End this summer by being prepared for next
As we move into Autumn, one of the jobs in many households will be to clean and pack away all the barbeque tools, garden furniture and toys, so they are clean and easily found when next summer comes around. Or, if you are like me, it’s a last-minute frantic runaround to squeeze everything away wherever I can find space before it gets really cold. I then won’t give any of these items a second’s thought for another 9 months.
Yet I know that I will regret this approach next year. I’ll spend the first barbeque of the season stressed and trying to locate all the tools before I can even think about cooking any food.
In the past, many organisations employed the same methodology when it came to ISO27001. It was often an eleventh-hour dash to tick all the boxes required to pass the audit, having not actioned anything since the previous one. Or, at least it used to be. Luckily, today the importance of security due diligence has grown, with most organisations placing it at the centre of their business operations. In parallel to this, the demand for ISO27001 certifications has also grown, as businesses want to demonstrate their capabilities around security controls and the effectiveness of the management systems which govern these.
However, 18 months since the GDPR came into effect, organisations’ data privacy functions present a slightly different picture. Although many organisations were caught somewhat by surprise by GDPR last year, they did manage to implement the required policies, processes and controls around data privacy (most of them at the last minute). Many organisations saw this as a point-in-time hoop that needed to be jumped through. It’s been 18 months since a lot of organisations have looked at any of their policies, processes and controls around data privacy, and they aren’t in a position to say how mature they are in this area. At Bridewell, we have noticed that organisations are less effective at providing a framework which monitors and continuously improves their data privacy processes on an ongoing basis. Essentially, an organisation’s governance around information security is often a lot more mature than its governance around data privacy.
ISO27701 Could Have the Answer
ISO27701 acts as an extension of ISO27001 and allows you to build a privacy information management system (PIMS) on the back of your existing information security management system (ISMS). ISO27701 enables you to include the processing of personal data in the scope and context clauses of your organisation, and to tailor risk assessments to account for factors affecting data privacy as well.
You may be more familiar with BS10012, as the ISO27701 framework is relatively new. At Bridewell, we have been building and implementing ISO27701 PIMS and integrating them into security management systems for years. We have built established methodologies, which we constantly refine, to do this.
Some organisations have suggested that our approach can only work when information security teams are also responsible for data privacy. However, this isn’t an opinion which we subscribe to.
As our director, Scott Nicholson says, “A data privacy function doesn’t need to sit as part of an information security team in order for the PIMS to operate effectively as part of the ISMS. But, when clearly defining the scope and context of the ISMS and PIMS, defining roles and responsibilities is pivotal. By doing this, we’ve actually found that organisations have benefited from leveraging the skillsets of both the security and data privacy teams to achieve a common goal.”
There’s never been a better time to formalise your data privacy governance by implementing a Privacy Information Management System. At Bridewell we think it’s PIMS o’clock…