Data security: the differences between ISO 27001 and the GDPR

We live in an era of profound transformation in the IT field: think of the smartphones and tablets we use every day, or of the software that lets us complete in minutes activities that until a few years ago required hours of work.

The other side of the coin is that all these tools acquire and transmit information, including the sensitive data of their users. Guaranteeing the security of company networks against cyber attacks, and ensuring that work can continue, has therefore become a major problem for every company.

Information and personal data are a precious asset to defend for any organization. Protecting them in the best way means becoming aware of their existence and their importance and then considering the risks to which they may be exposed.

Once this path has been taken, all that remains is to adopt an organizational model that allows this data to be handled with maximum security. Without a program dedicated entirely to information security, company data can never be said to be truly safe: it will be at the mercy of individuals and processes, of the most disparate events, and of technology in the work environment that is probably obsolete and no longer able to provide adequate protection. And without the direct involvement of top management, even the best information security plans have, in the past, failed miserably.

What to do, then? Let's start from the beginning.

What is meant by "cyber security"? It is the process of securing the management of information that travels over computer networks, information that can be of very different kinds. Within an organization, thousands of pieces of information are managed every day, and this body of knowledge also has, of course, an economic value for the company.

Let's now see what the risks to information security could be. There are, of course, attacks by hackers, which have become increasingly frequent in recent years; there is cybercrime; and there are also ordinary malware and phishing, which everyone knows well because they are so widespread at every level. If you add to these risks employees and collaborators who do not know how to defend the company from such attacks, it is clear that the danger to your work grows exponentially.

For these reasons, many countries around the world have begun to approve legislation that regulates the ways in which organizations may collect and use customer and consumer data; this has become necessary in order to impose standards for the privacy and security of such data.

In this sense, a fundamental legislative act arrived on May 25, 2018, when the General Data Protection Regulation of the European Union came into force (GDPR, also abbreviated as RGPD and also known as Regulation (EU) 2016/679), which applies to all EU member states and to the European Economic Area (EEA).

Since then, further privacy regulations have emerged, and understanding what each of them requires, and which one sets the trend, is not always simple. For this reason we want to provide some clarity by explaining, for example, the difference between the GDPR and ISO 27001, which at first glance would seem to deal with the same subject.

What is the GDPR?

The General Data Protection Regulation is a binding standard that requires all companies operating within the EU, or collecting data from EU citizens, to comply with strict rules to protect that data. It encourages organizations to manage the security of their data in line with best practices, and it requires data controllers (companies that collect data) and any intermediaries (processors, i.e. companies that process data on behalf of others) to comply with the provisions of the regulation.

In a nutshell, the regulation requires organizations to be aware of the data they process and the purposes for which it is processed, to assess the risks that these processing activities entail, and to adopt security measures to minimize them.

Data breaches occur more frequently today than a few years ago, and the cyber security standards put in place earlier may no longer be sufficient to protect company information. This is why Europe has worked on the GDPR, which, unlike ISO 27001, focuses only on personal data and on the rights and freedoms of the individuals to whom that data relates.

What is ISO 27001?

The ISO 27001:2017 standard is an international standard for information security management systems that organizations can adopt on a voluntary basis. The standard was established by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2005 and was subsequently revised and reissued in 2013 and 2017.

ISO 27001 is designed to be applicable to all organizations that process data on behalf of third parties. It is intended to help organizations protect the confidentiality, integrity and availability of information and to protect data from cybercrime, misuse, theft and other factors that could put it at risk (for example, a fire).

ISO 27001 has a significantly wider scope than the GDPR, because it aims to protect not only the personal data collected and processed by the data controller or data processor but the organization's entire set of relevant information assets, such as data relating to projects and processes, customer master data, internal and external communications, intellectual property, trade secrets, and so on.

An information security management system is a structure of policies and procedures that includes all the controls involved in managing a company's IT risks. Following the standard's best practices helps organizations counter risks to data security, protect information, and identify the scope and any limits of their security programs.

The ISO 27001 standard sets out the requirements for establishing, implementing, maintaining and improving an organization's information security management system, so that companies meeting those requirements protect their information assets from data breaches.

All organizations able to meet the specifications of ISO 27001 can apply for certification from an accredited body, which will conduct an audit to verify the organization's compliance with the standard's requirements.

How do ISO 27001 and GDPR differ?

ISO 27001 starts from the principle that, in order not to be exposed to risk, information must be available only to authorized persons (confidentiality), must be kept intact (integrity), and must be accessible and usable at the request of an authorized person (availability).

The General Data Protection Regulation, on the other hand, aims at the protection of individuals, with particular regard to the processing of personal data, and prescribes that such processing comply with the principles of lawfulness, fairness and transparency. Even though their premises differ, the two documents are both important compliance standards with several points in common. Both aim to improve data security by reducing the risks of a possible breach and by pushing organizations to build an organized system that guarantees that security.

ISO 27001 is a voluntary certification that requires organizations to take a risk-based approach to the way they manage sensitive data. The GDPR aims to protect the personal data of EU citizens, and compliance with its requirements is mandatory for most organizations operating in Europe or dealing with EU citizens.

Both ISO 27001 and the GDPR focus on risk, and both direct organizations to identify specific risks and the controls that can bring those risks down to an acceptable level.

With regard to personal data, ISO 27001 incorporates encryption as part of business continuity management, together with the ability to restore data in a timely manner when necessary. Similarly, the GDPR treats personal data as something that every organization must strive to protect.
