As our team has started to work on our own 27001 certification, I thought it might be useful to discuss some common points between GDPR and ISO27001.
From our own experience, I think that if the people in charge of 27001 (IT?) and the people in charge of data protection (DPO?) spoke to each other in a constructive manner, their company would benefit.
To assist both, let's look at what each addresses:
ISO27001 has a scope, and unless that scope is aligned with the requirements of the GDPR, the certification may not be of much use. I once dealt with an ISO27001-certified company with 150 staff where each policy was barely a page long, and IT was still looking for an asset register before the re-certification audit.
PII (Personally Identifiable Information, ISO27001) is not the same as personal data (GDPR):
A DPO would hugely benefit from IT's asset register to demonstrate that adequate technical measures have been implemented (Art 24, Art 32) to protect personal data.
A register of processing activities can help IT and ultimately save the company a lot of money.
IT shouldn't blindly sign a data processing agreement.
There is a danger that if IT leads GDPR, some technical aspects will be handled, but who can independently review them? You can't be both judge and party.
What is the point of either 27001 or GDPR if management isn't interested? A company last year mentioned all the work done for ISO9001 (a "quality" standard), yet no member of staff knows where the procedures are.
Working together is key.
FYI, Bizoneo can assist with managing both from a single platform. Bizoneo (GRC) users avail of:
We are adding
- Claude Saulnier
Brand Ambassador - Bizoneo