The banks of the River Shannon provided the ideal backdrop for the third leg of the ISO 27001 Roadshow as we stopped off in Athlone, Co. Westmeath, for another full house at our seminar on GDPR and ISO 27001. Once again, we were joined by Brian Honan from BH Consulting and our very own Michael Brophy, CEO of Certification Europe, with special guest speaker Thomas Cox from Intuity.
The purpose of the seminars is to shine a light on what GDPR is and how businesses will need to adapt, and to show what organisations like Intuity are doing to get ready for the May 25th deadline.
Dirty Four-Letter Word
Brian Honan started the seminar by discussing the dirty four-letter word in information security right now: GDPR. Brian discussed the severity of the fines and how they will be enforced by the Data Protection Commissioner. Fines for an organisation that breaches GDPR will be 20 million euro or 4% of annual turnover.
Brian highlighted that this is not a software fix. You cannot buy off-the-shelf software to protect data and say you're ready for GDPR. This is a challenge from management down, as the human factor needs to be addressed, and that is where ISO 27001 comes in. The most common breaches organisations experience are not hacks but human error, and ISO 27001 puts measures in place to protect data from errors made by staff and to help protect data assets from external threats.
Intuity's Journey to ISO 27001
This provided the ideal platform for our next speaker, Thomas Cox, HR Manager at Intuity, who has been a key member of their journey to ISO 27001 certification and has also taken the management system and improved on it throughout the company to improve efficiencies. Intuity first achieved ISO certification in 2011 and has gone from strength to strength by integrating the ISO standard across more of the organisation in recent years.
Thomas explained how ISO 27001 provides the platform to tackle the beast that is GDPR, and highlighted that Intuity will be prepared because many of the controls and policies in ISO 27001 are also in the GDPR legislation.
Thomas echoed many of the points Brian made about this being a people issue, not a software one. Thomas revealed that Intuity has set up an ISO Committee that rotates within the organisation to ensure staff are involved. To ensure all members of staff are trained up and aware of all policies and threats around data protection, they have incorporated data protection training and awareness into their performance reviews. This is an excellent example of a company buying into ISO 27001 and making it a part of the office culture instead of making it a separate task that needs to be ticked off.
Scope is everything
Our final speaker was Michael Brophy, CEO of Certification Europe. Michael focused on how ISO 27001 is perceived and how it should be viewed by organisations when it comes to securing data. In particular, Michael addressed the misconception that the scope of certification should cover everything within an organisation. Michael highlighted organisations such as Vodafone, which we also certify to ISO 27001, where the scope does not cover every aspect of the business.
Michael emphasised that the scope should be only what is important to you. This means reviewing your data assets, determining where the weaknesses are, and placing them within the scope. If needed, prioritise the assets that will be in the initial scope and then expand once certification has been achieved. This is where continuous improvement comes in, and it is now becoming one of the biggest and longest-lasting benefits to organisations that implement ISO 27001. The management system is designed to adapt to the business objectives, and as they change, ISO 27001 changes along with them.
The seminar concluded with a lively Q&A session followed by in-depth one-to-one consultation sessions with attendees who wanted to know more about implementing measures to prepare for ISO 27001 and what is involved in certification.