, and they can be severe, as the following case shows.
In 2022, tech giant Clearview AI was handed multiple fines totalling over €40 million. These came from several European countries whose investigations found that Clearview AI had unlawfully and irresponsibly handled the data of thousands of private European citizens, gathered through its flagship facial recognition software.
The countries that issued fines include the UK, Germany, Italy and Greece, with the UK's Information Commissioner's Office (ICO) stating that Clearview AI breached UK data protection law by:
- "Failing to use the information of people in the UK in a way that is fair and transparent, given that individuals are not made aware or would not reasonably expect their personal data to be used in this way.
- Failing to have a lawful reason for collecting people’s information.
- Failing to have a process in place to stop the data being retained indefinitely.
- Failing to meet the higher data protection standards required for biometric data.
- Asking for additional personal information, including photos, when asked by members of the public if they are on their database. This may have acted as a disincentive to individuals who wish to object to their data being collected and used.”
What is the latest revision of ISO 27001?
Since its first publication in 2005, ISO 27001 has been revised twice, in 2013 and most recently in 2022 (ISO/IEC 27001:2022). Separately, in 2019 ISO published ISO/IEC 27701:2019, a privacy extension to ISO 27001 that adds guidance on implementing a Privacy Information Management System (PIMS). This guidance covers implementation by PII controllers and PII processors, including when performing Privacy Impact Assessments (PIA) and applying the principles of Privacy by Design, something closely aligned with the GDPR.
If an organization extends its certification to include ISO 27701, it will be able to demonstrate compliance with more privacy-specific data processing requirements, including:
- Purpose of the data processing;
- Legal basis to process data;
- Consent lifecycle management;
- Privacy impact assessment;
- And, data subject rights such as data access, correction, erasure, and automated decision making.
Let our experts evaluate your compliance position with our GDPR Gap Analysis service
Committing to security – why certify to ISO 27001?
Importantly, the GDPR encourages the use of certification mechanisms to demonstrate compliance (Article 42), and certification to standards such as ISO 27001 and ISO 27701 is widely accepted as evidence of a commitment to security and privacy, even though ISO 27001 is not itself an approved GDPR certification scheme. Also, when a Data Protection Officer (DPO) helps to implement your privacy programme, they will refer to definitions from information security standards such as ISO 27001. Achieving ISO 27001 certification demonstrates that an organization has been through an external assessment of its information security posture and that the security measures implemented are operational and effective. If the worst happens and a GDPR violation occurs, the technical and organisational measures in place are among the factors a regulator must weigh when deciding on a fine (Article 83(2)), so this demonstrable commitment to security helps mitigate the impact of enforcement.
The way forward?
Fortunately, there are very helpful tools available to set you on course for ISO 27001 compliance, such as our ISO 27001 Navigator platform.