We’re now firmly into May territory – which means that the countdown to GDPR is within its final month. If you’re not already aware of it, the GDPR is a new regulation that will change the way businesses handle the personal data of EU residents. It extends more robust rights to people whose data is used by organisations, and makes businesses more accountable for the way they use personal data. Even if we leave the EU, the UK government have already pledged to update our own Data Protection rules to mirror the standard of the GDPR for the UK, and in doing so has proposed a new piece of Data Protection legislation which is already in its final stages of parliamentary approval. So, regardless of the UK’s EU status, you will still be bound by an equivalent standard of data protection, as well as very strong sanctions for non-compliance. One of the things that current UK law, the GDPR, and the proposed forthcoming law, requires of businesses, is to ensure appropriate technical and organisational measures are taken, to secure personal data. However, none of the aforementioned data protection rules offer any insights into what constitutes an ‘appropriate’ control, and there is very little supplementary guidance on this matter either. So instead, we turn to ISO 27001 – the international standard for information security – the standard applies to all data processed by organisations, and it offers prescriptive insight into best-practices for implementing an information security management system (or ISMS) for your business. If the standard is applied in tandem with the privacy requirements, as we do, it can prove to be a powerful tool in selecting security controls with confidence and demonstrating that they are ‘appropriate’ in the context of your clients’ personal data environments.
What Is An ISMS?
All businesses, no matter how big or small, need some way of managing the data they use. But to maximise both the efficiency and the security of the data, it needs to be in a specifically designed and managed system. This is known as an ISMS, and is the system of processes, documents, technology and people that help to protect all of your company’s information (not just personal data) through a centrally managed framework.
But a framework on its own isn’t enough to keep your business safe. Any ISMS needs to be supported by strong leadership from the very top of the business, incorporated into the organisation’s culture and strategy, and be constantly monitored, updated and reviewed. Implementing an ISO 27001 compliant ISMS will protect your business against all kinds of risks that can impact the confidentiality, integrity or availability of your data.
How Will ISO 27001 Help Businesses Be GDPR Compliant?
ISO 27001 is an internationally recognised standard for information security. More to the point, it’s recognised by several different EU Supervisory Authorities for its capacity to provide evidence of a company’s intent to comply with GDPR. This is because an ISMS, adapted to comprehensively encompass EU and UK privacy rules, will ensure a business has considered the foundational elements of effective information management which are; people, processes, and technology. To find out more on ISO standards, and specifically ISO 27001 consulting, you can read our blogs here and here.
How To Create An ISO 27001 Compliant ISMS
There is no ‘out of the box’ ISMS solution for all businesses. Instead, your system needs to be designed around the context of your business, the data you process, and your strategic objectives, which are always unique. However there are some common steps involved in every ISMS implementation project:
- Scope The ISMS: Scoping requires making a decision about what information needs to be ring-fenced completely, and what needs to be protected. This is rarely a simple process and scoping incorrectly could leave your business open to risks.
- Conduct A Gap Analysis: Conducting a gap analysis helps you work out the shortfall between your current processes and the Standard’s requirements. It also highlights any resource or skills gaps you may have.
- Develop Your Information Security Policy: Your policy should reflect the business’s views on information security and be agreed by the board.
- Conduct A Risk Assessment: A risk assessment is at the core of any ISMS. An independent risk assessor will be able to identify and evaluate any risks the business may face. This process also helps to identify whether controls are necessary and cost-effective for your business.
- Select Your Controls: There are a wide range of controls available to handle the unique risks that affect your business. Controls should only be selected and applied once the risk assessment has been completed.
- Create A Statement Of Applicability: The Statement of Applicability (or SoA) sets out a list of all the controls listed in Annex A of ISO/IEC 27001:2013, together with a statement of whether or not the control has been applied and the reason for any controls inclusion or exclusion.
- Set Up A Risk Treatment Plan (RTP): Your RTP describes the steps your business will be taking to deal with each of the risks identified in your assessment.
- Create Your Documentation: Documentation needs to be developed to support each planned control and each step of the ISMS. This creates a single reference point to ensure consistent application and improvement. This is one of the most time consuming yet essential steps to creating your ISMS.
- Roll Out A Staff Awareness Programme: As with any security programme, all staff should receive regular training to improve and increase their awareness of information security, and the purpose of ISMS.
- Conduct Regular Testing: Once you have created the standard, you must conduct regular testing. ISO 27001 requires internal audits of the ISMS, at planned intervals, to determine whether or not the controls work, including a test of your incident response plans.
- Conduct Management Reviews: Top level management should also review the performance of the ISMS.
- Choose Your Certification Body: To be fully ISO 27001 certified you will need to be examined and certified by an official body. You should ensure that the body you choose is properly accredited by a recognised national accreditation body, such as UKAS in the UK.
- Gain Accredited Certification: Your chosen certification body will review your management system documentation and check that you’ve implemented the appropriate controls, followed by an on-site audit to test elements of your ISMS.
- Continually Improve Your ISMS: To stay ISO 27001 compliant, you need to continually maintain and improve your ISMS.
Of course, that is an awful lot to handle on your own. At Bridewell, we help businesses create and implement their ISMS such that they’re able to evidence compliance with their EU and UK privacy requirements, whether it be the current UK DPA, the GDPR, or the forthcoming renewed UK Data Protection rules. Our experts can help you establish the individual elements of your ISMS, or we can work with you to create the whole thing from scratch. The team at Bridewell are experienced and qualified in not only ISO 27001 implementation, but also ISO 9001, ISO 22301, ISO 27018 and more. In addition to this we also offer GDPR consultancy services beyond just security compliance. If you are looking to shore up the security of your data, or require any help interpreting and implementing the complexities of data protection rules, please get in touch with the team for a free, no-obligation consultation.