
ISO / IEC 38500 question

Guest user Created:   Jan 12, 2021 Last commented:   Jan 12, 2021


Do you have any thoughts on the ISO/IEC 38500?

Would we want to add this after our ISO/IEC 27001 that we are working on?

Also, in regards to the ISO 22301, does this complement the GDPR that we are working on?


Expert
Rhand Leal Jan 12, 2021

Do you have any thoughts on the ISO/IEC 38500?

ISO/IEC 38500 provides guiding principles for governance specifically directed for Information Technology. It can be used to help integrate business strategy, information technology, and information security initiatives.

For additional information, see:

Would we want to add this after our ISO/IEC 27001 that we are working on?

ISO 27001 does not require the implementation of any other standard, so the decision about the application of ISO/IEC 38500 would depend on the evaluation of potential benefits that can be achieved and the costs of implementing an additional standard.

Also, in regards to the ISO 22301, does this complement the GDPR that we are working on?

ISO 22301 is about business continuity and resilience of systems. It can help you to demonstrate compliance with security measures under Article 32 GDPR (which requires technical and organizational security measures) but it does not cover all GDPR requirements (i.e. the information to be provided to data subjects, or the respect of data subject rights are outside the purposes of ISO 22301 and they are the core of GDPR). GDPR refers to all data processing regardless of the form and it is not only about data security (yet it is crucial), it is also about information, transparency, and lawful processing.

For more information, see:
