How ISO 27001 can assist with your GDPR compliance
GDPR Summit, May 30th 2018
Sharon O Reilly, IT Governance Ltd, www.itgovernance.eu
Introduction: Speaker Background
- GRC/GDPR Consultant, Ireland, IT Governance
- Certified Data Protection Practitioner and Practitioner Course Trainer
- Certified Trainer: Data Protection, Information Security, Management Systems
- Certified ISO 27001 Lead Auditor and Lead Implementer
- 16 years' experience as a consultant to Irish industry, specialising in ISO 27001, Data Protection and PCI DSS consultancy
- Have consulted to organisations across multiple sectors
- Experienced auditor, compliance systems implementer and contract manager
- Engaged by clients to audit key suppliers and act as lead for external certification and client audits
- BSc and MSc Analytical Science
- 10 years' experience in the pharmaceutical regulatory and compliance areas
Overview
The GDPR is with us as of Friday 25th May, but it is widely acknowledged that there is much still to be done to achieve compliance. The purpose of this presentation is to explain clearly and simply how ISO 27001 can help you in your quest to achieve and maintain GDPR compliance.
Overview
GDPR: EU General Data Protection Regulation. This Regulation needs to be considered alongside the new Irish Data Protection Act, which was signed into law on Thursday 24th May 2018.
ISO 27001:2013: the Information Security Management Systems standard (current version issued in 2013), and the international gold standard in the information security management sphere.
Overview
But what has ISO 27001 got to do with GDPR compliance? Quite a lot, actually.
GOOD NEWS!
Many organisations have been struggling with their GDPR compliance programmes: "Why is there no standard we can use?" There is. ISO 27001 is all about creating robust and practical information security management systems and creating a culture of security. While this does not cover all aspects of GDPR compliance, it does cover many key areas.
Overview
GDPR compliance is a legal necessity. Information security management is a business essential. Put them together and you have a very valuable framework which will allow you to manage GDPR compliance going forward and maintain best practice in information security.
Overview
GDPR + ISO 27001 = a robust and sustainable data governance framework
ISO 27001 and GDPR: KEY REQUIREMENTS
GDPR / ISO 27001:
- Risk-based approach (GDPR) / Systematic approach to information security (ISO 27001)
- Data processing principles 4-6
- Accountability
- Security of processing
- Continual improvement
RISK-BASED APPROACH
The GDPR requires organisations to adopt appropriate policies, procedures and processes to protect the personal data they hold. This involves taking a risk-based approach to data protection and building a workplace culture of data privacy and security.
SYSTEMATIC APPROACH TO INFORMATION SECURITY
ISO 27001 provides exactly that: a systematic approach to information security management, with mandatory systems or processes which manage and control the controls. It is a management systems standard.
GDPR PRINCIPLES OF PROCESSING (plus Accountability)
1. Processed lawfully, fairly and in a transparent manner
2. Collected for specified, explicit and legitimate purposes
3. Adequate, relevant and limited to what is necessary
4. Accurate and, where necessary, kept up to date (ISO 27001)
5. Retained only for as long as necessary (ISO 27001)
6. Processed in an appropriate manner to maintain security (ISO 27001)
ACCOUNTABILITY
The GDPR introduces a new principle: that of accountability. The GDPR requires that your organisation can demonstrate compliance with all the principles. So, your organisation needs to build such a culture and be able to demonstrate accountability.
ACCOUNTABILITY
An ISMS (Information Security Management System) produces records to demonstrate that it is working correctly = Accountability
SECURITY OF PROCESSING
Article 32 of the GDPR says that technical and organisational measures must be taken to ensure a level of security appropriate to the risk. ISO 27001 mandates risk management to identify such measures, and Annex A identifies specific control measures.
CONTINUAL IMPROVEMENT
The GDPR refers to regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing (Article 32).
CONTINUAL IMPROVEMENT
An ISO 27001-aligned ISMS provides measures to continually improve the suitability, adequacy and effectiveness of the ISMS. Applying this approach to continual improvement also supports compliance with the GDPR.
More good news: added extras
Using ISO 27001 as a framework for managing GDPR compliance not only makes GDPR compliance simpler, both at the implementation phase and on a continuous and sustainable basis, but also gives us many more extra benefits.
More good news: added extras
- Protection of all information, not just personal data
- Assurance to the outside world that we take security seriously
- Reduced reputational risks: bad headline avoidance
Conclusion
Thank you. For more information or to get in touch, feel free to visit our website at www.itgovernance.eu