I'm part of a team that is working to achieve ISO 27001 certification for a government datacenter (this is the scope of the current project).
I am interested to know what the common grounds (mapping) between ISO 27001 and GDPR would be for this project.
What areas do we have to focus on to ensure that we are compliant with both GDPR and ISO 27001? What documentation would be required by the certification examiners?
Thank you in advance.
1 - I am interested to know what the common grounds (mapping) between ISO 27001 and GDPR would be for this project.
Answer: There are many points where the ISO 27001 standard can help achieve compliance with GDPR. Here are just a few of the most relevant ones:
- Risk assessment (clause 6.1.2), to support the classification of information (control A.8.2.1)
- Compliance, through control A.18.1.1 (Identification of applicable legislation and contractual requirements) and control A.18.1.4 (Privacy and protection of personally identifiable information)
- Breach notification, through control A.16.1 (Management of information security incidents and improvements)
- Asset management, through controls from section A.8 (Asset management)
- Privacy by Design, through controls from section A.14 (System acquisitions, development, and maintenance)
- Supplier Relationships, through control A.15.1 (Information security in supplier relationships)
For further information, see:
- What is EU GDPR and how can ISO 27001 help? https://info.advisera.com/27001academy/free-download/what-is-eu-gdpr-and-how-can-iso-27001-help
- Diagram of EU GDPR & ISO 27001 integrated implementation https://info.advisera.com/eugdpracademy/free-download/diagram-of-eu-gdpr-and-iso-27001-integrated-implementation
The ISO 27001 family of standards has a specific standard called ISO 27701, which is based on ISO 27001 and defines a Privacy Information Management System; one of its annexes presents a mapping between ISO 27001 and GDPR.
For further information, see:
- Relationship between ISO 27701, ISO 27001, and ISO 27002 https://advisera.com/27001academy/blog/2019/12/10/relationship-between-iso-27701-iso-27001-and-iso-27002/
2 - What areas do we have to focus on to ensure that we are compliant with both GDPR and ISO 27001? What documentation would be required by the certification examiners?
Answer: First, it is important to note that certification is applicable only to ISO 27001. Certification auditors will look for GDPR-related documentation only if this regulation is identified as part of the ISMS scope.
Considering that, for ISO 27001 certification you need to cover clauses 4 to 10 and the controls from Annex A identified as applicable as a result of the risk assessment and of legal requirements. For a certification audit, the following article will show you the documents auditors will be looking for:
- Checklist of mandatory documentation required by ISO 27001:2013 (PDF) https://info.advisera.com/27001academy/free-download/checklist-of-mandatory-documentation-required-by-iso-27001
Regarding GDPR, the following article will show you the mandatory documents:
- List of mandatory documents required by EU GDPR https://advisera.com/articles/list-of-mandatory-documents-required-by-eu-gdpr/
To see what documents compliant with ISO 27001 and GDPR look like, please take a look at the free demo of our EU GDPR & ISO 27001 Integrated Documentation Toolkit at this link: https://advisera.com/eugdpracademy/eu-gdpr-iso-27001-integrated-documentation-toolkit/
Aug 31, 2020