Beyond GDPR to ISO 27001

Hopefully, by the time you read this, the number of unsolicited mails worrying you about GDPR compliance will have slowed to a trickle of only 20 a day. Of course, you had all your compliance issues addressed, ready for The GDPR Police early morning raid on the 26th. Are we a touch cynical? Yes indeed. We’ve been in the quality and standards business for a few years now, and can’t remember such a feeding frenzy since the millennium bug non-event.
If you’ve done the work for GDPR, then you’ve already touched on some of the very broad principles of ISO 27001. Why not press on from controls relating to data privacy to a recognised international certification in data security?
How far are you along the road towards ISO 27001? Here are some basic, broad observations:
1/ You already take data protection seriously.
Your business realises that a significant data breach will generate huge negative publicity, achieve instant “brand awareness” of the toxic kind, potentially land you in court, and get you a hefty fine. This is a very good place to start. Fear is the key. As well as privacy, GDPR will already have brought the whole issue of disaster recovery into focus. Article 32 says “Restore the availability and access to personal data in a timely manner in the event of a physical or technical incident”. This whole issue of risk is the heart of ISO 27001. You are aware of potential catastrophes and are ready to address the risk. Good.
2/ You understand that, as a consequence, you need a bespoke system.
GDPR compliance activity should have given you a framework: policies, procedures and processes. But if you’ve adopted standard documents and responses, then in the longer term their implementation and use may reveal the shortcomings of not having developed them to fit your business. The backbone of ISO 27001 is a similar set of guidelines, namely the Information Security Management System or ISMS. However, to be fully effective and financially viable, such systems need to fit your everyday business practices.
3/ Through GDPR, you may have already had outside input. The safety of a different perspective.
It’s our observation that much corporate life seems tribal – there are chiefs, followers, honoured rituals and lots of traditions, a few of which might actually be beneficial. My point is that it frequently takes the brutal insight of an outsider to suggest to the tribe that there are problems in their corporate village. Hopefully, you’ve employed such a “critical friend” already in your quest for GDPR compliance. He or she will have challenged the statement that “We’re fine with GDPR – Steve from IT is looking at it with Molly and they’ve sorted it out”. Similarly, your ISO consultant will ask the hard questions about data security. If you’ve already coped with and overcome such painful scrutiny, the processes of ISO 27001 compliance won’t come as a shock.
4/ You understand that you need an in-house champion. Plus, you’ve (hopefully) got some buy-in.
To comply with GDPR you will likely have needed to assign responsibility to someone to protect your data and to report any issues to relevant people. ‘Data protection is the responsibility of everybody’ may be a typical response, but when it comes to documentation, it is always that one person who manages it all. Having someone in charge (whilst still maintaining a culture of data protection across all staff) is a great thing. Furthermore, it is an important step to make sure your management policy doesn’t become some awkward corporate entity, standing in the corner of the room staring at you from the shadows (yes, like that family relative we all wish was “normal”). Likewise, with ISO 27001, the responsibility for security has to be shouldered by someone specific. Furthermore, as with other newer ISO standards, engagement of higher management is not optional, but written into the system. Hopefully, your GDPR processes have this built into them. If not, ask for a refund from the consultant…
5/ You realise that you need to do some work to establish a system.
GDPR compliance has made you realise the wide nature of data privacy issues. To make the guidelines work in your everyday business setting, you’ll need cooperation across the whole business. You realise that compliance is not just a certificate on a boardroom wall. It can’t be found via Google and a PDF download check-list. For any quality management system to work, it must fit the business like a tailored suit. If GDPR compliance has instilled this understanding, then ISO 27001 certification should not be a challenge.
6/ You understand that this is a journey not a destination.
If you grasp that your GDPR system will be as static as your business (that is, highly dynamic!), then you’ll have captured yet another aspect of ISO 27001, namely that the heart of the standard, the Information Security Management System, will need review and monitoring via a regular internal audit to ensure continued compliance.
7/ You see compliance as more than just a certificate but a business tool.
Did you see GDPR compliance as a pain, or necessary hard work in order to reassure your customers, both current and future? I can guess the answer. However, if there was even the slightest feeling of “this will make our customers feel safer around us” at any point, you’ll have touched on a key, largely unrecognised aspect of ISO 27001. In business-speak, it’s a key differentiator. Put bluntly, if you don’t have it, some potential customers won’t even bother you with a tentative enquiry. It will open up opportunities. It marks you out as taking what you do very seriously, having the professional standards to understand the essential nature of data security.
So, if you’ve completed GDPR compliance work, how far is ISO 27001 away? If any of the above points ring a bell, we’d suggest “not far”. Beyond GDPR to ISO 27001. Talk to us.