If you’ve done the work for GDPR, then you’ve already touched on some of the very broad principles of ISO 27001. Why not press on from controls relating to data privacy to a recognised international certification in data security?
How far are you along the road towards ISO 27001?
Here are some basic, broad observations:
You already take data protection seriously.
Your business realises that a significant data breach will generate huge negative publicity, achieve instant “brand awareness” of the toxic kind, potentially land you in court, and get you a hefty fine. This is a very good place to start. Fear is the key. As well as privacy, GDPR will already have brought the whole issue of disaster recovery into focus. Article 32 says “Restore the availability and access to personal data in a timely manner in the event of a physical or technical incident”. This whole issue of risk is the heart of ISO 27001. You are aware of potential catastrophes and are ready to address the risk. Good.
You understand that, as a consequence, you need a bespoke system.
GDPR compliance activity should have given you a framework: policies, procedures and processes. But if you’ve adopted standard documents and responses, then in the longer term their implementation and use may reveal their shortcomings compared with actually developing a framework to fit your business. The backbone of ISO 27001 is a similar set of guidelines, namely the Information Security Management System or ISMS. However, to be fully effective and financially viable, such systems need to fit your everyday business practices.
Through GDPR, you may already have had outside input: the safety of a different perspective.
You understand that you need an in-house champion. Plus, you’ve (hopefully) got some buy-in.
To comply with GDPR you will likely have needed to assign responsibility to someone to protect your data and to report any issues to relevant people. ‘Data protection is the responsibility of everybody’ may be a typical response, but when it comes to documentation, it is always that one person who manages it all. Having someone in charge (whilst still maintaining a culture of data protection across all staff) is a great thing. Furthermore, it is an important step to make sure your management policy doesn’t become some awkward corporate entity, stood in the corner of the room staring at you from the shadows (yes, like that family relative we all wish was “normal”). Likewise, with ISO 27001, the responsibility for security has to be shouldered by someone specific. Furthermore, as with other newer ISO standards, engagement of higher management is not optional, but written into the system. Hopefully, your GDPR processes have this built into them. If not, ask for a refund from the consultant…
You realise that you need to do some work to establish a system.
GDPR compliance has made you realise the wide nature of data privacy issues. To make the guidelines work in your everyday business setting, you’ll need cooperation across the whole business. You realise that compliance is not just a certificate on a boardroom wall. It can’t be found via Google and a PDF download checklist. For any quality management system to work, it must fit the business like a tailored suit. If GDPR compliance has instilled this understanding, then ISO 27001 certification should not be a challenge.
You understand that this is a journey not a destination.
If you grasp that your GDPR system will be as static as your business (that is, highly dynamic!), then you’ll have captured yet another aspect of ISO 27001, namely that the heart of the standard, the Information Security Management System, will need review and monitoring via a regular internal audit to ensure continued compliance.
You see compliance not just as a certificate but as a business tool.
Did you see GDPR compliance as a pain, or necessary hard work in order to reassure your customers, both current and future? I can guess the answer. However, if there was even the slightest feeling of “this will make our customers feel safer around us” at any point, you’ll have touched on a key, largely unrecognised aspect of ISO 27001. In business-speak, it’s a key differentiator. Put bluntly, if you don’t have it, some potential customers won’t even bother you with a tentative enquiry. It will open up opportunities. It marks you out as taking what you do very seriously, having the professional standards to understand the essential nature of data security.