Implementation of GDPR & ISO 27001
Three questions related to implementation of GDPR&27001:
1. Which approach should be taken to development of the Information Security Policy taking into consideration that we already have three sources and three templates of this document?
- 11.3.1_Information_Security_Management_Policy_20000_EN
- 04.1_Information_Security_Policy_Integrated_EN, which is included in the folder 04_General_Policies part of the GDPR&27001 Toolkit
- Information Security Policy to be generated via Conformio
2. How to approach the development of the remaining documents within GDPR&27001 Toolkit, because they are integrated with GDPR and those on Conformio are not integrated with GDPR? As you already know, we should develop/achieve an integrated GDPR&27001 package of documents at the end of the day.
3. Given the fact that we don’t have the obligation to assign a Data Protection Officer and create it as a job title, what other role would you recommend – Data Protection Controller’s representative or other approach will be more suitable in order to comply with the requirements?
Assign topic to the user
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more 
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
1. Which approach should be taken to development of the Information Security Policy taking into consideration that we already have three sources and three templates of this document?
- 11.3.1_Information_Security_Management_Policy_20000_EN
- 04.1_Information_Security_Policy_Integrated_EN, which is included in the folder 04_General_Policies part of the GDPR&27001 Toolkit
- Information Security Policy to be generated via Conformio
Considering the intention of compliance with both GDPR and 27001, the best approach would be to use the ISO 27001 & GDPR Integrated toolkit to implement ISO 27001 and GDPR and do not use Conformio. Currently, the Conformio version is not designed to properly cover ISO 27001 & GDPR integration requirements.
2. How to approach the development of the remaining documents within GDPR&27001 Toolkit, because they are integrated with GDPR and those on Conformio are not integrated with GDPR? As you already know, we should develop/achieve an integrated GDPR&27001 package of documents at the end of the day.
Since ISO 27001 & GDPR integration requirements are not covered in the current version of Conformio, our suggestion is for you to use the ISO 27001 & GDPR Integrated toolkit to implement ISO 27001 and GDPR.
3. Given the fact that we don’t have the obligation to assign a Data Protection Officer and create it as a job title, what other role would you recommend – Data Protection Controller’s representative or other approach will be more suitable in order to comply with the requirements?
If you don’t have a Data Protection Officer and you have no obligation to appoint one, you can assign GDPR compliance aspects to some internals, naming the function as GDPR representative, Data Protection assistant. Of course, it must be someone who has the knowledge to help the Controller to comply with the regulatory aspect of GDPR.
Here you can find more information about the role of the DPO which can be useful also for your internal in charge of compliance:
- How to hire the right DPO? https://advisera.com/eugdpracademy/blog/2018/08/27/how-to-hire-the-right-dpo/
- EU GDPR Data Protection Officer Course: https://advisera.com/training/eu-gdpr-data-protection-officer-course/
If you want to learn how to comply with EU GDPR requirements you may consider enrolling in our free training EU GDPR Foundations course: https://advisera.com/training/eu-gdpr-foundations-course//
Thank you for your answers, but the answer to question 1 is not complete. Please clarify the following: If we use the ISO 27001 & GDPR Integrated toolkit to implement ISO 27001 and GDPR, how to deal with the 11.3.1_Information_Security_Management_Policy_20000_EN, whose structure and contents differ from the 04.1_Information_Security_Policy_Integrated_EN. I assume it is not reasonable to have two IS policies - one in 20000 scope and one in 27001 and GDPR scope.
First of all, sorry for this situation.
By your question, I’m assuming you are also implementing ISO 20000.
Considering that, in case your ISO 20000 scope includes information that is in the scope of the ISO 27001 and GDPR implementation, the best approach would be to use the Information Security Policy from the ISO 27001 & GDPR Integrated toolkit, including the specific information from the ISO 20000 Information Security Policy in it.
If the ISO 20000 scope is not related to the information that is in the scope of the ISO 27001 and GDPR implementation, then you can use separated policies, because this way you would not define too strict limitations in your ISO 20000 implementation.
This article will provide you a further explanation about the integration of ISO 27001 and ISO 20000:
- How to implement ISO 27001 and ISO 20000 together https://advisera.com/27001academy/blog/2015/03/16/how-to-implement-iso-27001-and-iso-20000-together/
These materials will also help you regarding ISO 27001 and ISO 20000:
- How to integrate ISO 27001 and ISO 20000 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-integrate-iso-27001-and-iso-20000-free-webinar-on-demand/
- ISO 27001 vs. ISO 20000 matrix (PDF) https://info.advisera.com/27001academy/free-download/iso-27001-vs-iso-20000-matrix
Comment as guest or Sign in
Apr 26, 2021