ISO 27001 is not GDPR

We destroy some myths and give 4 Key Facts

If someone says to you: ‘OK, we’ll get you GDPR compliant, we need to start you off with 27001’, or they say ‘ISO 27001 is the standard for, or the certification for, GDPR’, or ‘it’s focused on GDPR’, all of this is wrong.

We’ll set out why, we’ll destroy some myths, and we’ll highlight four Key Points along the way.

And stay with us, as we’ll give you some stunning statistics on the adoption of ISO 27001 in the UK and the European Economic Area. You’re going to be very surprised!

You can also watch our free video ‘ISO 27001 is not GDPR’, which is part of Privacy Kitchen – FREE video help with GDPR and all things Privacy. If you’re new to Privacy Kitchen, please do check it out – and click subscribe and notify to hear about awesome Privacy Kitchen videos.

ISO 27001 is not GDPR

First, we have to stress, we’re major fans of Security and anything that increases security – including ISO 27001, the international standard for information security.

But 27001 is not GDPR.  It’s not the starting point for a GDPR program, and it’s not focused on GDPR.  Let’s look at our first Key Point.

#1:  Different focus

Our first Key Point: while there’s some overlap, they’re focused on different things.

GDPR’s longer title clearly states it’s about:

‘the protection of natural persons [that’s living individuals to you and me] with regard to the processing of personal data and … the free movement of such data’

It goes on to set out many rules that you’ll be familiar with, such as:

  • providing appropriate privacy notices on collection,
  • only collecting for specified purposes,
  • having an EU Representative or a Data Protection Officer if you need one, and
  • basing your processing on one of the six core lawful grounds, perhaps an additional ground depending on what that data is.

None of that is in 27001.

Now, the first sentence in 27001’s introduction confirms that it’s there to:

‘provide requirements for establishing, implementing, maintaining and continually improving an information security management system’

Brilliant! It’s absolutely fantastic. But it’s not GDPR.

Together with 27002, it goes on to offer suitable controls to address security risks and create that system.

Again, let’s be very clear: Security is fundamental to Data Protection, particularly at this time when so many people are working from home.

But Security, as defined for 27001 and as generally used, looks at securing ‘Information Assets’ to reduce the risk to the organisation. And it covers not only personal data but also non-personal data, such as confidential information, intellectual property, etc. It’s far broader from a security envelope perspective.

Now, even when GDPR talks about Security, it’s not talking about information security in that way.

GDPR only talks about Security in terms of addressing the risk to individual data subjects from your processing of their personal data.  It’s far narrower from a security envelope perspective.  Think of it as Information Security for the purposes of Data Protection.

This brings us to our second Key Point.

#2:  GDPR’s 7 Principles

Our second Key Point is that GDPR sets out seven principles and there’s no mention of Security in six of them.

You can see the principles in full in Article 5 of GDPR, so we’ll just set out the official summary names here:

  1. ‘lawfulness, fairness and transparency’,
  2. ‘purpose limitation’,
  3. ‘data minimisation’,
  4. ‘accuracy’,
  5. ‘storage limitation’,
  6. ‘integrity and confidentiality’ – they really mean Security – and
  7. ‘accountability’.

Again, while Security is absolutely fundamental to Data Protection and it is one of GDPR’s seven principles, it is only one of seven principles, or just 14%.  The other six principles don’t talk about Security.

You might argue that ‘accuracy’ implies protecting integrity and hence it’s Security, but that’s really covered in the Security Principle anyway, because it specifically mentions integrity.

Let’s return to Risk for our third Key Point.

#3:  Different risk

The fundamental issue is the very different way that ISO 27001 and GDPR look at risk.

Sorry to say – GDPR doesn’t care about the risks to your organisation. GDPR only cares about the risks to the individual data subjects, to be specific: to their fundamental rights and freedoms. It’s a real outlier from the normal enterprise risk programs.

ISO 27002, which goes with 27001, confirms that it’s the risk to the organisation that’s the focus, comprised of, or derived from, the risk to its Information Assets. You can see confirmation of this different approach everywhere, for example in documents on Security, Privacy and Risk from the European Union Agency for Cybersecurity (ENISA).

Now, buckle up as our fourth Key Point is a belter!

#4:  Adoption vs Applicability

We checked and rechecked this data a number of times, because it’s so surprising.  Those active in the Security and 27001 arena that we’ve talked to about it are also stunned.

In practice, GDPR applies to every organisation in the EEA – and there are millions out there. On EU figures, in 2017, there were roughly 2.5 million ‘active enterprises’ in the UK and about 28 million active enterprises in the UK plus the EEA 30. GDPR applies to all 28 million active enterprises.

Now, the International Organisation for Standardisation, or ISO, which creates standards like ISO 27001, released a survey showing the number of valid certificates to organisations for various standards, including 27001 by country in each year.

In 2018, in the EEA and the UK combined, there were just 10,661 certificates for 27001 in issue to organisations.  There were 28 million organisations or active enterprises, so that’s an adoption rate of just 0.04%.

You can see more in our deeper dive on these figures, but here are some more surprising stats based on those EU business population figures, and the ISO’s 2018 Survey:

  • Nearly half of the EEA 30, 14 countries, had fewer than 100 organisations with ISO 27001 certificates in 2018.  Portugal had just 85 for example, Denmark just 48.
  • And only 12 of that EEA 30 had more than 200 organisations with certificates, and only two had over 1,000 certificates.
  • The UK, which of course is no longer in the EEA, had the most – it had 2,444 certificates.
  • With its 2.5 million active enterprises, that made the UK one of only three countries in the old EEA 31 to get above just 0.1 per cent adoption.
  • The UK had more than twice the next country, which was Germany, on 1,057 certificates.
  • With their 28 million active enterprises, that gives Germany 0.04% adoption for 27001, which as we saw is the ‘EEA 31’ average.

We’ve relied on the ISO’s own figures and on the EU figures on business populations – and they may have a margin of error.  However, on these figures, at 0.0X% adoption in the EEA, ISO 27001 just doesn’t seem statistically relevant to discussions of a law that applies to every organisation.  It’s not speaking to 99.9%.

We feel quite badly about this, because we’re fans of 27001, and it has great lessons and best practices we can all learn from and emulate.  But these figures are shocking.

So there you go!

If someone says you have to have ISO 27001 to be GDPR compliant – we’ve seen our four points here – that’s not true.

If someone says ISO 27001 is the standard for GDPR, that’s not correct either.  (We’ll be doing another video on ISO 27701, which is an extension to 27001 that has GDPR in its sights.  Of course, it’s an extension to 27001, and looking at the adoption of 27001, that doesn’t sound like it’s going to be statistically relevant either.)

And if someone says 27001 is a great starting point for GDPR, we respectfully disagree. The right starting point for GDPR, and you can see our ‘10 Steps to GDPR Compliance’ video, is to do a personal data inventory. Find out where your personal data is, where it lives, how it passes through the data lifecycle in your organisation, who you share it with, etc. Then you can work out your gap analysis, move to remedy, and get into compliance.

Please do look at our other Privacy Kitchen videos, including ‘What is a breach for GDPR?’. And please do get involved: use #privacykitchen to tell us the questions and topics you want us to cover.

Stay well in the meantime and I’ll see you in Privacy Kitchen soon!

Links

GDPR

EU statistics on business populations

ISO on ISO 27001

ISO Survey
