
ISO 27001 and GDPR: Similarities, opportunities, and mutualization


May 19, 2020

By Cedric C., Cybersecurity Consultant

During the International Cybersecurity Forum (FIC), one conference caught my attention: "ISO 27001 & the GDPR: Identifying Overlap and Streamlining Efforts," by OneTrust. Over the course of my career I had already noticed a number of similarities and opportunities between these two topics, which matter to businesses given everything that rides on them. As the conference format did not allow the subject to be covered in the depth I wanted, I decided to explore it further and formalize my ideas and analyses in this article.

Ensuring that an organization's processes remain compliant with the GDPR can be particularly time-consuming and resource-intensive, as can initiating an ISO 27001 compliance process for the implementation of an Information Security Management System. Pooling efforts between security and privacy teams is not only relevant but also recommended in order to optimize resources and compliance initiatives, particularly in terms of processes, methodologies, and tools. The objectives and certain guiding principles are, if not identical, very similar and interrelated. However, it is important to note that ISO 27001 compliance does not guarantee GDPR compliance.

Reminder

GDPR

The GDPR (General Data Protection Regulation), which came into force on May 25, 2018, regulates the processing of personal data of European Union residents. This new European regulation is in line with the French Data Protection Act of 1978 and strengthens citizens' control over the use of their personal data by extending their rights (information, access, consultation, rectification, deletion).

It harmonizes the rules across Europe through a single legal framework, requires security to be taken into account and integrated throughout the entire life cycle of personal data, from collection to deletion, and backs this up with heavy financial penalties for non-compliance (up to €10 million or 2% of worldwide annual turnover, and up to €20 million or 4% for the most serious infringements, whichever is higher). These obligations apply both to the companies concerned (controllers) and to their subcontractors (processors). The regulation also formalizes the role of the Data Processor and introduces that of the Data Protection Officer (DPO).

The ISO/IEC 27001:2013 standard

ISO 27001 formally specifies an Information Security Management System (ISMS) that corresponds to a set of activities related to managing information security risks. The ISMS is a comprehensive management framework through which the organization identifies, analyzes, and addresses its information-related risks. The ISMS ensures that security measures are refined to keep pace with changes in threats, vulnerabilities, and impacts. The standard covers all types of organizations (commercial enterprises, government agencies, non-profit organizations, etc.), all sizes (from micro-enterprises to large multinationals), and all industries or markets (retail, banking, defense, healthcare, education, government, etc.).

ISO 27001 does not impose specific security measures, as these can vary considerably from one organization to another. Organizations wishing to adopt the approach described in ISO 27001 are free to choose the measures that apply to their scope, drawing inspiration from those listed in Annex A of the standard (and detailed in ISO 27002) and possibly supplementing them with other measures from other standards. The key to selecting the applicable measures is to undertake a comprehensive assessment of the organization's information risks, which is an essential part of the ISMS.

ISO 27001 and GDPR objectives

Let's quickly review the respective objectives of these two texts, both of which are built around a continuous improvement process:

  • The objective of ISO 27001 is to secure information, i.e., to protect the organization from attacks related to its information assets.
  • The objective of the GDPR is to protect privacy, i.e., to protect individuals from infringements related to their personal data.

However, it should be noted that securing information assets is at the discretion of the organization wishing to protect them (ISO 27001 describes the most widely recognized approach for ensuring security over the long term, through the virtuous cycle known as PDCA, Plan-Do-Check-Act), whereas the GDPR is legally binding: any company processing personal data that falls within its scope is obliged to protect that data in a relevant and appropriate manner, taking into account the nature of the processing and the sensitivity of the data.

Despite their different purposes, the link between these two objectives is clear: both come down to protecting data. That data may be personal data entrusted to the organization by individuals (customers, prospects, employees, etc.), either because the organization's operations require it (HR processing, for example) or to enable it to provide a service (a subscription, a sale, etc.). Or it may be business and technical data (financial data, processes, know-how, trade secrets, etc.), whose purpose is generally to enable the organization to deliver those same services.

