ISO 27001:2013 and data protection law
What is the scale of the problem?
In 2015 PricewaterhouseCoopers released their 2014 survey on the Global State of Information Security and revealed that the number of reported information security incidents rose, on average, by 66% each year over a 5 year period. The survey also reported that, in 2014, the total number of reported security incidents had increased to 42.8 million across the world.
The UK Information Commissioner’s Office 2015/2016 annual report records that it received 16,388 reports of potential data security breaches during the year.
Meanwhile, in June 2016 alone, typical breaches being reported by databreaches.net included:-
- 360 million MySpace accounts hacked
- 45 million personal records stolen from domain host Verticalscope
- Archived paper copies of patient medical records in East Riding of Yorkshire lost by a private storage company
- 3000 patient medical records “inappropriately accessed” at West Wales General Hospital by a nurse
Clearly, our data is leaking at an alarming rate and organisations that have a duty to protect it could do much more.
EU & UK Law on data protection
The Data Protection Act has been in force since 1998 and lays down some principles for data security:-
- design and organise your security to fit the nature of the personal data you hold and the harm that may result from a security breach;
- be clear about who in your organisation is responsible for ensuring information security;
- make sure you have the right physical and technical security, backed up by robust policies and procedures and reliable, well-trained staff; and
- be ready to respond to any breach of security swiftly and effectively.
Moreover, the EU General Data Protection Regulation (GDPR) was ratified in April 2016. This regulation takes data protection to a significantly higher level, and organisations that hold personal data on citizens of member states have until 25 May 2018 to comply with it. The UK Information Commissioner’s Office has stated its opinion that, even if the Regulation isn’t passed into UK law, it will still be relevant for many organisations here. GDPR is designed to produce a Single Digital Market by harmonising the existing 28 sets of national data protection laws into one set of requirements. Fines for breaching GDPR are potentially serious for organisations that lose data and will be up to 4% of turnover, or €20 million, whichever is higher.
Who needs to comply?
Quite simply – any organisation that holds data that, on its own or along with other accessible data, can be used to identify an individual in the UK or the EU.
So what is ISO 27001?
ISO 27001 (formally ISO/IEC 27001:2013) is an international standard that provides a specification for an information security management system (ISMS), which is a framework of policies and procedures that includes all of the legal, physical and technical controls involved in an organisation’s information risk management processes.
The ISO 27001 standard uses a top-down approach to the management of data security risks, which can be used with all types of media for data storage. The specification defines a six-part planning process:-
- Define a security policy.
- Define the scope of the ISMS.
- Conduct a risk assessment.
- Manage identified risks.
- Select control objectives and controls to be implemented.
- Prepare a plan that shows how the controls manage the risks that have been identified.
ISO 27001 includes details for documentation, management responsibility, internal audits, continual improvement, and corrective action. The standard requires cooperation among all sections of an organisation. Although the 27001 standard isn’t prescriptive about information security controls, it provides a checklist of 114 measures that should be considered.
How can ISO 27001 help my organisation?
The PwC research paper analysed the 20 biggest data breaches during 2014-2015 with the aim of identifying what companies did wrong and what should be done to address the weaknesses. Victims generally had suitable technical controls over the information, such as firewalls, antivirus and similar safeguards, but these weren’t sufficient because technology, on its own, won’t protect data. An important finding of the survey was that none of the major victims were certified to ISO 27001 at the time of the data breaches. They were either not implementing ISO 27001 at all, or were failing to implement it fully. ISO 27001 goes beyond technical controls and takes into account training, awareness and the behaviours of the people in the organisation.
The British Standards Institute (BSI) has published a white paper that shows how ISO 27001 can provide a framework with which to comply with the EU General Data Protection Regulation. What’s more, BSI commissioned a research paper by the business school of Erasmus University that shows:-
- 87% of organisations with ISO 27001 are positive or very positive about its benefits
- 78% of certified organisations reported improved levels of legal compliance
- 56% of organisations reported a reduced number of security breaches
- 47% of organisations reported a reduction in downtime of IT systems
- 43% of organisations reported an increase in sales
How can I get advice?
The HSQE Department Ltd has years of experience helping companies to implement ISO management systems and so can reduce the time and cost needed to achieve certification. We can carry out gap analyses to identify what you need to do to comply with ISO 27001, help you to define a plan to implement any changes, guide the preparation of the Information Security Management System, carry out pre-certification checks on the compliance of your systems and manage the certification visit.