L-R: Pat Breen TD, Minister of State for Trade, Employment, Business, EU Digital Single Market and Data Protection, Geraldine Larkin (NSAI Chief Executive), James Kennedy (NSAI Chairperson) with Gunter Bayer, CIO, vCloud.ie
National Standards Authority of Ireland’s (NSAI) ISO 27001 a key international business standard
The General Data Protection Regulation (GDPR) will come into force on May 25th 2018, and all companies operating within the EU (or outside the EU but with EU customers) are liable to large fines if their data collection and retention are found to be non-compliant. The regulation is being introduced to make it easier for individuals to find out what data of theirs organisations hold and how it is used. It also requires organisations to report data security breaches to information commissioners and increases fines for serious breaches to €20m or 4% of global turnover, whichever is larger.
“While the GDPR is the largest overhaul of data privacy in decades, it is important that businesses do not fear it,” said Pat Breen TD, Minister of State for Trade, Employment, Business, EU Digital Single Market and Data Protection. He added:
Indeed, for Irish companies, being able to demonstrate compliance with the Regulation will offer competitive advantage in domestic, European and international markets.
To ensure compliance, Irish companies can become certified to NSAI’s globally recognised ISO 27001 standard for information security. The certification provides a framework for companies to manage their data both online and offline.
Geraldine Larkin, NSAI Chief Executive said:
It’s important to note that while ISO 27001 isn’t a catch-all for GDPR compliance, it will provide an organisation with a pathway to compliance in terms of risk assessment, breach notification and asset management.
“By examining their people, processes and technology using ISO 27001, companies will be well-placed to defend themselves from not only technology-based risks, but other, more common threats, such as poorly informed staff or ineffective procedures,” she continued.
Does your business need ISO 27001?
“ISO 27001 forms the scaffolding required for companies to engage in best practice behaviours,” said NSAI’s Head of Business Excellence, Fergal O’Byrne. “They still have to do the hard work but, with a little help from NSAI, the time they commit to establishing best practice in cybersecurity will be time well spent.”
Regarding a business gaining ISO 27001 certification, O’Byrne said:
Typically it will take 6 to 9 months prior to an NSAI audit for a company to go through all the requirements of the ISO 27001 Information Security standard. This involves the organisation testing all of its systems, including hardware, protocols, access, password protections, encryption, training of staff and robust testing. Once a company is happy that the organisation is in compliance, NSAI will send in an auditor to audit the company against the requirements of the standard.
To become certified, the business must review in detail the requirements of ISO 27001, ensure it complies with them, undertake an internal audit of its systems, and ensure corrective measures are in place to close any gaps.