Logically, data protection principles are relevant in both cases, to protect the organization and the privacy of individuals. The logic of pooling efforts, whether human, organizational, or technical, is therefore obvious and particularly desirable.

Similarities and opportunities

Security criteria and risk assessment: the unchanging C-I-A triad!

Let's take a moment to expand on what was mentioned a few lines above. We cannot talk about data protection without addressing the fundamental concepts of information security, namely availability, integrity, and confidentiality. It is therefore natural that both ISO 27001 and the GDPR refer to these essential concepts.

Section 6.1.2 of ISO 27001 gets straight to the point: "the organization shall define and apply an information security risk assessment process" that "identifies risks associated with the loss of confidentiality, integrity and availability for information within the scope of the information security management system" and "identifies the risk owners."

Article 5 of the GDPR, which sets out the principles relating to the processing of personal data, already lists integrity and confidentiality alongside lawfulness, fairness, transparency, and purpose limitation. Article 32, devoted to the security of processing, logically goes further: the controller and any processor must implement measures to "ensure a level of security appropriate to the risk," including "the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services." Pseudonymisation and encryption of personal data are named explicitly, given their recognized effectiveness, as is "the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident," together with a process for regularly testing the effectiveness of the measures. As with ISO 27001, the GDPR imposes no particular technology: the measures are chosen in proportion to the risk, taking into account the state of the art and the cost of implementation.

Unlike ISO 27001, where the risk analysis of the certifiable scope is one of the prerequisites for implementing the ISMS, the GDPR only requires a formal risk analysis, the DPIA (Data Protection Impact Assessment, also known as a PIA or Privacy Impact Assessment, Article 35), where the processing is likely to result in a high risk to the rights and freedoms of natural persons: health data, large-scale geolocation, biometric data, constant monitoring of employees, data on vulnerable persons, etc.[1] Article 32 nonetheless expects every controller and processor to weigh the risks of their processing when choosing security measures, whether or not a DPIA is mandatory.

The risk assessment methods in use, the tools supporting them (whether Excel spreadsheets or specialized software recognized on the market), and the processes governing the practice can, for the most part, be shared fairly easily between security and privacy teams. The one adjustment that cannot be skipped is the impact scale: an ISMS risk analysis measures the consequences for the organization, whereas a DPIA must measure the consequences for the data subjects, so a shared risk register needs both dimensions.

Formal and permanent documentation

GDPR compliance and ISO 27001 certification require companies to shift from an oral culture to a written culture and often involve a genuine change management process with all the administration that this entails. The design and formalization of processes that are optimized over time, framing ways of doing things and often changing informal or even artisanal ways of working, is an absolute necessity for the success of both projects.

As such, no fewer than twenty security processes drawn from ISO 27002 are taken into account in the certification process (identity and access management, business continuity, backups, monitoring, vulnerability and incident management, document management, etc.) and must therefore be formalized, disseminated, and reviewed at regular intervals. In addition, ISO 27001 requires the organization to document, among other things, its information security policy (§5.2), its risk assessment process (§6.1.2) and risk treatment process (§6.1.3), including the identified risks, their owners, and the Statement of Applicability, its security objectives (§6.2), and "evidence of the monitoring and measurement results" (§9.1).

The GDPR requires each Data Controller to maintain a record of processing activities, which must include "a description of the categories of data subjects and of the categories of personal data" and, where possible, "a general description of the technical and organisational security measures" (Article 30); processors must keep an equivalent record of the processing carried out on behalf of their controllers (Article 30.2). Depending on the type of organization and its activities, this record can be substantial to establish and, above all, complex to maintain over time.

In both cases, adequate electronic document management (EDM) and relevant quality processes are essential for storing and maintaining this documentation over time, which is often a weak and yet underestimated point in organizations.

