GDPR and ISO 27001 are two significant compliance standards that have a lot in common. Both of them aim to strengthen data security and mitigate the risk of data breaches, and both of them require organizations to ensure the confidentiality, integrity and availability of sensitive data. ISO 27001 is one of the most detailed best-practice standards, and in fact, Article 24 of the GDPR specifies that adherence to codes of conduct and approved certifications, like ISO 27001, can be used as an element of demonstrating compliance. No wonder that I often hear questions like, “Am I fully compliant with GDPR if I am already certified to ISO 27001?”
However, the GDPR has a far broader scope and a more fundamental understanding of data security and privacy. In this blog post, I am going to answer several frequently asked questions about ISO 27001 and the GDPR, so you can better understand the similarities and differences between these standards and decide how you can use the ISO 27001 framework to pass GDPR compliance audits:
- What is GDPR?
- What is ISO 27001?
- What are the similarities between ISO 27001 and GDPR?
- Does compliance with ISO 27001 guarantee GDPR compliance?
What is the GDPR?
The General Data Protection Regulation (GDPR) is a compliance standard that aims to strengthen data protection; it applies to all organizations — inside or outside the EU — that store or process the personal data of EU residents. The standard will come into force on May 25, 2018, and it is already changing the way companies handle data protection. The GDPR broadens the rights of individuals with respect to their personal data, mandates new approaches (e.g., data protection by design and by default) and involves large penalties for violations.
The most critical requirements of GDPR include:
1. Broader scope of data that requires protection
GDPR protects a large set of data, including not only personal information like names, IDs and Social Security numbers, but also medical data, biometric data, political opinions and more (Articles 5–11).
2. Explicit consent required for use of data
Article 6 of the GDPR requires organizations to get explicit consent for the collection and use of individuals’ data. To fulfill this requirement, organizations need to preserve documented evidence that consent was given and prove that all requests for consent are clear and concise.
3. Extended rights of data subjects
Chapter 3 provides a long list of rules to help individuals gain better control over their data. EU residents will have the right to obtain information about whether their personal data is being processed (Article 15), easily transfer their data between service providers (Article 20) and object to the processing of their data (Article 21). One of the most significant GDPR requirements is the “right to be forgotten” (Article 17), which empowers individuals to force companies to erase their data from all systems. The GDPR is arguably the only compliance standard that puts power into the hands of consumers and puts their interests above the interests of organizations, and companies that are preparing for the GDPR already see the difference:
Unfortunately, American laws do not seem to care as much about citizens’ data as European laws do. Citizens here do not have the option to, effectively, say ‘Give me my data and erase it.’ The GDPR aims to protect citizens, to give them full transparency into which organizations process their sensitive information, how they process it, and what exactly they have. It gives citizens that ‘full scope’ option as well as allowing them to request a purge of their data under certain guidelines. For now, American laws are vastly behind the times when it comes to protecting their citizens as ‘data subjects’.
Kyle Reyes, Infrastructure Systems Administrator, Midland Information Resources
4. Huge fines for non-compliance
Fines for compliance failures are 2–4% of the company’s annual worldwide turnover or €10–20 million, whichever is higher. The most serious violations include accidental destruction, loss, change or transmission of personal data, as well as failure to demonstrate explicit consent for data processing (Articles 83–84).
5. Strict data breach notification rules
According to Article 33, data controllers have to report data breaches to supervisory authorities within 72 hours of discovery. If a company fails to do so, it has to provide valid reasons for the delay. This is significantly less time than required by any U.S. compliance standard (such as HIPAA or SOX).
What is ISO 27001?
ISO 27001 (formally known as ISO/IEC 27001:2013) is an international information security standard that provides requirements for implementing, maintaining and improving an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes the legal, technical and physical controls involved in a company’s IT risk management processes. Factors that affect ISMS implementation include the organization’s objectives, security requirements, size and structure.
Following ISO 27001 best practices helps organizations tackle security risks, protect sensitive data, and identify the scope and limitations of their security programs. The standard applies to a wide range of organizations, like businesses, government groups, academic institutions and nonprofits.
The most critical requirements of ISO 27001 include:
1. Asset management
Organizations are required to achieve and maintain appropriate protection of organizational assets, which means that they need to identify their assets and document rules for the acceptable use of information (Controls A.8). Furthermore, all the information must be classified in terms of its value, legal requirements, sensitivity and criticality to the organization.
2. Operational security
This large set of controls outlines basic operational procedures and responsibilities, such as separation of development, testing and operational environments; change management; and documenting the operating procedures (A.12).
3. Access control
This family of controls (A.9) provides guidelines for controlling the use of data within the organization and preventing unauthorized access to operating systems, networked services, information processing facilities and so on. This involves rules for user access management, management of privileged access rights, user responsibilities, and system and application access control.
4. Information security incident management
The A.16 control family outlines the rules for reporting IT security events and weaknesses, managing IT security incidents, and improving these processes. Organizations have to ensure that security incidents are communicated in a manner that allows for a timely and effective response.
5. Human resource security
The A.7 control family requires organizations to ensure that employees and contractors are aware of and fulfill their information security responsibilities. Organizations need to provide staff members with awareness training and take formal disciplinary action against employees who commit an information security breach.
6. Business continuity
This set of controls (A.17) outlines information security aspects of business continuity management. Organizations need to determine the requirements for continuity of information security management in adverse situations, document and maintain security controls to ensure the required level of continuity, and verify these controls regularly.
