ISO/IEC 27701 Certification for the Data Protection Management System is available!

The pandemic has shown us the great opportunities of secure and compliant digitization. It opens new markets and customer segments. We can offer new products/services and customer experiences. Thus, it strengthens efficiency and a unique market position. With increased connectivity, virtualization (such as smart working, etc.), digitization of production (Industry 4.0), products and services (such as smart home, smart car, etc.) and big data, the demand for data protection and information security - the confidentiality, availability and integrity of data and services - are rising. Information security and data protection are essential for an ethical, resilient, digital and sustainable economy. However, at the same time, the risks are increasing. By the end of 2020, cybercrime is expected to cause €5.5 trillion more damage than drug commerce.

The ISO/IEC 27701 certification for a proven privacy and information security management system is available. It promotes a sustainable, efficient and effective implementation. The certification makes security and data protection awareness clearly visible and strengthens the trust of stakeholders.

Information Security and Data Protection – a Success factor

Technology and data offer many opportunities. They must be reliable and effectively protected. Data protection and information security are success factors of an accountable company management. Nevertheless, in 2019, security incidents for online and cloud services increased by 91.5% compared to 2018. Espionage/sabotage attacks increased threefold. 66% more data breaches were reported to European supervisory authorities. Fines of more than €410 million were issued. In this spring lockdown period there were more reports of data breaches, sophisticated phishing mails, unwanted encryption, complex cyber-attacks, etc. It affected organizations of all sizes and in all industries, as well as essential services (such as hospitals, telecommunication, social security and many more). Is your company well prepared and protected?

ISO/IEC 27701 –  the Data Protection Management System with Added value

The EU General Data Protection Regulation 2016/679 (GDPR) requires that appropriate technical and organizational measures are implemented by taking into account the risks in a demonstrable, effective and sustainable manner using state-of-the-art technology to protect personal data and to comply with these regulations (including the rights of the data subjects).

ISO/IEC 27701 is structured according to the common directive for management systems. It thus offers optimum support for a sustainable and efficient integration of data protection into an effective management system. It extends ISO/IEC 27001 for information security management to include additional technical and organizational measures (controls) and legal requirements. Although it is an internationally recognized standard, all requirements of the EU Regulation 2016/679 are taken into account as well.

Data Protection and Information Security: two souls in one heart

While data protection refers purely to the protection of personal data, information security takes into account all relevant assets of an organization. The protection of an organization’s assets, e.g. when using video surveillance, can pose a risk for the recorded data subject without suitable measures. ISO/IEC 27701 promotes the necessary integration of information security and data protection. Together they offer added value for the organization.

• Integration into context, policy and management:

  By integrating information security and data protection into the policy, objectives and strategies, information security and data protection become an added value for the organization. A secure and legally compliant digitization opens new markets and customer segments, increases efficiency and reduces costs. Thus, data protection takes a strategic role: away from being only a cost factor to accomplishing legal obligations and becoming a driver for sustained customer trust and success.

  Information security and data protection are becoming an integral part of the corporate culture through an active ownership and example set by management as well as by incorporating data protection and information security into all their decisions.

• Integration into the Processes (Planning and Operation):

  First of all, assets/values (e.g. product information/recipes, research data, confidential/sensitive data or special data categories) with the technologies used and implemented security measures are registered (extended records of processing activities). From this, possible risks, optimizations and emergency plans for security events are determined according to ISO 31000 (risk management). The security measures (controls) provide valuable support. Existing emergency plans of other management systems (e.g. environment, hygiene) and especially Business Continuity Management (ISO 22301) offer many synergies. Integrated into suitable processes, necessary measures are implemented efficiently and effectively. This uses synergies, saves costs and reduces risks. Thus, information security and data protection are taken into account at an early stage in every digitization, innovation and procurement process. Do your relevant suppliers provide an appropriate level of security and data protection effectively, verifiably and sustainably?

• Integration into the Resource management (Support):

  Systematic document management promotes traceability and proof of accountability. Appropriate resources, clearly assigned responsibilities and state-of-the-art competences support information security and data protection. Human error is the most common cause of security incidents. Therefore, continuous awareness as well as sufficient knowledge and competence of the collaborators and partners at all levels of the entire value chain are essential. Training and personal certification facilitate understanding and demonstration.

• Integration into the continual Improvement (Evaluation and Improvement):

  The General Data Protection Regulation also calls for a process of regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures in order to ensure security (Art. 32,1d). The integration of information security and data protection into the evaluation (with monitoring, status reports, audits, etc.) and the continual improvement of the management system strengthens an effective and sustainable implementation.

Use Synergies, save Costs, promote Efficiency and Effectiveness

ISO/IEC 27701 supports the integration of information security and data protection into a management system worldwide. Use synergies, save costs and increase efficiency and effectiveness!

• Promote the demonstrable implementation of the data protection regulations and security requirements,
• Protect the knowledge of the organization,
• Support reliable performance, corporate success and reputation.
• Certification according to ISO/IEC 27701 builds on ISO/IEC 27001. It facilitates the demonstration of an appropriate level of security and data protection worldwide, reduces the need for multiple audits and makes the commitment visible to external parties.
• Trust is strengthened.

You want to know more? Contact us here for more information.

Author

Further information

ISO 27701 (in Cooperation with CIS GmbH)

Blockchain Assessment (in Cooperation with CIS GmbH)

CIS as accredited certification partner for information security, data protection and IT services