Having recently acquired this standard when it was published, I set to work analysing how it aligns with the ISO 27001 standard.
For many controls, little or no additional change is required beyond including the protection of personal data. For other controls, a specific focus on the lawful use and protection of personal data is clearly indicated. Separate Annexes are also provided for Controllers and Processors.
Most of the GDPR Articles relevant to controllers and processors are covered.
I have listed a few examples below (not an exhaustive list, just highlights):
Information Classification and Handling - Personal data needs to be included in your information classification scheme, and this can affect how it is labelled and handled throughout the entire information life cycle.
Information Backup - This should address the backup and restoration of personal data, access to that personal data, and ensuring that it is properly managed in accordance with the rights of the data subject - specifically under Article 15 (Right of Access by the Data Subject) and Article 17 (Right to Erasure).
Event Logging - Some log information may contain personal data; this should be assessed and removed if it is not needed or intended. A procedure should be in place to delete or de-identify this information.
Secure Development Policy - This should include a 'Privacy by Design and Default' focus when creating and developing systems that may be involved in processing personal data.
Protection of Test Data - It goes without saying, but personal data should not be used for testing purposes!
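The Event Logging item above calls for a procedure to delete or de-identify personal data that ends up in logs. The following is an added illustration of what such a procedure can look like in practice; it is not code from the original post or from the standard. It scans constructed sample log lines (assumed format, not from any real system) for two common identifier types, e-mail addresses and IPv4 addresses, and replaces each with a keyed HMAC-SHA256 pseudonym. The same input always yields the same token, so events for one user can still be correlated during an investigation, but the token cannot be turned back into the original value without the key. The function and sample names (`deidentify_line`, `SAMPLE_LOGS`, the key value) are my own assumptions.

```python
import hashlib
import hmac
import re

# Constructed sample log lines for the example; not taken from any real system.
SAMPLE_LOGS = [
    "2024-03-01T10:15:02Z INFO login ok user=alice@example.com ip=203.0.113.42",
    "2024-03-01T10:15:09Z WARN password reset requested for bob.smith@example.org from 198.51.100.7",
    "2024-03-01T10:16:00Z INFO health check ok",
]

# Patterns for the two identifier types handled here. A real procedure would
# be tuned to the fields the organisation's own logs actually contain.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def pseudonymise(value: str, key: bytes) -> str:
    """Return a short keyed pseudonym for value.

    HMAC-SHA256 with a secret key, truncated to 12 hex characters: identical
    inputs map to identical tokens (so events remain correlatable), while the
    original value cannot be recovered without the key.
    """
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return digest[:12]


def deidentify_line(line: str, key: bytes) -> str:
    """Replace e-mail and IPv4 addresses in one log line with labelled pseudonyms."""
    line = EMAIL_RE.sub(lambda m: "email:" + pseudonymise(m.group(0), key), line)
    line = IPV4_RE.sub(lambda m: "ip:" + pseudonymise(m.group(0), key), line)
    return line


def deidentify_logs(lines, key: bytes):
    """De-identify a sequence of log lines; lines without personal data pass through unchanged."""
    return [deidentify_line(line, key) for line in lines]


def contains_personal_data(line: str) -> bool:
    """Assessment step: does this line still carry one of the identifier types we handle?"""
    return bool(EMAIL_RE.search(line) or IPV4_RE.search(line))


if __name__ == "__main__":
    # The key is a placeholder for this example; in practice it would be held
    # separately from the logs and rotated under the organisation's key policy.
    key = b"example-pseudonymisation-key"
    for original, cleaned in zip(SAMPLE_LOGS, deidentify_logs(SAMPLE_LOGS, key)):
        print(cleaned)
        assert not contains_personal_data(cleaned), original
```

Two practical notes on this design. First, pseudonymisation of this kind still counts as processing of personal data under the GDPR if the key exists somewhere, so the key needs the same access controls as the original logs, and full deletion remains the simplest option where correlation is not needed. Second, the IPv4 pattern will also match dotted version strings or similar values; that false positive is harmless for de-identification but worth knowing about when the assessment step is used to decide what a log contains.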
Each of these would merit an article of its own. Already, this looks like a welcome development in the attempt to standardise the approach to managing the protection of personal data, and it would be useful for organisations that are already certified to ISO 27001.