GDPR and ISO-IEC 27001

INTRODUCTION

At the beginning we would like to point out that www.dsgvo-risiko.de does not carry out any ISO / IEC 27001 certification or training. Nevertheless, we offer our customers the opportunity during the implementation of DSGVO Data Audit & Forensics projects to integrate the leading international regulations in the area of information security management!

Why are we adhering to this set of rules with our services and solutions, even though it is not mandatory for most of our customers?

We see it as a very good guide that allows companies to periodically check themselves for stability in terms of safety management and thus also to meet the increasing technological standards and potential dangers.

However, companies can apply the rules without incurring the high cost of maintaining and maintaining ISO / IEC 27001 certification. The rules do really well the risk-based framework, which has strong similarities with compliance guidelines. It is intended to identify specific threats to information security and thereby minimize the risk to the company. It ensures more safety!

If one considers this set of rules and regulations as the basis for the GDPR, the next two levels of our risk pyramid are industry conformity and the preservation of trade secrets.

We therefore have the opportunity to accompany our customers step by step to the desired level:

1. PREVENTION AND DISADVANTAGE

We want to be impartial and the advantages and disadvantages of the ISO / IEC 27001 assessment certificate. Then we check how much it has to do with the GDPR and use it as a guide or clue for the introduction of data protection.

The benefits 🙂

  1. It is well known and has established itself as an international standard.
  2. The requirements are technically feasible and possible without the purchase of external resources.
  3. Experienced staff can at least be wooed.
  4. Literature is easy to acquire and offers a variety of opportunities to further educate in various courses and seminars.
  5. Providers for consulting, implementation as well as the recurring audit are available.
  6. It has a high marketing effect.

The disadvantages 🙁

  1. High personnel and costs (one-time and ongoing costs).
  2. Partly cumbersome, thereby allowing scope for interpretation.
  3. Test procedures are partly outdated and superficial (mainly manual paper work).
  4. Unless you are an IT service provider, therefore third-party data do not process or are not active in the energy sector, it does not have much impact on your business practices.
  5. Dependence on the test center to maintain the certificate as it otherwise can be uncomfortable.
  6. Although set out as a standard, deviations in the quality and care in the decrease are recognizable. Otherwise it is not possible to explain why cross-border certifications take place, although the possibility would exist locally.

2. WHY DO NOT HAVE IT ALL?

Very pragmatically, we look at the companies without making an assessment and distinguish them into 4 groups, as follows:

Group 1: Companies that have deliberately said YES!

The number of companies undergoing certification is increasing steadily. As the main reason we see that these deliberately came to the conclusion anyway already according to the requirements of ISO / IEC 27001 standard. For these companies the audit for the purpose of certification was a mere formality, which they mastered without hesitation after a successful preparation. These companies specifically market the certificate obtained. In most cases, it seems that the marketing and sales manager has benefited more from the certification than the IT manager involved.

Group 2: Companies that deliberately say NO!

Many companies take the framework of ISO / IEC 27001 as a matter of course, are guided by it and still strive for certification. Their reasons vary widely, from the lack of resources and budgets to the factor that you can not pull out any marketing advantage from. We also include companies that have not renewed a certification in this category. Obviously, management compares costs and benefits.

Group 3: Companies that do not know how close they are!

But we also identify companies that unconsciously work very close to the ISO / IEC 27001 standard. These are above all companies, which rely increasingly on modern service and CLOUD technologies. Many of the CLOUD functions already meet the required standards and the customer buys them with the use of the service.

Group 4: Companies that have different priorities!

Of course, there are companies that do not want or can not consider it because of their growth, geographic distribution or lack of interest. Interesting for us here is the parallelism, because in these companies also the implementation of the GDPR is extremely difficult. Obviously, it does not matter if the standard can be voluntary or is prescribed.

3. Does the DSGVO actually refer to an ISO / IEC 27001 certification?

ISO / IEC 27001 is being brought into context with the GDPR because of Article 32. Or rather, vice versa, since the order of appearance must also be considered. Of course, consultants in the field of ISO / IEC 27001 certification suggest that potential customers use this standard to comply with the GDPR. The DSGVO thus serves as another selling point.
But let’s take a closer look at the relevant Article 32:

  1. Considering the state of the technology, the implementation costs and the nature, scope, circumstances and purposes of the processing and the different likelihood and severity of the risk to the rights and freedoms of natural persons, the controller and the processor shall take appropriate technical and organizational measures to ensure a level of risk commensurate protection; These measures may include, inter alia:
    1. the pseudonymisation and encryption of personal data;
    2. the ability to ensure the confidentiality, integrity, availability and resilience of the systems and services related to the processing on a permanent basis;
    3. the ability to rapidly restore the availability of and access to personal data in the event of a physical or technical incident;
    4. a process for periodically reviewing, evaluating and evaluating the effectiveness of technical and organizational measures to ensure the safety of processing.
  2. In assessing the appropriate level of protection, account shall be taken, in particular, of the risks involved in processing, in particular destruction, loss or alteration, whether inadvertent or unlawful, or unauthorized disclosure or access to personal data transmitted, stored or stored other ways have been processed - are connected.
  3. Compliance with the approved codes of conduct referred to in Article 40 or an approved certification procedure referred to in Article 42 may be used as a factor to demonstrate compliance with the requirements referred to in paragraph 1 of this Article.
  4. The controller and the processor shall take steps to ensure that subordinated natural persons who have access to personal data process them only at the direction of the controller, unless they are under the law of the Union or of the Member States for processing Committed.

