Organisations have until 25 May 2018 to comply with the EU General Data Protection Regulation (GDPR). Among the things they need to do by then is carry out a risk assessment and put in place administrative and technical data protection controls proportionate to the risk to data subjects.
Risk assessments play a crucial part in establishing an information security management system (ISMS) because they identify relevant risks and help organisations deal with them. ISO 27001, the international standard that describes best practice for an ISMS, provides the framework for risk assessments and is aligned with the GDPR.
People, processes and technology
An ISO 27001-compliant ISMS presents a holistic approach to information security, providing protection on three levels: people, processes and technology.
This three-pronged approach helps organisations protect themselves from technology-based risks and other common vulnerabilities such as poorly informed staff or ineffective procedures.
Supported by top leadership, an ISO 27001-compliant ISMS is incorporated into your organisation’s culture and strategy, and is constantly monitored, updated and reviewed. This process of continual improvement helps organisations make sure that the ISMS adapts to changes – both in the environment and inside the organisation – and regularly identifies and reduces risks.
What does the GDPR say?
Article 32 of the GDPR states that “the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk”. This includes:
- Pseudoanonymising and encrypting personal data.
- Safeguarding the confidentiality, integrity, availability and resilience of processing systems and services.
- Quickly restoring the availability of and access to personal data after a data breach.
- Regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for safeguarding the security of the processing.
How Vigilant Software can help
Like the GDPR, ISO 27001 recommends that organisations encrypt personal data. The Standard outlines 114 controls that can be used to reduce information security risks. Since the controls that an organisation implements are based on the outcome of ISO 27001-compliant risk assessments, the organisation can identify which assets are at risk and require encryption to adequately protect them.
To determine the appropriate administrative and technical controls necessary to comply with the GDPR, organisations must first understand what personal data they process. This means creating a data flow map, which Vigilant Software’s Data Flow Mapping Tool can help with. Available in September, it simplifies the process of creating data flow maps, making them easy to review, revise and update.
The GDPR and ISO 27001 mandate that organisations conduct regular risk assessments. These help identify threats and vulnerabilities that can affect the organisation’s assets and give them the information they need to assure the confidentiality, availability and integrity of that data.
Our risk assessment software, vsRisk™, is fully aligned with ISO 27001 and helps companies deliver simple, fast, accurate and hassle-free risk assessments.