In the corporate sector, there is a consensus that ISO 27001 is the gold standard in best-practice schemes. By implementing the ISO 27001 standard, an organisation activates an information security management system (ISMS) that operates within the company’s corporate culture and is fully compliant with Governance, Risk management and Compliance (GRC). The standard is continually updated and improved, allowing the ISMS to stay on top of changes both within and outside of the firm, while also adapting to the ever-changing cyber risk environment.

Businesses that have already attained ISO 27001 certification will have recognised some parallels between that standard and GDPR.

But are they doing enough? Does ISO 27001 assure compliance with GDPR?

The difference between ISO 27001 and GDPR

ISO 27001 is an internationally recognised information security management standard. The controls set up within an ISMS are designed across a broader spectrum, helping to protect all information and data, including customer and employee personal data, Intellectual Property (IP), sales and operational information and financial information. The General Data Protection Regulation is a set of laws around the use of personal data and applies to everyone who processes data – including names, IDs, medical and biometric data, political opinions and more – of people in the EU.

The most significant distinction between the two standards is that GDPR is a legal mandate. Failure to protect consumer data in accordance with GDPR can result in significant fines from the Information Commissioner’s Office (ICO) and long-term damage to reputation. Data breaches have already resulted in significant penalties for certain prominent corporations, like British Airways, Zoom and GoDaddy.

The second significant distinction between ISO 27001 and GDPR is intent: ISO 27001 was developed long before GDPR went into effect, and hence was not meant primarily to ensure compliance with the legislation. Conversely, GDPR's scope is more limited: it concentrates solely on personal data, whereas ISO 27001 takes a far broader approach to addressing data protection.

Mapping the gaps between ISO 27001 and GDPR

Some aspects of the GDPR are not covered by ISO 27001, such as the right of a data subject to have his or her data relocated or destroyed. However, the standard does fulfil a good majority of the GDPR's obligations, because personal data is recognised as an information security asset under ISO 27001. As a result, the two standards have similar perspectives on data security, and having ISO 27001 certification is hugely helpful when it comes to complying with GDPR.

However, it is not enough on its own. In order to be fully compliant with GDPR, CISOs need to ensure they also consider areas such as consent, the right to be forgotten, the right to object, the right to restrict processing, data portability and the international transfer of data.

This is the reason why we recommend that all ISO 27001-certified businesses that are subject to GDPR complete a gap analysis. This will tell you where you are today and what you need to add or change to fully comply with GDPR.

If you need help to assess whether there are gaps in your GDPR compliance, get in touch with us today.