With the increase in cyber-attacks and information security breaches – 72% of large UK firms identified an information security breach in 2018, a rise from 68% from 2017 – the importance of protecting both corporate information and that of customers and users has never been more apparent. With large scale data breaches being reported more frequently in mainstream media, the public's awareness of the topic is increasing the importance they place in the security of their information.
New laws and regulations such as the General Data Protection Regulation (GDPR) are also piling on the pressure. Aimed at protecting the public, these regulations require organizations to have adequate security measures in place to safeguard personal information and the rights of their customers, both existing and potential.
None of this will be news to information security professionals, but businesses with a more a laissez-faire approach to cybersecurity can no longer afford to see it as an unnecessary expenditure. Organizations need to invest in company-wide measures that result a consistent approach to cybersecurity across all departments, not just infrastructure and development teams.
Though businesses processing or holding personal information should already be following these rules, a good place to start when thinking about company-wide information security is through compliance with the GDPR and DPA. While neither regulation goes into specifics about what processes, tools or architecture should be in place, they are explicit in what is expected from that infrastructure in terms of how it protects personal information and the rights of its owners. It is up to individual businesses to design their architecture and processes around fulfilling these requirements – and being able to prove that this is the case.
The measures put in place to comply with the GDPR and DPA focus purely on protection of personal information, but what about the other areas of information security?
One of the most popular methods for addressing information security concerns throughout a business is the ISO 27001 Information Security Standard. An Information Security Management System (ISMS) will put in place processes that will help preserve the confidentiality, integrity and availability of corporate data and although it does not specifically address personal information, the identification of relevant laws and regulations with which compliance is required is part of the Standard. Under this, any organization processing Personally Identifiable Information (PII) would need to be compliant with the DPA (and/or GDPR).
Implementing an ISO 27001 Certified ISMS that complies with GDPR and DPA requires the following steps:
- Understanding the Organization – Identify and document what information is held and how it is used, as well as any external and internal issues that affect the needs and expectations of customers and suppliers.
- Culture of Security - To be truly effective, information security practices and concerns should be considered at all points in business operations, from planning to implementation and post-production activities. The top management team can facilitate this by instilling a culture of security which involves staff being aware of both their own and the company's responsibilities for information security.
- Continual Improvement - Part of this is ensuring that the right resources and tools are available in the first instance, but businesses should also be measuring and analyzing any changes, risks and opportunities in order to identify ways in which they can both enhance the ISMS and increase levels of Information Security across the organization.
- Incident Reporting - Should an information security incident take place, businesses must be prepared to notify those affected and report the issue to the relevant authorities. Incidents should be treated as learning experiences with data collected and analyzed to prevent similar issues from occurring in future.
- Security Controls - To comply with ISO 27001, businesses will need to define and implement information security controls describing specific behaviors and steps that must be taken in certain situations to ensure the information security is maintained. These controls look at a wide variety of areas from individual staff to suppliers, from the security of systems to a business's premises.
- Adjustments for GDPR Compliance - In general, attention should be paid to any area that mentions data or information, updating these areas with specific references to personal information and how it should be handled. Areas that businesses should consider include:
- The assignment of a Data Protection Officer (when required)
- Detailing whether, how and when Data Protection Impact Assessments should be performed
- Adjusting information storage, transfer and destruction policies to include reference to personal information
- Creating and maintaining a data inventory for personal information.
In conclusion, ISO 27001 is a fantastic resource for businesses who want to secure their corporate data, regardless of whether they have internet accessible systems or work with personal or sensitive data. Although it’s not designed specifically with the challenges of GDPR compliance in mind, it can easily be modified to do so with the appropriate knowledge.
An ISO 27001 ISMS which has been implemented both conscientiously and effectively will normally provide a suitable demonstration of an organization’s determination to comply with the information security requirements of GDPR and the DPA, although it is of course important to remember to address those aspects of those regulations which fall outside of the scope of ISO 27001.