Data Protection, GDPR and ISO27001

As our team has started to work on our own 27001 certification, I thought it might be useful to discuss some common points between GDPR and ISO27001.

From our own experience, I think that if the people in charge of 27001 (IT?) and the people in charge of data protection (DPO?) spoke to each other in a constructive manner, their company would benefit.

To assist both, let's look at what each addresses:

  • ISO27001 is a security-related standard that, if handled properly, can help cover some of the GDPR requirements such as Art 5.1.f, Art 24 and Art 32. However, 5.1.f is only one of the 6 personal data processing principles in the GDPR for lawful processing (the 7th principle being accountability, e.g. demonstrating compliance with each personal data processing principle).
     
  • The GDPR protects rights and freedoms (Art 1.2) and is law (General Data Protection Regulation). ISO27001 is a standard. Companies have to volunteer and pay to be certified. ISO27001 is not a legal requirement, unless, of course, a specific piece of legislation explicitly requires ISO27001 certification.

ISO27001 has a scope, and unless that scope is aligned to the requirements of the GDPR, it may not be of much use. I once dealt with an ISO27001-certified company with 150 staff where each policy was barely a page long, and IT was still looking for an asset register before the re-certification audit.

PII (Personally Identifiable Information, ISO27001) is not the same as personal data (GDPR):

  • PII is identified;
  • personal data is identified or identifiable;
  • "identifiable" makes a huge difference.

A DPO would hugely benefit from IT's asset register to demonstrate that adequate technical measures have been implemented (Art 24, Art 32) to protect personal data.

A register of processing activities can help IT and ultimately save the company a lot of money.

IT shouldn't blindly sign a data processing agreement.

There is a danger that if IT leads GDPR, some technical aspects will be handled, but who can independently review them? You can't be both judge and party.

What is the point of either 27001 or GDPR if management isn't interested? A company last year mentioned all the work done for ISO9001 (a "quality" standard), yet no staff member knows where the procedures are.

Working together is key.

FYI, Bizoneo can assist the management of both from a single platform. Bizoneo (GRC) users avail of:

  • an asset register
  • a risk register
  • breach and incident handling
  • a document management system with version control
  • a policy training module that can generate company branded training certificates
  • an audit module

We are adding

  • an ISO27001 assessment
  • a step-by-step template in the project management module
  • a set of standard policy templates required for ISO27001

I hope this helps. Join me on to comment

- Claude Saulnier
Brand Ambassador - Bizoneo