Should a company immediately try and achieve ISO certification or implement the GDPR requirements first, in order to transfer to ISMS via the build-up according to ISO 27001? Many companies are faced with this question.
In its native form, the ISO 27001 certification is more process-oriented in design. An important component of ISMS is an analysis for identifying risks and treating them accordingly. Also, the company must declare its position on the approx. 150 generally devised actions of the ISO standard. The standard does not however offer any specific recommendations for action, which means that the company needs to work out the details of implementation itself. This of course means a great amount of work; wrong interpretations are not excluded.
Based on the German IT baseline data protection, ISO 27001 is however designed to be action-oriented. The BSI (Bundesamt für Sicherheit in der Informationstechnik, German Federal Office for Information Security) takes the workload off the companies and evaluates typical risks itself – which means a comprehensive risk analysis is no longer necessary. But there is still a lot of work for the company. In order to implement the comprehensive basic protection, a large number of specific measures do in fact need to be implemented, which can involve a lot of work.
Both standards test the ISMS. In this process, the company needs to show evidence of procedures and rules with which it constantly controls, monitors and improves information security.
The GDPR also has a certificate in Art. 42 to certify that companies comply with legal data protection regulations. At the same time, Clause 4 clearly states that despite certification the company still has to comply with the other requirements of the GDPR conditions. Because certificates may only be issued by supervisory bodies or accredited certification authorities.
In principle, the ISO 27001 certification provides a good framework for meeting the requirements of GDPR. Building on that framework, it is important to analyse what requirements have already been met and what needs to be additionally built up.
We, the experts at Schleupen AG, will support your company too on its way to the introduction and implementation of a software-based GDPR and ISMS.
Just get in touch with us right away.