ISO 27001: A very non technical systems focused standard
We hear that ISO 27001 is a non-technical systems focused standard. This may confuse most of us and create queries on how this standard may help organizations, including the maritime ones, achieve the EU General Data Protection Regulation (GDPR). ISO 27001 may include people, processes as well as IT systems. However, the keyword here is information; the standard is not focused on technical systems but on processes and on continuous improvement.
So, what is ISO 27001?
ISO 27001 is the best-known standard in ISO 27000 family which is the International standard for managing information security. It is a quite mature standard, but it has been around since 2005. The current version released in 2014. Specifically, ISO 27001 provides the requirements of establishing an information security management system (ISMS). An ISMS is a systematic approach to manage sensitive information to remain secure from cyber-attacks, hacks, data leaks or theft. In other words, an ISO 27001-compliant ISMS is not only information security best practice but also integral to demonstrating data protection compliance. In order to further enhance the preparedness of organizations for dealing with potential cybersecurity threats effectively, we need to apply for certification to the information security management systems (ISO 27001) standard. But, to achieve compliance with the ISO 27001 standard, organizations need to demonstrate a process-driven approach their ISMS as described in the seven general sections of ISO 27001 below.
ISO 27001: The seven key elements
ISO 27001: Why it is important to achieve EU GDPR compliance
The EU GDPR adopted on 8 April 2016 and replaces the EU Data Protection Directive. The Regulation will apply to all EU Member States and will come into force on 25 May 2018. The Regulation updates the current legislation as a result of digitalization and technological developments and increases harmonization in standards between EU member states. It aims to protect individuals from unauthorized use of their personal information from organizations and to be easy for data controllers around the world to follow.
Amid its application organizations will move towards the adoption of best–practice standards. The law agreed upon two years before, however businesses had 24 months to bring their systems into compliance with GDPR regulations. By meeting the ISO 27001 standard requirements, organizations may implement adequate and effective security measures, based on the outcomes of a formal risk assessment, to comply with the GDPR.
Specifically, in Article 32 of the GDPR, policies are outlined for the:
- Data encryption which is encouraged by ISO 27001 as the primary method to reduce the possibility of risks.
- Confidentiality, integrity, availability and resilience of processing systems and services
- Regular testing, assessment and evaluation the effectiveness measures for ensuring the security of processing.
- Risk assessments; Annex A defines that appropriate controls should be in place to address the identified risk in more details. The non-certification standard ISO 27002, which designed to help organizations implement ISO 27001, covers the aforesaid.
- Continuity in business management whereby controls help organizations keep vital information available in case of interruption.
- Legislative, regulatory and contractual requirements compliance.
- Asset management; this is addressed under ISO 27001 control A.8, which includes personal data as an information security asset.
Furthermore, EU member states have until 9 May 2018 to transpose the Directive on Security of Network and Information Systems (NIS Directive) ((EU) 2016/1148) into national law. NIS Directive aims to achieve a high common level of network and information systems security across the EU.
Does the ISO 27001 cover the requirements of EU GDPR?
Although some sections under the GDPR, such as the right of a data subject to have his or her data moved or deleted, are not controlled under the ISO27001, the standard may the most secure of all the related standards and may be the most applicable standard under the GDPR. Organizations are quickly implementing the standard in advance of the new law with ship operators worldwide to apply for certification to ISO 27001.
What are the benefits of ISO 27001 compliant ISMS in shipping
Implementing an ISO 27001 ISMS may assist shipping organizations to:
- Assure existing and potential characters, business partners and stakeholders
- Further enhance their reputation
- Enter into new agreements
- Avoid failures associated with hacking
- Comply with regulatory requirements such as the EU GDPR Directive
- Studyconducted by Ponemon Institute and sponsored by IBM Resilient found that the majority of organizations are not ready for GDPR:
- 77% of respondents do not have a formal cyber security incident response plan (CSIRP)
- Most countries surveyed do not report confidence in their ability to comply with GDPR.
- According to TMSA 3 Best Practice Guide (Element 13), Companies should implement procedures regarding security items concerning shore based installations.
Cyber security in shipping industry should be considered as part of a holistic approach throughout a ship’s lifecycle. SQE MARINE has created a clear pathway to cyber security, summarizing the various security best practices and controls that operators should consider implementing.
You may find further tips on how to help keep your data safe in the 2nd Quarterly Special FOCUS Edition, dedicated on Cyber Security!