News & Commentary on ISO Management System Standards

    GDPR, ISO 27701 and ISO 27001: a natural combination


    Many organizations, and not only those based in the EU, spent much time and money in 2018 on compliance with the General Data Protection Regulation (GDPR).  But what actions are needed now to ensure ongoing compliance?

    It’s not enough to have policies and procedures to demonstrate that you comply with requirements.  If there is a data breach or similar event, you will be challenged to demonstrate how your organization has maintained compliance on a continuing basis.

    How to Use ISO 27001 Audits to Manage GDPR Compliance

    ISO 27001, the information security management system (ISMS) standard, provides a natural home for your efforts to maintain GDPR compliance.  GDPR and ISO 27001 are mutually compatible - you can, for example:

    • Create compliance checklists for use in internal audits to produce objective evidence, which you can use in a court of law, if necessary, to demonstrate ongoing efforts to confirm and maintain compliance with regulations.
    • Include internal audits of personnel at their workstations, likely your greatest vulnerability, in the Internal Audit Programme, again providing objective evidence of a sincere effort to comply with regulations.
    • Incorporate your data protection policies and procedures into your ISMS.
    • Update information security risk assessments in light of incidents, breaches, or changes to processes.
    • Conduct periodic reviews of operations against GDPR, including any operational changes, new or changed information assets (e.g., a new server), and new or changed processes (e.g., a new product or service).

    If you’re not familiar with ISO 27001, get a copy and examine Annex A, which lists potential information security vulnerabilities and controls.  You’ll be surprised how often issues relating to GDPR are mentioned. You'll also find other articles we've published about ISO 27001 useful.


    What value does ISO 27701 add to your company's information security?

    The Standard ISO/IEC 27701:2019, Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines,  provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization.

    Note that ISO 27701 is an extension to ISO 27001, and, as such, it is not possible to be certified to ISO 27701 alone.  Being about protecting personal data, it is invaluable to ensuring compliance with GDPR requirements and managing it all under the 'umbrella' of an ISO 27001 information security management system.

    What if the California Privacy Rights Act (CPRA) or other international personal data protection legislation applies?

    Countries and states outside the EU, like California, have developed or are developing their own personal data protection legislation.  In these cases, ISO 27701 again facilitates establishing, implementing, maintaining, and continually improving an ISMS by embedding personal data protection requirements, e.g., the California CPRA (an amendment to the California CCPA), within a single ISO 27001 information security management system.


    Why a Multi-layered Approach to Information Security is Important

    You will want to consider ISO 27001 implementation anyway in light of successful ransomware attacks, which appear to be on the increase. Taking an ISO 27001 Course will help.

    An example from 2019 shows how catastrophic such an event can be. Norsk Hydro ASA (often referred to as just Hydro) is a Norwegian aluminum and renewable energy company with 35,000 personnel globally and headquartered in Oslo.

    The company bravely refused to pay the ransom and lost access to all their data worldwide - personal data, financial, customer, supplier, and all business data. 

    They had to revert to paper, with the help of retired staff, to continue to supply their customers.  After 6 months, they reported that the recovery was going well (note: not completed) and had cost more than US$50,000,000.

    Our recommendation: Implement and maintain an ISMS, incorporating ISO 27701 Guidance (to ensure compliance with the data protection directive requirements), get certified, and, after all that, sleep a little easier at night.


    Note: This post was first published in June 2019, revised and updated in November 2022.


    Written by Dr John FitzGerald

    Director & Founder of deGRANDSON Global. Spent 15 years in the manufacturing industry and 25 years training, consulting & auditing management systems