Data governance

The two topics discussed above show the clear benefit for companies of adopting a data governance approach. This term refers to the organization and implementation of the principles, processes, and procedures that govern data collection and use within a company. Smart data governance makes it possible to reduce and refine data collection, purposes, and retention periods from the design stage of processes, business applications, and other services, and then throughout the data lifecycle, by defining and optimizing where, when, and how data is handled, transmitted, stored, and deleted. These elements map directly onto the GDPR, through the obligation to maintain the record of processing activities mentioned above and the exercise of individuals' rights of access, objection, rectification, and erasure, but their value is not limited to that.

From a strictly security perspective, good data governance requires streamlining and optimizing data storage resources, technical safeguards in terms of integrity and access restrictions, as well as availability through measures such as backup management. All of these elements are essential for ISO 27001 and GDPR compliance.

Security & Privacy by design (and by default)

In both texts, security must be taken into account and implemented as early as possible in processes. This is a fundamental point of ISO 27001: the introduction to the standard states that "information security is considered in the design of processes, information systems, and controls" (§0.1), and control A.14.1.1 of Annex A requires that "the information security related requirements shall be included in the requirements for new information systems or enhancements to existing information systems."

Article 25 of the GDPR requires the controller to implement appropriate technical and organizational measures to protect the rights of data subjects, to ensure that, by default, only the personal data necessary for each specific purpose are processed, and to ensure that personal data are not made accessible to an indefinite number of natural persons without the individual's intervention. Confidentiality, and therefore identity and access management, is thus implicitly referred to here.

This article also states that "an approved certification mechanism pursuant to Article 42 may be used as an element to demonstrate compliance" with its requirements. ISO 27001 certification is the most obvious candidate to support such a demonstration, although it should be noted that it is not in itself a certification mechanism approved under Article 42, which is reserved for GDPR-specific schemes validated by the supervisory authorities. As the title of Article 25 indicates, under the GDPR data protection is mandatory by design and by default. The technical and organizational measures in place (or absent) at the time of a security breach will be taken into account by the supervisory authority when determining sanctions (Article 83), which brings us directly to the next point.

Security incident notification and management

Article 33 of the GDPR stipulates that in the event of a personal data breach, the Data Controller must notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Where the breach is likely to result in a high risk to those rights and freedoms, the Data Controller must also communicate it to the individuals concerned (Article 34).

Outside the scope of personal data breaches, companies are generally not required to report security incidents to an authority (apart from the legal obligation for operators of vital importance, OIVs, to notify ANSSI) or to their customers. However, as part of an ISMS, it is essential to have a system for managing information security incidents, as covered in Annex A of the standard (A.16, "Information security incident management").

In terms of process, the link is therefore obvious, as the notification obligation automatically entails the implementation of an incident management process. It should be noted that this process can also be adapted to handle complaints and disputes raised by individuals in the exercise of their legal rights.

Management and supervision of subcontractors

The importance of taking subcontractors into account and managing them within the GDPR is such that around ten of the twenty articles that make up the chapter are devoted to this topic (Chapter 4 - "Controller and processor").

Articles 28 and 29, in particular, address the relationship between the processor and the controller (verification that the processor provides "sufficient guarantees to implement appropriate technical and organisational measures," and processing carried out only on the documented instructions and under the authority of the controller). Keeping a record of processing (30.2), security at a level appropriate to the risk (32), and notification of a data breach to the controller (33.2) are among the requirements imposed on the processor, and the controller is directly responsible for monitoring them.

With regard to ISO 27001, in addition to the requirement that "the organization shall ensure that outsourced processes are determined and controlled" (§8.1), section A.15 of Annex A ("Supplier relationships") details the integration of security into supplier relationships, in order to protect the assets accessible to suppliers and to maintain an adequate level of security over time.

Efforts and processes related to generic requirements (security policy, contractual security appendices, etc.) or supplier control (monitoring, verification, auditing) can obviously be shared, whether working on ISO 27001 or GDPR compliance.

