On a chilly autumn morning, the Certification Europe ISO 27001 Roadshow started its eagerly awaited nationwide tour. The Roadshow began with a bang in Dublin with a full house at the Merrion Hotel in Dublin 2.
Representatives from multiple industries, spanning start-ups, SMEs and multinationals, attended the sold-out Dublin seminar. The objective of this and our upcoming seminars in Cork, Athlone and Belfast is not just to discuss what GDPR is, but to dispel the myths around information security and GDPR, while explaining how management systems such as ISO 27001 can assist in your journey to compliance.
The title was ‘InfoSec vs GDPR’, but the content of the presentations showed how protecting information in a systematic way is common to both.
Myth busting GDPR
Information security expert Brian Honan of BH Consulting began with a brief overview of GDPR. Describing it as “a four-letter word in management and IT”, he said there are many misconceptions around the regulation. Coverage to date has focused on fines for non-compliance and a sense of “how bad GDPR is going to be”. In fact, its origins lie in protecting personal data about individuals. “We all have a right to privacy… it’s a right we shouldn’t take lightly or surrender easily,” he said.
GDPR comes into force on 25th May 2018, but many organisations aren’t ready for it. (No one in the audience raised their hands when the MC, Emma Cooke of Certification Europe, asked if anyone was fully compliant with the regulation.) Fortunately, Brian provided some reassurance. “If you are compliant with current data protection law, you’re probably 85% compliant with GDPR. Forget about the fines. If you have a good data protection regime, or if you are using the principles of an information security management system (ISMS), you are well on the way to being compliant.”
An ISMS is where ISO 27001 comes in. Brian described it as an information security standard covering all information, whether in electronic or physical format. The process of reaching the standard starts with identifying where key data resides, assessing the risk to that information, and establishing policies around it. “That is important as any security framework because that sets the tone for the organisation,” he said.
The Revenue Commissioners and ISO 27001
During each of our seminars we will have guest speakers who have successfully implemented the ISO 27001 standard. ISO 27001 is helping them manage their data, which in turn helps to prepare them for GDPR.
Jason Farina, Revenue Commissioners
Jason Farina, team leader for IT Security and Forensics at the Revenue Commissioners, was our first speaker. He provided first-hand knowledge of what it takes to implement ISO 27001 and expand its scope to create opportunities to improve systems across multiple departments and manage data more effectively. The Revenue Commissioners are the first organisation in Ireland to become certified to the ISO 27001 standard. Jason described the standard as “a framework with best practice in a lot of areas. It covers nearly everything to do with IT.” In his presentation, he explained how Revenue used the standard and the resulting benefits.
The main reason for adopting ISO 27001 in 2009 was the move to 24/7 operations for its two public-facing websites, revenue.ie and ros.ie. Certification would ensure the sites could scale up while maintaining security. On the journey to certification, one of the most important steps was a gap analysis that looked at Revenue’s current state and where it wanted to be.
A critical part of becoming certified to ISO 27001 is gaining support from the top of the organisation – even if the IT team is ultimately driving the project. “You really need management buy-in from the start. A security operative trying to say, ‘you must obey this rule’ really doesn’t have the authority,” said Farina.
Although “scope creep” is a phrase most project managers dread, Farina said this is positive in the context of ISO 27001. Having done the certification work when developing an asset register, for example, it became much easier to extend that mindset to other parts of the Revenue Commissioners. “As a result, we’ve increased our security throughout the organisation,” he said.
One of the biggest factors in the successful implementation of the information security standard was acquiring management buy-in from the start. This paved the way for a smooth implementation process and successful certification, and also provided the foundation for continuous improvement from within the organisation, which is one of the key aspects of ISO 27001.
Once management came on board, the next step was informing all staff about ISO 27001; this was one of the biggest benefits for the Revenue Commissioners. “As staff move from section to section, they bring their knowledge of ISO 27001 with them. They raise the standard of security in every section by asking for security best practice. That has benefits for the internal culture and dealing with outside agencies,” he said.
ISO 27001 enables a security-aware culture
Certification Europe CEO Michael Brophy took up this theme. Usually, organisations first want to become certified to ISO 27001 to bid for tenders or meet contractual requirements. As time goes on, the certification starts having a wider impact on the culture. “People are now aware of the risks around information security. Senior management give it their time. Budgets are made available. That begins to filter out with conversations with contractors and customers,” he said. “People learn the vocabulary of risk and methodology of risk, and take it to other parts of the organisation. A rising tide lifts all boats.”
Michael Brophy, Certification Europe
Brophy dispelled the myth that pits information security and GDPR against each other. “It’s not one or the other. It’s the same thing: protecting information in a structured, manageable way,” he said.
A-la-carte security controls
He addressed the misconception that organisations need to apply all ISO 27001 controls everywhere. “Nobody does it all, and nobody does it across the whole organisation.” Instead, he likened the standard to an a la carte menu. Organisations identify their key risks and choose from the 134 controls those that apply to their needs.
Michael said it was wrong to assume the standard relates to IT only. Technology is a key element, but it covers areas outside the remit of an IT manager, such as staff awareness and training. He echoed Jason Farina’s point by saying: “an IT manager may volunteer to be the project manager for ISO 27001, but it needs buy-in from all parts of the organisation.” There is also no technical fix for ISO 27001. “This is a people, process and technology solution – in that order. You’ve got to have people who understand the risks. The technical solution is almost the last part,” he said.
The standard also becomes a framework that can apply to projects that don’t strictly fall under the information security umbrella. Consequently, that brings time savings and efficiency gains when dealing with legislative compliance, Brophy said. “You’re not starting with a blank sheet. You have a framework for recognising the risk and putting in place controls.”
The seminar reached its climax with a Q&A session that went on for over 30 minutes and could have continued through lunch. Questions spanned how data can be transferred from one organisation to another without consent, the auditing process for ISO 27001, and whether an organisation needs a data protection officer (DPO).
It is clear from this seminar that there is a growing demand to understand what must be done to demonstrate compliance with GDPR and what procedures can be put in place now to achieve that.
If you missed the Dublin seminar we still have FREE tickets available to attend the seminars happening throughout the country. The roadshow continues with events in Cork on Wednesday 18th October at the Clayton Hotel, Athlone on Thursday 9 November and Belfast on Thursday 16 November. More details and links to register are here.