Expert Advice Community


Implementation of GDPR & ISO 27001

Guest
Guest user Created:   Apr 21, 2021 Last commented:   Apr 26, 2021


Three questions related to the implementation of GDPR & 27001:

1. Which approach should be taken to the development of the Information Security Policy, taking into consideration that we already have three sources and three templates of this document?

  • 11.3.1_Information_Security_Management_Policy_20000_EN
  • 04.1_Information_Security_Policy_Integrated_EN, which is included in the folder 04_General_Policies part of the GDPR&27001 Toolkit
  • Information Security Policy to be generated via Conformio

2. How to approach the development of the remaining documents within GDPR&27001 Toolkit, because they are integrated with GDPR and those on Conformio are not integrated with GDPR? As you already know, we should develop/achieve an integrated GDPR&27001 package of documents at the end of the day.

3. Given the fact that we don’t have the obligation to assign a Data Protection Officer and create it as a job title, what other role would you recommend – would a Data Protection Controller’s representative or another approach be more suitable in order to comply with the requirements?


Expert
Rhand Leal Apr 21, 2021

1. Which approach should be taken to the development of the Information Security Policy, taking into consideration that we already have three sources and three templates of this document?

  • 11.3.1_Information_Security_Management_Policy_20000_EN
  • 04.1_Information_Security_Policy_Integrated_EN, which is included in the folder 04_General_Policies part of the GDPR&27001 Toolkit
  • Information Security Policy to be generated via Conformio

Considering the intention of compliance with both GDPR and 27001, the best approach would be to use the ISO 27001 & GDPR Integrated toolkit to implement ISO 27001 and GDPR, and not to use Conformio. Currently, the Conformio version is not designed to properly cover ISO 27001 & GDPR integration requirements.

2. How to approach the development of the remaining documents within GDPR&27001 Toolkit, because they are integrated with GDPR and those on Conformio are not integrated with GDPR? As you already know, we should develop/achieve an integrated GDPR&27001 package of documents at the end of the day.

Since ISO 27001 & GDPR integration requirements are not covered in the current version of Conformio, our suggestion is for you to use the ISO 27001 & GDPR Integrated toolkit to implement ISO 27001 and GDPR.

3. Given the fact that we don’t have the obligation to assign a Data Protection Officer and create it as a job title, what other role would you recommend – would a Data Protection Controller’s representative or another approach be more suitable in order to comply with the requirements?

If you don’t have a Data Protection Officer and you have no obligation to appoint one, you can assign GDPR compliance aspects to internal staff, naming the function GDPR representative or Data Protection assistant. Of course, it must be someone who has the knowledge to help the Controller comply with the regulatory aspects of GDPR.

Here you can find more information about the role of the DPO, which can also be useful for your internal staff in charge of compliance:

If you want to learn how to comply with EU GDPR requirements you may consider enrolling in our free training EU GDPR Foundations course: https://training.advisera.com/se/eu-gdpr-foundations-course//

Guest
Nadia Bojilova Apr 22, 2021

Thank you for your answers, but the answer to question 1 is not complete. Please clarify the following: if we use the ISO 27001 & GDPR Integrated toolkit to implement ISO 27001 and GDPR, how should we deal with the 11.3.1_Information_Security_Management_Policy_20000_EN, whose structure and contents differ from the 04.1_Information_Security_Policy_Integrated_EN? I assume it is not reasonable to have two IS policies - one in 20000 scope and one in 27001 and GDPR scope.

Expert
Rhand Leal Apr 26, 2021

First of all, sorry for this situation.

By your question, I’m assuming you are also implementing ISO 20000.

Considering that, in case your ISO 20000 scope includes information that is in the scope of the ISO 27001 and GDPR implementation, the best approach would be to use the Information Security Policy from the ISO 27001 & GDPR Integrated toolkit, including in it the specific information from the ISO 20000 Information Security Policy.

If the ISO 20000 scope is not related to the information that is in the scope of the ISO 27001 and GDPR implementation, then you can use separate policies, because this way you would not define overly strict limitations in your ISO 20000 implementation.

This article will provide you with a further explanation about the integration of ISO 27001 and ISO 20000:

These materials will also help you regarding ISO 27001 and ISO 20000:
