We have recently seen an increased focus on the General Data Protection Regulation (GDPR) by certification body (CB) assessors when conducting ISO 27001 audits.  In the past, assessments have typically focused on whether organisations were registered with the Information Commissioner’s Office (ICO), whether they were complying with ‘Privacy and protection of personally identifiable information’ (ISO 27001 Annex A control 18.1.4), and whether they had developed and implemented a legal and regulatory register and a data protection policy.  More recently we have seen an expectation from CBs, understandably, for a more robust approach where:

  • GDPR is referred to in the stated ‘risks and opportunities’ (ISO 27001 Clause 4 and 6.1.1) including planning for the impact of Brexit/no deal Brexit and whether the organisation needs to take action under Article 3 (main establishment/territorial scope)
  • GDPR is taken into account under ‘Planning’ (ISO 27001 Clause 6)
  • Resources (and competencies) are assigned /made available to the data protection officer (DPO) role under ‘Support’ (ISO 27001 Clause 7)
  • A process is defined for dealing with all types of data subject requests (ISO 27001 Annex A Control 18.1.4) and the subject access request (SAR) process in particular
  • An information security breach process includes steps for notifying the ICO, i.e. ‘Reporting information security events’ (ISO 27001 Annex A Section 16)
  • Data transfers to non-EEA countries are addressed within ‘Supplier relationships’ controls (ISO 27001 Annex A Section 15 controls) and contracts. This links back to risks and opportunities (ISO 27001 Clause 4) and ‘Planning’ (ISO 27001 Clause 6) in terms of the impact of Brexit/no deal Brexit and the use of EU standard contractual clauses and whether these are sufficient, particularly to cover onward transfers within the supply chain.  The EU clauses and the GDPR Annex 2 commitments to security measures should also be formalised to safeguard internal, inter-group transfers
  • Security and privacy (i.e. privacy by design and default) are considered under ‘System acquisition, development and maintenance’ controls (ISO 27001 Annex A Section 14 and 6.1.5)
  • Personal data retention periods are specified under ‘Protection of Records’ (ISO 27001 Annex A Control 18.1.3).

Whilst it can be argued that all of the above measures are appropriate and part of adequate and sensible planning, it does represent a significant step change in the expectations of the CBs.