ISO 27001

An international standard that outlines the requirements for an information security management system (ISMS). It provides a framework for managing sensitive company information so that it remains secure.

The standard is intended to help organizations to protect their information assets, such as financial information, intellectual property, employee details, and information entrusted to them by third parties.

The standard is based on a risk management approach, and it provides a systematic approach for identifying, assessing and treating information security risks. It is a process-based standard, which means it focuses on the management of processes within an organization that contribute to the overall security of the organization’s information.

ISO 27001 is divided into two main sections. The first is the management section, which sets out the requirements for the ISMS and for managing the system; the second is the technical and operational section, which sets out the specific security controls that must be implemented to protect information assets.

The standard requires organizations to implement a set of security controls that are tailored to their specific risks, and to regularly review and update these controls. It also includes requirements for incident management, business continuity management, and compliance with legal and regulatory requirements.

ISO 27001 certification is achieved by undergoing an audit by a certification body, which verifies that the organization’s ISMS conforms to the standard. Once certified, organizations must maintain compliance with the standard through regular internal audits and a surveillance audit every year.

GDPR

The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It came into effect on May 25, 2018, and replaces the 1995 Data Protection Directive. GDPR applies to companies that process personal data of EU citizens, regardless of where the company is located.

GDPR sets out specific rights for individuals with respect to their personal data, including the right to access, the right to rectification, the right to erasure (also known as the right to be forgotten), the right to data portability, the right to object to processing and the right to be informed about data breaches.

Under GDPR, companies are required to appoint a data protection officer (DPO) if they are a public authority, if they carry out large scale systematic monitoring or if they process sensitive data on a large scale.

In terms of data protection, GDPR requires companies to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. This includes implementing measures such as encryption, regular backups and monitoring for data breaches.

Companies are also required to conduct a data protection impact assessment (DPIA) if the processing of personal data is likely to result in a high risk to the rights and freedoms of individuals.

Violations of GDPR can result in significant fines, up to €20 million or 4% of the company’s global annual revenue, whichever is higher.

In summary, ISO 27001 deals with the overall management of sensitive information within a company, while GDPR focuses specifically on personal data of EU citizens and their protection.