ISO 27001 – A swiss army knife for GDPR…

    By Vincent Naughton on April 27, 2017

    With GDPR just around the corner, many organisations are asking themselves if they should consider implementing an information security management system such as ISO 27001 in order to help achieve and maintain compliance with impending frameworks such as GDPR or PSD2.

      First off, it’s crucial that organisations realise that achieving ISO27001 accreditation does not lead to automatic GDPR or PSD2 compliance. On the contrary, organisations seeking to achieve compliance with these standards need to put in a lot of extra work.

      This is because ISO 27001 is an international best practice standard for Information Security, while GDPR is a regulation by which the European Parliament, Council and Commission intend to strengthen and unify data protection for all individuals within the EU. Finally, Payment Services Directive 2 (PSD2) is a new Europe-wide regulation requiring European banks to make it easier to share customer transaction and account data.

      At face value, ISO27001, GDPR and PSD2 are all very different things, i.e. best practice, legislation and industry standards respectively. However, at their core they all have something in common, namely the need to appropriately handle, process and store sensitive data, whether it’s personal, financial, commercial or intellectual property. Implicitly they also have common requirements around the need to be able to demonstrate governance, diligence of consideration and decision making, sustainability of operation and conformance with their respective control requirements – i.e. a strategic and systemic approach to Information Security, personal data and privacy.

      Implement a framework to steer compliance strategies

      Therefore, although organisations will need to complete additional courses of work to achieve GDPR and PSD2 compliance, it is Ward’s recommendation that they consider the implementation of an overarching Information Security framework such as ISO27001 to steer their compliance strategies. The key to integrating these different compliance frameworks and obligations, particularly for GDPR, is that your implementation of ISO27001 should identify personal data as an Information Security asset.

      Implementing ISO can aid organisations in a number of ways:

      • Achieving ISO 27001 compliance for the appropriate scope provides organisations with an independently accredited management system to manage their information security according to best practices. The accreditation also provides proof that you and your partners meet the recognised and appropriate information security standards. Organisations conducting B2B with larger enterprises are currently expending a lot of effort demonstrating diligence of their Information handling processes and procedures to existing and new customers. This burden is set to increase. ISO27001 accreditation to a relevant scope should help provide the reassurance that these customers need.
      • Maintaining and operating the ISMS or sub functions of the ISMS according to ISO 27001 will lead to improved security and reduced risk to organisations as a by-product of ensuring on-going compliance.
      • Implementation of ISO27001 generally leads to significant improvements in the culture and awareness of Information Security, which helps move organisations from a reactive approach to a compliant, proactive or optimised level of Information Security, leading to increased security / reduced risk and typically a reduced cost of security.
      • ISO 27001 requirements make it necessary for organisations to put a number of over-arching policies, procedures, controls and management systems in place to achieve compliance. Many of these elements are required under other security or compliance frameworks such as GDPR, PSD2, PCI DSS etc., meaning that organisations that achieve ISO27001 will have taken significant steps towards compliance with these other standards as well. However, organisations need to work hard to integrate the specific controls, processes and procedures of each compliance requirement into the overarching Information Security Management System. There are lots of sources mapping the control requirements of each compliance framework to each other, e.g. GDPR to ISO27001.
      • Compliance frameworks such as GDPR refer to the desirability of standards or accreditation. ISO27001 accreditation to a relevant scope should, in our opinion, help demonstrate to a regulator that an organisation expended significant diligence in meeting its compliance obligations, either in a business-as-usual (BAU) audit or after an incident.

      A more efficient approach

      Running individual, distinct information security compliance frameworks with no common overarching framework will most likely mean duplication of effort, as well as increased cost and management complexity, for organisations. Integrating individual compliance frameworks into an overarching framework such as ISO 27001 means one system to manage all Information Security requirements, reusing common elements across individual compliance frameworks – a much more efficient approach.

      ISO27001 accreditation demonstrates that the organisation in question, big or small, implements best-practice Information Security processes, something which is sure to be of interest to customers, auditors, regulators and third parties, especially as GDPR draws closer.

      To make the process of becoming ISO accredited easier for you, Ward’s ISO consultant can work closely with your business to steer you through the entire process. We can also customise our services to help you at any point in the implementation cycle:

      • Greenfield – We help devise and implement from the beginning.
      • Partly Progressed – We can pick up from where you currently are and take you through to completion.
      • Fully Progressed – We can supply you with an ISO 27001 maintenance service.

      To find out more about how Ward Solutions can help you in your ISO and GDPR journey, contact us on +353 87 642 0100 or e-mail: sales@ward.ie
