ISO/IEC 27001 is the international standard that specifies the requirements for an information security management system (ISMS). It brings three major components together: the people, processes, and technology an organization uses to identify and reduce risks to the confidentiality, integrity, and availability of its information and critical resources. The standard also requires enterprises to document their information security policy, the acceptable use of assets within the organization, their employees' security roles and responsibilities, and their access control policy for confidential data.
For an enterprise that collects and processes personally identifiable information (PII), ISO 27001 requires that it establish, operate, monitor, and continually improve an ISMS that covers that data along with its other in-scope information assets.
Does that description ring a bell for you? If so, it's because the ISMS as defined by ISO 27001 aligns closely with the "appropriate technical and organisational measures" that Article 32 of the GDPR requires controllers and processors to implement to secure personal data.
Does this mean any enterprise that has adopted ISO 27001 is compliant with the GDPR? Not necessarily. ISO 27001 speaks mainly to Article 32 (security of processing); it does not address the lawful basis for processing, data subject rights, or the 72-hour breach notification deadline in Article 33. But an enterprise that is ISO 27001-certified has already built most of what Article 32 asks for. Let's see how.
Similarities between the GDPR and ISO 27001
There are many similarities between the requirements of the GDPR and ISO 27001. If your organization has already adopted ISO 27001, and the personal data processing falls within the ISMS scope with the relevant Annex A controls selected in your Statement of Applicability, you already have the groundwork for the following GDPR requirements:
- Article 32.1(a): Pseudonymisation and encryption of personal data.
- Article 32.1(b): Ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services.
- Article 32.1(c): Ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident.
- Article 32.1(d): A process for regularly testing, assessing, and evaluating the effectiveness of the technical and organizational measures adopted to ensure the security of the processing.
How ISO 27001 helps you comply with the GDPR
Reviewing the similarities between the GDPR and ISO 27001, it's clear that ISO 27001 compliance can help your organization meet many of the GDPR's security requirements. Here's a closer look at how ISO 27001's cryptography controls and ISMS requirements map onto the GDPR.
Data encryption: ISO 27001's Annex A controls on information transfer and on application services over public networks require that confidential data sent across public networks be protected, which in practice means encryption in transit; to reduce the risk of data breaches, the removable-media controls likewise expect PII on external media to be encrypted, so media that cannot be encrypted should not be used to store it. The cryptography control set (A.10.1 in the 2013 edition, A.8.24 in the 2022 edition) requires a policy on the use of cryptographic controls and key management to protect the confidentiality, authenticity, and integrity of information. These controls help satisfy the requirement stated in Article 32.1(a) of the GDPR, with one caveat: pseudonymisation only counts if the information needed to reverse it is kept separately and protected, so an unkeyed hash of an identifier does not qualify.
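As an added example (not from the original article, and not code from ISO or the GDPR), the following Python contrasts a pseudonym that meets the Article 32.1(a) bar with one that does not. The e-mail addresses, the attacker's guess list, and the in-process key generation are constructed for illustration; in production the HMAC key would live in a KMS or HSM, separated from the dataset.

```python
import hashlib
import hmac
import secrets

# Constructed sample records; the e-mail addresses are not real people.
RECORDS = [
    {"email": "alice@example.com", "purchase": "router"},
    {"email": "bob@example.com", "purchase": "switch"},
]


def naive_pseudonym(value):
    """Unkeyed SHA-256 of the identifier.

    Deterministic, so it joins across tables, but anyone who can guess the
    input (e-mail addresses have little entropy) recovers it by hashing guesses.
    """
    return hashlib.sha256(value.strip().lower().encode("utf-8")).hexdigest()


def keyed_pseudonym(value, key):
    """HMAC-SHA256 under a secret key stored apart from the pseudonymised data.

    Without the key a guess cannot be checked, which is the 'additional
    information kept separately' that GDPR Article 4(5) requires of
    pseudonymisation.
    """
    return hmac.new(key, value.strip().lower().encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(records, key):
    """Replace the direct identifier with a keyed pseudonym; keep the payload."""
    return [
        {"subject": keyed_pseudonym(r["email"], key), "purchase": r["purchase"]}
        for r in records
    ]


def dictionary_attack(target, guesses, pseudonym_fn):
    """Re-identification attempt: pseudonymise each guess and compare."""
    for guess in guesses:
        if hmac.compare_digest(pseudonym_fn(guess), target):
            return guess
    return None


def demo():
    # Assumed key handling: generated here for the demo; in production it
    # lives in a KMS/HSM with access controlled separately from the dataset.
    key = secrets.token_bytes(32)
    guesses = ["carol@example.com", "alice@example.com", "bob@example.com"]
    target = RECORDS[0]["email"]
    return {
        # Unkeyed hash: the attacker's guess list recovers the address.
        "naive_reidentified": dictionary_attack(
            naive_pseudonym(target), guesses, naive_pseudonym),
        # Keyed pseudonym: hashing guesses without the key finds nothing.
        "keyed_reidentified": dictionary_attack(
            keyed_pseudonym(target, key), guesses, naive_pseudonym),
        # Nor does guessing a key.
        "keyed_wrong_key_reidentified": dictionary_attack(
            keyed_pseudonym(target, key), guesses,
            lambda v: keyed_pseudonym(v, b"attacker-guessed-key")),
        "table": pseudonymise(RECORDS, key),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The keyed function is still deterministic for a given key, so analysts can join pseudonymised tables; rotating the key is what severs that linkability when a dataset is retired.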
An ISMS and technical measures for auditing PII security: ISO 27001 requires the adoption of ISMS policies and controls that ensure the security of confidential data. Some of these ISMS controls include:
- Defining access controls to confidential data.
- Monitoring confidential data accesses by privileged users.
- Auditing privileged user activities.
- Reviewing permissions granted for confidential data access.
- Logging who accessed, modified, or deleted confidential data, and when.
- Backing up confidential data to ensure availability in case of a physical or technical incident.
Employing these controls in your organization helps ensure the confidentiality, integrity, and availability of your customers' personal data, which is what the GDPR requires in Article 32.1(b) and (c).
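Added example, not part of the original article: a Python script that applies three of the controls above (monitoring privileged access to confidential data, using the access log, and reviewing granted permissions) to a constructed JSON-lines audit log and grant list. The field names, the resource and role names, the bulk-row threshold, the business-hours window and the 90-day idle limit are all assumptions chosen for this example; a real deployment would read its own audit-log format and tune those parameters.

```python
import json
from datetime import datetime, timedelta

# Constructed access-log lines (one JSON object per line), in the shape a
# database or application audit log might emit. Not from any real system.
SAMPLE_LOG = """\
{"ts":"2024-03-01T09:12:03Z","user":"jsmith","role":"analyst","resource":"customers.pii","action":"read","rows":1}
{"ts":"2024-03-01T23:40:11Z","user":"dba01","role":"dba","resource":"customers.pii","action":"read","rows":250000}
{"ts":"2024-03-02T10:02:45Z","user":"dba01","role":"dba","resource":"orders","action":"update","rows":3}
{"ts":"2024-03-02T10:05:00Z","user":"svc-backup","role":"service","resource":"customers.pii","action":"export","rows":250000}
{"ts":"2024-03-03T14:20:30Z","user":"jsmith","role":"analyst","resource":"customers.pii","action":"update","rows":2}
"""

# Constructed permission grants, as exported from an IAM system or database.
GRANTS = [
    {"user": "jsmith", "resource": "customers.pii", "actions": ["read"]},
    {"user": "dba01", "resource": "customers.pii", "actions": ["read", "update"]},
    {"user": "svc-backup", "resource": "customers.pii", "actions": ["export"]},
    {"user": "old-contractor", "resource": "customers.pii", "actions": ["read"]},
]

# Assumed policy parameters for the example.
PII_RESOURCES = {"customers.pii"}
PRIVILEGED_ROLES = {"dba", "service"}
BULK_ROWS = 10000                # more rows than this in one operation is "bulk"
BUSINESS_HOURS = range(7, 19)    # UTC hours considered normal working time
MAX_IDLE_DAYS = 90               # grants unused this long are flagged for review


def parse_log(text):
    """Parse a JSON-lines audit log; timestamps are ISO 8601 in UTC."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def access_findings(events, grants):
    """Monitor PII access: flag actions with no matching grant, and bulk or
    off-hours operations by privileged accounts."""
    allowed = {(g["user"], g["resource"]): set(g["actions"]) for g in grants}
    findings = []
    for e in events:
        if e["resource"] not in PII_RESOURCES:
            continue
        if e["action"] not in allowed.get((e["user"], e["resource"]), set()):
            findings.append(("ACCESS_WITHOUT_GRANT", e["user"], e["action"], e["ts"]))
        if e["role"] in PRIVILEGED_ROLES and (
            e["rows"] >= BULK_ROWS or e["ts"].hour not in BUSINESS_HOURS
        ):
            findings.append(("PRIVILEGED_BULK_OR_OFFHOURS", e["user"], e["action"], e["ts"]))
    return findings


def stale_grants(events, grants, review_date):
    """Permission review: grants on PII resources not exercised within MAX_IDLE_DAYS."""
    last_used = {}
    for e in events:
        key = (e["user"], e["resource"])
        last_used[key] = max(last_used.get(key, e["ts"]), e["ts"])
    stale = []
    for g in grants:
        if g["resource"] not in PII_RESOURCES:
            continue
        used = last_used.get((g["user"], g["resource"]))
        if used is None or review_date - used > timedelta(days=MAX_IDLE_DAYS):
            stale.append(g["user"])
    return stale


def run_review(review_date=datetime(2024, 3, 4)):
    """Run both checks over the constructed data and return the results."""
    events = parse_log(SAMPLE_LOG)
    return access_findings(events, GRANTS), stale_grants(events, GRANTS, review_date)


if __name__ == "__main__":
    findings, stale = run_review()
    for f in findings:
        print("FINDING", *f)
    for user in stale:
        print("STALE GRANT", user)
```

Two of the three findings are about the DBA and the backup service account, both of which hold legitimate grants; that is the point of monitoring privileged users separately from enforcing access control. The stale-grant list is the input to the periodic permission review, and the script itself is a small instance of the regular testing Article 32.1(d) asks for.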
Adopting ISO 27001 doesn't stop with deploying an ISMS. The standard requires regular internal audits (clause 9.2) and management reviews (clause 9.3) to confirm that ISMS controls continue to reduce security risks and protect confidential data, and corrective action (clause 10) where they do not. This audit cycle meets the GDPR requirement stated in Article 32.1(d).
Want to learn more about how to comply with the GDPR? Check out our exclusive GDPR zone.