Mapping ISO 27001 to the GDPR: What are the similarities?
There are many areas where ISO 27001 and the GDPR overlap. Most of them are related to information security: ISO 27001 specifies similar rules for data protection as those outlined in GDPR articles 5, 24, 25, 28, 30 and 32. Here are just a few points that match in both standards:
Data confidentiality, availability and integrity
Article 5 of the GDPR specifies general principles for data processing, such as protection against “unauthorized or unlawful processing, accidental loss, destruction or damage.” More detailed guidelines are given in Article 32, which specifies that organizations are required to implement, operate and maintain appropriate technical and organizational measures to ensure data security, such as encryption, resilience of processing systems and services, the ability to restore the availability of personal data in a timely manner, and more.
Similarly, multiple controls in ISO 27001 are aimed at helping organizations ensure data confidentiality, availability and integrity. Starting from Clause 4, ISO 27001 requires organizations to identify internal and external issues that might impact their security programs. Clause 6 requires them to determine their IT security objectives and create a security program that will help them achieve those goals. Clause 8 sets standards for the continued maintenance of the security program and requires organizations to document their security program to demonstrate regulatory compliance.
Both ISO 27001 and the GDPR require a risk-based approach to data security. Article 35 of the GDPR requires companies to perform data protection impact assessments to assess and identify risks to individuals’ data. This GDPR risk assessment is mandatory before undertaking high-risk processing, such as systematic monitoring of extremely sensitive data.
ISO 27001 also advises organizations to conduct a thorough risk assessment to identify threats and vulnerabilities that might affect their assets (Clause 6.1.2), and to select appropriate information security measures based on the results of that risk assessment (Clause 6.1.3).
Clause 8 of ISO 27001 requires organizations to identify which processing actions are outsourced and ensure that they are able to keep those actions under control. Clause A.15 provides specific guidance on supplier relationships and requires organizations to monitor and review supplier service delivery.
Similar issues are covered in Article 28 of the GDPR, which requires data controllers to secure contractual terms and assurances from processors, creating a “data processing agreement.”
According to Articles 33–34 of the GDPR, companies have to notify authorities within 72 hours after discovery of a breach of personal data. Data subjects also have to be notified without undue delay, but only if the data poses a “high risk to data subjects’ rights and freedom.”
Clause A.16 of ISO 27001, which addresses information security incident management controls, does not specify an exact timeframe for data breach notification, but it does say that organizations have to report security incidents promptly and communicate these events in a manner that enables “timely corrective action to be taken.”
Data protection by design and by default
Article 25 of the GDPR says that companies need to implement technical and organizational measures during the design stage of all projects so they can ensure data privacy right from the start (“data protection by design”). Moreover, organizations should protect data privacy by default and ensure that only information that is necessary for each specific purpose of the processing is used (“data protection by default”).
In ISO 27001, similar requirements are outlined in Clauses 4 and 6. Clause 4 requires organizations to understand the scope and context of data that they collect and process, while Clause 6 recommends they perform regular security risk assessments to ensure the effectiveness of their security management program.
Article 30 of the GDPR requires organizations to maintain records of their processing activities, including the categories of data, the purpose of processing, and a general description of the relevant technical and organizational security measures.
Similarly, ISO 27001 says that organizations must document their security processes, as well as the results of their security risk assessments and risk treatment (Clause 8). According to Control A.8, information assets must be inventoried and classified, asset owners must be assigned and procedures for acceptable data use must be defined.
Does compliance with ISO 27001 guarantee GDPR compliance?
As you can see, certification with ISO 27001 can simplify the process of achieving GDPR compliance. However, there are several differences between these standards. GDPR is a global standard that provides a strategic vision of how organizations need to ensure data privacy. ISO 27001 is a set of best practices with a narrow focus on information security; it provides practical advice on how to protect information and reduce cyber threats. Unlike the GDPR, it does not directly cover the following issues associated with data privacy, which are outlined in Chapter 3 of the GDPR (Data Subject Rights):
- Consent — Data controllers have to prove that data subjects have agreed to the processing of their personal data (Articles 7 and 8). The request for consent must be presented in an easily accessible form, with the purpose of the data processing attached. Data subjects also have the right to withdraw their consent at any time.
- Data portability — Individuals have the right to obtain and reuse their personal data for their own purposes across different services, as well as transmit that data to another controller without hindrance to usability (Article 20).
- The right to be forgotten — Individuals have the right to have their personal data erased or stop further dissemination of it without delay (Article 17).
- The right to restriction of processing — Individuals have the right to limit the way an organization uses their personal data if the data has been unlawfully processed or the individual contests the accuracy of the data (Article 18).
- Right to object — Data subjects have the right to object to data processing for direct marketing, performance of legal tasks, or research purposes and statistics (Article 21).
- International transfers of personal data — Organizations have to ensure that international data transfers are carried out in accordance with rules approved by the European Commission (Article 46).
In a nutshell
As we can see, the GDPR focuses on data privacy and the protection of personal information; it requires organizations to put more effort into obtaining explicit consent for data collection and ensuring that all data is processed lawfully. However, it lacks technical details on how to maintain an appropriate level of data security or mitigate internal and external threats. In this regard, ISO 27001 comes in handy: It provides practical advice on how to develop clear, comprehensive policies to minimize security risks that might lead to security incidents.
Although conforming to ISO 27001 does not guarantee GDPR compliance, it is a valuable step. Organizations should consider pursuing ISO 27001 certification to ensure their security measures are strong enough to protect sensitive data.