Jumping through the data compliance hoops: Why ISO 27001 is the future for data communications
The last 12 months have seen some high profile – and dare I say pretty shocking – examples of consumer data breaches. The resulting media coverage and hype, together with the changing legislative environment, has led to unprecedented scrutiny of data security.
One response to this increasingly regulated and paranoid environment is to apply for ISO certification – namely ISO 27001. For the uninitiated, ISO 27001 specifies the requirements for an information security management system (ISMS) covering all aspects of how a business handles data and information. It is an essential certification for many businesses, and in particular for the data communications arena, for a number of reasons.
Demonstrating evidenced adherence to technical and organisational controls is no longer a ‘nice to have’; it is an essential function of any compliance department within a data communications business. At REaD Group, we have found that, increasingly, ISO certification has become a major focus – or in some cases a pre-requisite – for the procurement departments of our clients and potential clients.
It’s a tough, competitive market and data businesses need to raise their game. My analogy for this (and yes, it is a football one!) is that if you want to play in the premier league – and, surely, every business wants to be in the premier league! – holding this level of certification is now a requirement. Being able to prove to current and new clients your commitment to information security, and your independently verified adherence to it, could be the difference between winning the league and relegation.
Customers want to know where their data is going to be kept, how it is stored, managed and secured, and who is responsible for managing and securing it. If your vendor is ISO 27001 certified, you have the assurance that their processes are clearly defined, openly stated and, crucially, independently verified by a third-party auditor.
The certification of old – and I won’t mention names – just doesn’t ‘cut the mustard’ in terms of the information management controls required in this day and age, nor does it reflect the types of assets, information and rich data that are now collected and stored. And that is not just consumer data and information, but a wide range of business information as well.
The impending implementation of GDPR creates even greater urgency. Whether we adopt a full-blown version or the potential ‘lite’ version will depend on the outcome of the first set of working party stakeholder meetings, which have recently started; my views on this are probably better saved for a separate piece. Either way, we will be as prepared as we can be. I am confident that the controls included in ISO 27001 certification sit firmly alongside the stipulations of GDPR, specifically privacy impact assessments (PIAs, which the Regulation itself terms data protection impact assessments).
Achieving this level of certification requires significant investment but, in my view, ISO 27001 is essential to the future success of REaD Group, and it sets the bar for the future of due diligence in the data communications industry.
Andrew Bridges, September 2016
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.