On May 25, the period for adapting to the General Data Protection Regulation (RGPD) ended. The Regulation replaces the European Directive 94/46/CE and the related regulations currently in force.
One of its main novelties is the introduction of risk management, which will probably drive a large number of organizations to establish and strengthen a security culture close to, or in many cases comparable with, what the ISO 27001 standard requires (establishment, implementation, review and improvement of the Information Security Management System).
This situation describes a scenario in which information is an increasingly valued asset and threats to information security keep evolving. Within this scenario, a “globalization” of risk management as a cross-cutting tool in certification processes is foreseeable.
Likewise, the RGPD includes in its articles key concepts such as resilience and the dimensions of confidentiality, integrity and availability. These concepts can be understood as the main axes along which the ISO 27001 standard is applied.
The global scenario regarding the flow of personal data has changed radically since 1995, the year the now repealed Directive was published. One of the main objectives of the GDPR is therefore adaptation to that scenario, in which threats to information security, security breaches, theft of data or cryptocurrencies, denial of service attacks and a long list of other incidents are the order of the day and cannot be ignored.
Another major difference between the RGPD and the 1995 Directive is direct applicability: the old Directive required specific national legislation for its transposition, development or application, whereas the provisions of the RGPD are directly applicable and replace the corresponding national regulations. However, the law that will replace the current LOPD may specify some aspects that the RGPD leaves to the Member States.
The roadmap for adapting to the RGPD, prepared by the Spanish Data Protection Agency (AEPD), is based on the following keys:
- Appoint the Data Protection Officer or, where this is not applicable, designate the person(s) responsible for coordinating the adaptation.
- Draw up the record of processing activities.
- Conduct a risk analysis.
- Review security measures in light of the results of the risk analysis.
- Establish mechanisms and procedures for security breach notification.
- Based on the results of the risk analysis, carry out a Data Protection Impact Assessment.
The interrelationships between the RGPD and the ISO 27001 standard affect a large number of articles, and drawing up a map of correspondences between the articles of the RGPD and the sections of the standard would far exceed the scope of this article. That said, from a strictly technical point of view it seems vitally important to focus on article 32 of the RGPD, which specifies the following:
"The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, inter alia, as appropriate: a) the pseudonymisation and encryption of personal data; b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing."
In view of both the AEPD roadmap and the article quoted above, a strong correlation can be seen between the main objective of the ISO 27001 standard (the establishment, implementation, review and improvement of the Information Security Management System) and one of the main novelties of the GDPR, the introduction of risk management into compliance.
It is quite likely that the introduction of risk management into the GDPR will lead to a “globalization” of the discipline.
That is, the terms commonly used in the field of risk management, and awareness of how an impact on information security can affect business continuity, should be explained in more accessible language, given the likely growth in the number of organizations that have to include risk management in their procedures.
Within article 32 of the RGPD we can find direct correspondences with the sections of the ISO 27001 standard, as well as with the controls established in ISO 27002:
- Preparation of the risk analysis: this is one of the main steps in the creation of the ISMS (Section 4.2.1). In this section we also find the reference to evaluating impact in the dimensions of confidentiality, integrity and availability.
- Review of security measures: this covers practically everything established for the monitoring and review of the ISMS (Section 4.2.3).
- The record of processing activities is strongly related to the Control of records (Section 4.3.3).
- Notification of security breaches falls under the Information Security Incident Management controls (Control 13.1).
- Encryption is one of the main tools covered by the policy on the use of cryptographic controls (Control 12.3.1).
- Restoring information after a security incident is key to understanding Information Security Incident Management (Control 13) and Business Continuity Management (Control 14). It is highly relevant that the GDPR includes the ongoing resilience of systems.
- Finally, compliance with current Data Protection regulations is itself a specific control (Control 15.1.4).
These correspondences are only an outline of the strong relationship between the RGPD and the ISO 27001 standard. There are also common points within the ISO 27002 controls on Organization of information security (Control 6) regarding the access authorization procedure, the assignment of responsibilities, confidentiality, and contact with authorities and third parties. Human resources security (Control 8) and access control (Control 11) likewise address the management of access to information, a crucial aspect of organizational management.
In conclusion, the near horizon shows a landscape in which organizations are called upon to become more aware of risk management and to build it into the workings of their own operations. Similarly, complying with the RGPD can be understood to entail implementing a large part of the procedures established in the ISO 27001 standard. As a starting point, we recommend reading our article “8 steps to successfully implement the ISO 27001 standard”.
Panel has been certified to the ISO 27001 standard since 2016, with annual renewals. You can check our certificates in the Quality and methodology section.