ISO/IEC 27001
Information security management systems - Requirements
Overview
Specifies requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS). Provides a systematic approach to managing sensitive company information.
Applicability
Organizational security management and governance
Relevance to General Data Protection Regulation (GDPR)
Key Coverage Areas
Standard Sections & Chapters
Organizational controls
People controls
Physical controls
Technological controls
Policies for information security
Threat intelligence
Information security for use of cloud services
User endpoint devices
Privileged access rights
Information access restriction
Management of technical vulnerabilities
Related General Data Protection Regulation (GDPR) Articles
Article 24: Responsibility of the controller
ISMS foundation for security measures
Implementation Guidance:
Implement ISMS as foundation for security of processing
Article 28: Processor
Supplier security agreements
Implementation Guidance:
Establish security requirements in processor agreements
Mapped Obligations:
- Controllers must only use processors with sufficient guarantees for GDPR compliance
- Processors need written authorization before engaging sub-processors
- Processors must only process data on documented instructions from the controller
- Processors must ensure confidentiality of personnel handling personal data
- Processors must implement security measures per Article 32
- Processors must assist controllers with data subject rights requests
- Processors must delete or return all data after services end
- Processors must allow and contribute to compliance audits
- Sub-processors must be bound by the same data protection obligations
Article 32: Security of processing
Comprehensive information security controls
Implementation Guidance:
Implement appropriate technical and organizational security measures: pseudonymization, encryption, confidentiality, integrity, availability, resilience
Mapped Obligations:
- Implement technical and organizational security measures appropriate to the risk
- Consider pseudonymization and encryption of personal data
- Ensure ongoing confidentiality, integrity, availability and resilience of systems
- Regularly test and evaluate security measures effectiveness
- Ensure staff only process data on controller's instructions
Article 33: Notification of a personal data breach to the supervisory authority
Information security incident management
Implementation Guidance:
Implement incident detection and response procedures
Mapped Obligations:
- Controllers must notify the supervisory authority within 72 hours of becoming aware of a breach
- Processors must notify controllers without undue delay
Article 44: General principle for transfers
Information transfer policies
Implementation Guidance:
Establish policies for cross-border data transfers
Mapped Obligations:
- Both controllers and processors must comply with transfer requirements
Quick Information
- Organization: ISO/IEC
- Category: Information Security Management
- Certification: ✓ Available