ISO 27001 & GDPR – An Opportunity to Embrace Information Security Good Practice
It’s mid-May 2018 and we are on the verge of a defining moment in the European Information Security epoch, with the new EU General Data Protection Regulation (GDPR) coming into effect on the 25th. For anyone who has not checked their diary yet, this conveniently falls on a Friday, so at least there is the weekend to make all those last-minute compliance adjustments you were planning before the regulator taps on the door…
For those who have been on the epic journey to achieve compliance, albeit in a largely self-assessed, group-think interpretation kind of way, well done! If you have a few more things to do over that last weekend, good luck; the life jackets are in the hull!
Wherever you are on your voyage in either seeking or achieving compliance, you will no doubt have seen some clear alliances between the long-debated information security principles and frameworks of old and what GDPR now mandates for organisations that process, store or transmit personal data.
In particular, article 25 is rather interesting and emotive from an information security perspective, as ‘…proving Data Protection by Design & Default’ is likely to provide a challenging theatre for debate in order to establish the necessary case law precedents. One only has to assemble a small room of Information Security professionals to find that you will get six answers to one question, and that many of those answers will be preceded with ‘well, it depends’. From an industry perspective, it is highly likely that the legal profession will be battling it out for some time (and at extensive cost) in the early exchanges of the legislative implementation of GDPR, to settle what this might actually mean in litigation vs. real-world terms. We await the backlash and fallout on this topic for years to come.
Security of Processing
It is, however, article 32 – ‘Security of Processing’ – that we should call out for specific attention, as it is a key motivation for doing things in a more structured and disciplined way. Through a layperson’s interpretation, this article requires that ‘thou shalt do an Information Security Management System’. A short sentence in literary terms, but typically a lot of work in practical terms. It even goes so far as to state that those responsible need to ‘…ensure the confidentiality, integrity, availability and resilience of processing systems and services’. This all sounds familiar and rather comforting against the backdrop of the paradigms and legal language used in some other areas of the regulation.
The ISO 27001 framework
Many organisations (if not already doing some form of uplift in the name of data protection) will now be compelled to implement a structured and well-thought-out approach to the mitigation of information security risk in order to meet the objectives of article 32. The ISO 27001 framework is an excellent model that can be adopted to address this requirement specifically.
It allows organisations of all sizes and degrees of complexity to think about information security in a way that is proportionate to their needs and can be balanced against their risk appetite. The controls defined in ISO 27001, whilst varied and stated at a high level, are highly inclusive and, with the right level of support and guidance, can be met with a low degree of impact and change (assuming that some basic tenets of information assurance and technical hygiene are already in place).
There are also a number of other articles in the regulation that point towards the merits of adopting an ISO 27001 framework, and (as any completer-finishers amongst you might contemplate) the crowning glory of these efforts would be to have it independently reviewed and endorsed by a certification body, so that any interested parties (e.g. customers, shareholders, employees, partners or indeed regulators – supervisory authorities in GDPR speak) have the appropriate assurance that a good benchmark standard for data security and protection has been achieved.
So, if the regulator does come tapping on the door on the 28th May or any date thereafter, it might be prudent to have that certification to hand, alongside the long list of other artefacts that have been described and no doubt over-interpreted across the last 2+ years of GDPR coming to fruition.