Our Conclusion from the Konnex DSGVO and ISO / IEC 27001

The third point of Article 32 refers to Article 42 as 'may be used as a factor' to confirm the fulfillment of the article as in point 1 (attention to the word: may). In practical terms, an existing certificate facilitates the work of the authorities in a review procedure and associates the risk-conscious handling of personal data when visiting the website, when visiting the company lobby, or on its stationery.

But risk-conscious data handling can also be used by companies without a certificate, as they implement the rules, adjust them regularly, document them properly and are technologically up-to-date. Thereby, they are actually implementing Article 32 and have taken note of the recommendation under point 3.

With an in-house standard in accordance with the regulations of ISO / IEC 27001, they only confirm to the authorities the use of a high safety standard in the second step. Anyway, it is to be assumed that you will not be spared the deeper insight into the happenings of your IT during a DSGVO exam.

The certificate will not prevent the authorities from looking behind the scenes in case of a violation. There is indeed the point 4 in Article 42, which actually distances the DSGVO from ISO / 27001 a lot!

We get it to the point: A certification as described in point 3 of article 32 should not be considered as an obtrusive recommendation by the authority! Obviously, there were advocates who wanted to have this enforced during the EU negotiations. However, the adversaries were able to ensure in Item 4 of Article 42 that an ISO / IEC 27001 certification does not constitute a clean bill of health. For companies, remains now the task to set a high standard in information security management. Whether certified or not it will have no effect on a penalty. If this were not the case, companies would acquire insurance against DSGVO violations together with the ISO / IEC 27001 certificate.

That is not possible!

4. Similarities or intersections of the DSGVO and the ISO / IEC 27001

We both faced to see the intersection between voluntary standards and the General Data Protection Regulation. It is less than expected in our eyes:

5. The GDPR implementation with and without ISO / IEC 27001 Certificate

Whether they have a certificate or not, companies must implement the GDPR throughout. The initial situation of a company can vary. We adjust to it and focus on the common goals of the customer. We describe the usual starting point and the possible objectives of our customers:

The company is ISO / IEC 27001 certified!

Their certification confirms that the customer has excellent basic data about his current situation in the company. Its IT infrastructure is transparently documented by various systems and does not require us to set up a basic foundation. It provides data and documentation, and we focus exclusively on the next level of our risk pyramid. With the GDPR Data Audit & Forensics we ensure the achievement and the receipt of the GDPR conformity.

The company has its own standard in Information Security Management!

This case is the same for us as an existing certification. Here, it has to be clarified whether the customer is seeking an ISO / IEC 27001 certification and would like to have a preliminary audit for the ISO / IEC 27001 certification in the course of the GDPR Data Audit & Forensics project. We compare the results of our GDPR Data Audit with the expectations of an ISO / IEC 27001 and help the company to correctly assess the chances of obtaining a certificate! However, if the customer still does not strive for ISO / IEC 27001 certification, our services are aligned to the GDPR conformity. That means its existing standard is used as a structure for our GDPR Data Audit & Forensics.

The customer has not renewed his certification!

Depending on the time of the loss as well as the data quality and timeliness of its existing documentation, we clarify where and how it is applied. We offer the necessary support in such companies in order to rebuild the basic foundation for a functioning GDPR conformity. This is then based on the rules of the ISO / IEC 27001 standard, but does not necessarily require certification.

The customer is a blank page because he had other priorities!

One until the entry into force of the GDPR legal condition, which, however, must be changed as quickly as possible. We create cartography for the entire company for such companies and also use the ISO / IEC 27001 regulations here so that these companies achieve the necessary transparency and pass a GDPR exam. Our GDPR Data Audit & Forensics Project provides clarity and will greatly reduce the GDPR risk!

We build the bridge between GDPR and the ISO / IEC 27001 standard!

In our Intelligent Risk Assessment and subsequent Intelligent Risk Management, we use our SIG (Standardized Information Gathering) and AUP (Audit Upon Procedure) tools. These include all exam questions from the ISO / IEC 27001 standard and enable us to compare and evaluate the actual state of the customer according to the requirements. The absolute advantage here is that our solution runs automatically and saves a lot of time and money. We hereby offer a very effective way to successfully implement the article 32 despite missing certification.