When assisting clients with General Data Protection Regulation (GDPR) compliance projects we are often asked why they should consider implementing an information security management system (ISMS) instead of simply implementing a range of technical controls, in order to comply with the much-discussed Article 32 of the GDPR.
An ISMS comprises the technical and organisational measures that need to be in place to make sure there is adequate security of personal data (held in hard copy or electronic form, or processed through the organisation’s systems) – as required by Article 32. An ISMS, however, goes further than just delivering the necessary technical controls.
Since the GDPR does not provide detailed guidance on what you should do to obtain an effective information security posture, an ISMS aligned to an international standard such as ISO 27001 is generally a good starting point.
4 Reasons why technical measures alone don’t prevent a data breach
There are several reasons why a set of controls on its own doesn’t provide the protection that an organisation needs, while an ISMS aligned to an international best-practice standard does:
1. Risks can be overlooked
Implementing layers of technical controls that aren’t based on a properly conducted risk assessment means that other important risks related to human error, negligence and process failures are often overlooked. Poor company processes and staff-related problems are known, common points of failure in data security. Many high-profile data breaches have resulted from staff negligence, ignorance or incompetence. An ISMS is based on the outcomes of regular and comprehensive, organisation-wide risk assessments.
2. Information is interconnected
Effective data security requires a commitment to information security across the organisation. The interconnectivity of information means that the entire business needs to adopt a culture of information security awareness – from the cleaners right up to the CEO and the board. An ISMS ensures that information security is entrenched in the business.
3. Threats are not static
Information security threats are constantly evolving and cyber attacks can take many forms. The only way to keep ahead of these growing and constantly changing threats is by adopting a programme that lends itself to continual review and improvement. Without an effective ISMS that can be continually updated and assessed, a set of technical controls can quickly become redundant and dysfunctional, and the organisation can lose track of what it had set out to manage.
4. Controls aren’t always implemented correctly
Even highly skilled information security professionals can get things wrong. We see this all the time during our client information security audits. Obtaining certification to a proven information security standard such as ISO 27001 helps the business to get an external, expert assessment of the efficacy of its information security plans, thereby making sure that the measures it has implemented are working.
As ISO 27001 evangelists, we always encourage our clients to consider achieving certification to ISO 27001. This is not only because of the numerous benefits presented by an independently assured ISMS but also because it can provide convincing evidence that an organisation has taken the necessary measures to comply with the data security requirements of the GDPR.
Through the all-encompassing approach of an ISMS aligned to ISO 27001, an organisation can protect all of its corporate information, intellectual property and personal data.