GDPR versus ISO 27001
The GDPR requires you to manage personal data correctly. However, an organisation handles far more sensitive information than personal data alone, and ISO 27001 takes that wider scope into account.
- The GDPR (General Data Protection Regulation) is a regulation in EU law focused on the correct use of personal data with the consent of the individual. It is a law and therefore an obligation.
- ISO 27001 is an international standard for a management system that provides a framework to ensure the availability, integrity and confidentiality of any information that is essential to your organisation. It is a standard against which an organisation can be certified, and therefore not mandatory.
What kind of information does ISO 27001 cover?
ISO 27001 addresses any information, both digital and paper based, that needs to be protected from misuse, theft, loss, lack of security, carelessness, etc.
This includes, but is not limited to:
- Information concerning your core business such as documentation, project information, customer data, financial data, unique expertise, etc.
- Essential software
- Information concerning external organisations or individuals
- Personnel data
Control and trust
A management system such as ISO 27001 helps you control your information management and security, and guarantees both completeness and a systematic approach. You decide whether or not to implement this kind of management system within your organisation. However, a standard-based certificate, awarded by an accredited certification body, will instil confidence amongst your stakeholders about your approach to information management.
What are the benefits of ISO 27001?
Hacking, phishing, uncontrolled software, haphazard access control, unprotected printers: threats are everywhere. ISO 27001 systematically charts and quantifies potential risks, resulting in an assessment of your organisation’s security system.
Information security policy
ISO 27001 indicates what you should include in your policy guidelines or policies to ensure that your employees know how to deal with information, e.g. access control to buildings or server rooms, structure and update frequency of passwords, use of mobile devices and the Internet, new software, staff recruitment and departure measures, etc.
ISO 27001 will enable you to set up a system to manage your data security. This system must be maintained, and a representative has to be appointed for each of the following actions:
- Definition and monitoring of data access authorisations
- Infrastructure, hardware and software management
- Determination of the method and frequency for informing your employees about data security and raising their awareness, and appointment of a representative responsible for doing so
- Implementation of changes in a controlled manner to avoid creating new risks
- Management of data security related incidents
ISO 27001 ensures that your way of working is constantly questioned and that you systematically act on any opportunity for improvement. This is achieved with:
- An annual risk assessment update
- Continuous monitoring of policies and objectives
- Regular internal audits
- An annual review of the management system by the management
Check it out!
How vulnerable is your organisation when it comes to data security? It is well worth taking a moment to consider this. Why not have an ISO 27001 screening? This will immediately highlight potential issues. We would be happy to assist you with this process, so please don't hesitate to contact us.