Does ISO 27001 cover your GDPR requirements?

We're ISO 27001 certified. So that's GDPR covered... Right?
ISO 27001 does indeed include some of the requirements of the GDPR, but is it enough on its own?

ISO 27001 has fast become the de facto security standard for businesses in the UK, and is often cited as a minimum requirement for organisations handling client data. However, whilst the General Data Protection Regulation specifically requires businesses to implement controls around personal data, ISO 27001 will only go so far in ensuring compliance with it.

How does ISO 27001 help?

ISO 27001 is all about the Information Security Management System, or ISMS. If you have one then congratulations! There is a good chance you are at least halfway to compliance with the GDPR by having in place:

  • An Incident Management Procedure

  • An Asset Database

  • Secure Development Policies and Procedures

  • Risk Assessment and Treatment

  • Access Control Management

  • Cryptography

  • Physical/Environmental Security

  • Media Handling Procedures

You also have an existing framework to build upon to meet the GDPR's requirements.

Although an average ISMS may cover many areas of the GDPR, it could still leave your organisation exposed when it comes to the core philosophy behind the regulation, because an ISMS is built around information security in general rather than the protection of personal data specifically.

In conclusion...

Certifying to ISO 27001 is a great start, and covers much of GDPR Articles 25, 32, 33 and 34 with regard to information security. To ensure compliance, it is recommended to use certification as the foundation for integrating a Personal Information Management System, or PIMS, to gain the most benefit.

If you'd like some help with implementing either, PECOMi Consulting offer services in both ISO 27001 implementation and GDPR integration.