Definition of roles and responsibilities

To a lesser extent, as it is less relevant to mention the pooling of resources or processes in this case, governance within the company is an element common to both texts. Both provide for the identification of key positions and the appointment and clear identification of these individuals within the organization:

Within ISO 27001, for example, "top management shall ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated" (§5.3). It is therefore advisable for a company to appoint, if it has not already done so, a Chief Information Security Officer (CISO) or even a Chief Security Officer (CSO), together with an ISMS manager responsible for ensuring that the ISMS complies with ISO 27001.

Under the GDPR, each instance of personal data processing must fall under the responsibility of a Data Controller, defined as "the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data" (Article 4.7). Where the controller is a company, it is the legal entity itself that bears this responsibility; in practice it is carried by the head of the company, who may delegate its operational aspects but is never completely relieved of it.

The appointment of a Data Protection Officer (DPO) is mandatory for public authorities and bodies, and for any organization whose core activities consist of processing operations that "require regular and systematic monitoring of data subjects on a large scale," or of large-scale processing of so-called "sensitive" data (special categories of data) or data relating to criminal convictions and offences (Article 37).

The roles must be fully defined and formalized, with the relevant hierarchical levels and reporting lines in relation to the organizational structure. However, there are many different models. The size of the company, the number of subsidiaries or entities, and the governance model specific to the company's culture will determine the most appropriate organizational structure for the context (a CISO and a Group DPO leading a community of local CISOs and DPOs, delegation to a pilot entity to determine and experiment on behalf of all entities, etc.).

Standardization

The ISO committee has, of course, taken up these issues of comparison, rationalization, and even optimization of data protection topics: the ISO/IEC 27701:2019 standard, published in August 2019, aims precisely to extend ISO 27001 and ISO 27002 to privacy management by defining requirements and guidelines that enable the implementation of a Privacy Information Management System (PIMS). This standard includes a correspondence between:

  • The principles and privacy framework defined in ISO/IEC 29100;
  • ISO/IEC 27018 (protection of personal data in a public cloud);
  • ISO/IEC 29151 (code of practice for the protection of personal data);
  • The GDPR.

Since a PIMS is, in a way, an extended ISMS, ISO 27701 cannot be certified on its own: certification logically requires an ISO 27001 certified ISMS, which makes collaboration between ISMS and PIMS teams all the more obvious and relevant. It should be noted, however, that, as with ISO 27001 certification, such certification does not automatically mean full compliance with the GDPR, but it is certainly a more than solid foundation.

Conclusion

As we have seen, there is considerable overlap between the GDPR and ISO 27001. Since both address data protection and therefore information security, it makes sense that entire sections of each standard echo the other. This is a real opportunity for companies because, where GDPR compliance is mandatory and requires significant resources depending on the context, it is beneficial to be able to use, appropriate, and potentially adapt existing processes, methodologies, or tools that were previously reserved for the field of information security and give them a more global utility. This is a definite opportunity to bring together privacy and security teams that are not necessarily used to collaborating with each other. Similarly, the technical and security teams of a company wishing to initiate an ISO 27001 approach can now also look at what is being done from a GDPR compliance perspective and adapt this know-how to facilitate the creation and adoption of the processes necessary for an ISMS. Feedback, successes, and failures from each party should help with the start-up, creation, and sustainability of the elements essential for compliance.

It is important to note that efforts to streamline and pool information security and privacy protection have been undertaken at the ISO level, giving global reach to guidelines and requirements that have become essential for European companies since the advent of the GDPR. Any initiative aimed at unifying resources and methods, understanding their similarities and differences, and spreading the innovative concepts of the GDPR, their scope, and the changes in approach and culture they imply on a global scale is welcome to both decision-makers and operational staff, given the complexity of the issues and the detailed understanding required for effective implementation.


[1]https://www.cnil.fr/sites/default/files/atoms/files/liste-traitements-aipd-requise.pdf