David Evans, QCS International’s Information Security consultant, explains what ISO 27001 is in the context of recent legislative changes and those who have been caught out on the wrong side of these!
What is ISO 27001? In short, it is the international standard that sets out the requirements for an information security management system (ISMS), which, if applied correctly, could save an organisation a great deal of money. Read on to hear why, and how to get started in developing your own system.
If you follow news and social media articles highlighting fines imposed on some high-profile organisations for cyber security breaches, you’ll notice that the Information Commissioner’s Office (ICO) isn’t afraid to use its powers. As awareness increases, business managers are exploring ways to manage not only their compliance obligations under the Data Protection Act 2018 (which supplements and applies the GDPR in the UK) but also the risks associated with global cyber threats, operational resilience and personal data.
In the news this week, the ICO has fined DSG Retail (Currys PC World and Dixons Travel) £500,000 after a computer system was compromised as a result of a cyber-attack.
The attacker installed malware on DSG’s system, collecting personal data during the nine-month period before the attack was detected.
The company failed to secure its systems, allowing unauthorised access to transaction details and to the personal information of approximately 14 million people held on its internal servers.
DSG breached the Data Protection Act 1998 (the legislation in force at the time of the breach, since replaced in May 2018) by having poor security arrangements and failing to take adequate steps to protect personal data. The vulnerabilities identified included inadequate software patching, the absence of a local firewall, a lack of network segregation and a lack of routine security testing.
Too late for DSG, but had they earlier established an ISO 27001 compliant information security management system, they would have been required to consider and implement controls addressing every one of the vulnerabilities identified: Annex A of the standard expects technical vulnerability management (patching), segregation in networks, and regular technical compliance review and security testing. What’s more, a certified system is subject to internal and external audit. What does that mean? It means that someone, for example a trained, competent auditor, would have checked that the information security controls were implemented, maintained and effective. The caveat a practitioner should keep in mind is that an audit confirms the controls exist and are operated as described; it does not replace technical testing such as penetration testing, which is why the standard expects that testing to be a control in its own right.
The ICO, the UK’s independent regulator for data protection, has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the General Data Protection Regulation (GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR) and Privacy and Electronic Communications Regulations 2003 (PECR).
Will the UK leaving the EU affect GDPR?
The General Data Protection Regulation (GDPR) is a recent data protection law which has applied in the UK since 25 May 2018. It is supplemented by the Data Protection Act 2018, which also includes measures related to wider data protection reforms in areas not covered by the GDPR, such as law enforcement and national security. The UK’s decision to leave the EU will not remove these obligations: the European Union (Withdrawal) Act 2018 sets out how existing EU law, including the GDPR, is retained as domestic law after Brexit.
How much are GDPR fines?
The ICO has a range of enforcement powers, including criminal prosecution and non-criminal enforcement, intended to change the behaviour of organisations that collect, use and keep personal information. Among these, the ICO can impose a civil monetary penalty (CMP) on a data controller or processor of up to £17 million (20 million Euro) or 4% of global annual turnover, whichever is higher.
What are the data protection principles?
The GDPR builds on earlier data protection law and sets out the main responsibilities for organisations.
Article 5(1) of the GDPR requires that personal data shall be:
- Processed lawfully, fairly and in a transparent manner in relation to individuals (lawfulness, fairness and transparency);
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (purpose limitation);
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation);
- Accurate and, where necessary, kept up to date (accuracy);
- Kept in a form which permits identification of data subjects for no longer than is necessary (storage limitation); and
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (integrity and confidentiality).
Article 5(2), the accountability principle, requires that “the controller shall be responsible for, and be able to demonstrate, compliance with” these principles. It is this last point that an ISMS addresses directly: a certified system produces the evidence that the security controls exist and are working.
Which brings me back to my original question, and perhaps poses a few more. What is ISO 27001? Yes, it is a way to save your organisation from potential monetary losses through fines and reputational damage, but it’s also a way to manage information security in your business.
A structured approach to information security through the application of ISO 27001 and its controls provides real benefits in operational resilience. It also gives you and your stakeholders confidence that you have a robust information security management system in place, independently certified and continually improved.
How do you implement ISO 27001?
The approach taken depends on the organisation, but an initial gap analysis will allow QCS to establish just where you are on the journey towards full conformance. Our consultants can support you through the early stages of setting things up, helping you establish an information security management system, assisting you with training and finally supporting you at the certification body audit. Just get in touch with us on 01236 734447.