How ISO27001 helps you protect your information and fulfil GDPR cyber security obligations


Cyber security awareness is now more important than ever. Since January 2020, cyber attacks have been on the rise, with the COVID-19 pandemic and the sudden shift to remote working playing a key role. Attackers have expanded their capabilities, with new malware families, phishing campaigns and ransomware operations at their disposal.
The growth in malicious attacks brings new focus to the data security obligations organisations have under GDPR. In this blog, we look at practical measures that organisations can take to optimise cyber security, and mitigate the many risks and threats involved.
The sixth data protection principle of the GDPR (Article 5(1)(f), integrity and confidentiality) requires that organisations maintain appropriate security around personal data. Furthermore, Article 32 of the GDPR stipulates that the controller and the processor “shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate” the pseudonymisation and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; the ability to restore availability and access to personal data in a timely manner after an incident; and a process for regularly testing, assessing and evaluating the effectiveness of those measures.
How do you implement these measures?
Thankfully, information security is replete with international standards that help organisations put in place a coherent and complete suite of ‘to-do’ controls, which support precisely this legal requirement.
One of the most widely adopted is ISO/IEC 27001:2013, an internationally recognised standard against which an organisation can be certified by an accredited certification body. It describes how an organisation can put in place an Information Security Management System, a fancy term for a structured programme of work that helps a company to identify, mitigate and report on information security risks.
“Technical and organisational measures”, as stated in the GDPR, effectively requires organisations to demonstrate coordination, risk management and improvement planning across their technology, personnel and third parties when it comes to protecting the personal data they process. It is a complicated endeavour, given the many moving parts, and without a framework such as ISO 27001 it is very difficult to demonstrate the level of control that regulators want to see.
Bear in mind that long before the GDPR, regulators were already using ISO 27001 as a means of measuring the security compliance of data controllers and processors. It is a familiar standard to them and a very capable way of demonstrating maturity of approach if you find yourself on the wrong side of a data breach.
GDPR Data Security Expectations
The bottom line is very simple. The GDPR has set a clear expectation that all organisations must be able to demonstrate objective and measurable capabilities when it comes to evidencing security compliance around personal data. You need a proven way of working in order to achieve this outcome. With ISO 27001:2013, you get the definitions and structures that allow you to put in place an Information Security Management System that gives you those measurables and ultimately reduces your exposure to a dreaded data breach.
So, what is in an Information Security Management System (ISMS for short)? The key structures are: policies; a suite of security controls, listed in Annex A of ISO 27001:2013 and explained in ISO 27002 (114 controls in 14 domains), which give general guidance on specific things to do; a risk management framework to identify security risks and deal with them; a governance structure that ensures senior management is actively engaged with your subject matter personnel and the business users; and, finally, a training and awareness regime, one of the most important aspects of any information security programme.
Over time, as the ISMS matures, new risks are identified, old ones get resolved, the risk framework is refined, policies get updated, staff awareness increases, and a level of overall visibility and control takes shape. This is known in ISO 27001 as continual improvement (clause 10.2), and it is a critical part of the overall evolution of information security compliance.
Whether you are an organisation with an established information security team, or one that has no particular expertise or in-house capability, utilising ISO 27001 is vitally important in addressing your legal obligations under the GDPR, and something that you as a Data Protection Officer should push hard for.
Got any questions about how ISO 27001 certification helps you protect your organisation’s cyber security, and how Sytorus can help you attain it? Schedule an appointment with a member of the team.