British law firm Walker Morris, France’s Centre Technique de la Gendarmerie Nationale, Vodafone GmbH and the Bavarian Red Cross all have one thing in common: an internationally recognised certificate such as ISO/IEC 27001 which guarantees that a company or organisation is fulfilling its basic information security requirements and that its information management system is up to scratch. These requirements include all of the measures and documents required to provide optimum data protection, safeguard the integrity of operational data and secure the availability of a company’s IT systems, including its risk analysis and emergency plans.
The examples of the companies mentioned above show that it is increasingly important to consider data protection and especially data security, and that executives in a range of industries are seeing it that way. The EU’s new General Data Protection Regulation (active from 25 May 2018) stipulates the right to informational self-determination. International certificates like ISO/IEC 27001 help companies to assess the current status of their data and IT security, develop effective security standards and observe these standards in their everyday business.
But before we look more closely at the certificate, here is a quick update around data protection and data security, which are terms we ought not to confuse.
Data protection – the right to informational self-determination
The EU’s General Data Protection Regulation (EU GDPR) regulates basic rights in regard to processing personal data throughout Europe, thus establishing a new international benchmark. Data protection aims to guarantee every citizen the right to ‘informational self-determination’ and protect them against the improper use of their data; companies in Europe therefore have new duties around transparency and information. Key themes are:
- Confidentiality of data (it should not be accessible to unauthorised third parties)
- Data integrity (ensuring that data cannot be falsified)
- Data availability and how robust systems and services are.
Data protection and data security – what’s the difference?
Unlike data protection, data security aims to protect data against things like manipulation, loss and unauthorised access – regardless of whether the data can be ascribed to a particular person or not. Data security, therefore, is not about whether data is collected and processed – that’s the job of data protection – it’s about what steps are taken to protect data once collected. The term information security encompasses all kinds of saved information.
Data protection and data security are of course related. Facebook boss Mark Zuckerberg recently had to vigorously defend himself against accusations of data misuse, and has even publicly praised the EU’s General Data Protection Regulation, but at the same time admitted that it could take several years to rectify all of the data problems they have in their company.
The General Data Protection Regulation (EU GDPR) – global protection?
The EU’s new General Data Protection Regulation has assumed a globally leading role. It would be interesting to see how data-collecting companies in Europe implement this newly applicable law, because an important principle of data protection and the right to informational self-determination is data economy. Constance Bommelaer de Leusse, Senior Director of the International Internet Society (ISOC), states that this is precisely where many companies are lacking – when their top priority is not the protection but the collection of data.
Facebook has famously collected the data of around two billion users and its international headquarters are located in Ireland. Europe’s data protection laws are now stricter than the USA’s, so will they now apply to all Facebook users? After all, if companies contravene EU’s General Data Protection Regulation, they face multi-million euro penalties or up to 4% of their global turnover. Companies like Facebook and business network LinkedIn recently announced the relocation of their administrations – and responsibility for members, including their data. By this they hope to bar their non-European users from gaining the rights and litigation opportunities of EU citizens. Of their two billion users, only the 370 million European ones are to remain allocated to the headquarters in Ireland.
Structured and clear: how the ISO 27001 certification process works. The ISO/IEC 27001 standard describes the basic information security requirements which an organisation’s management system has fulfil.
Only if data protection and security standards apply internationally will they really apply.
The fact is that every single digital application generates data, and the quantities worldwide are phenomenal. As long as there are no uniform international data protection and security standards that apply to all businesses, data protection will remain a problem and the collecting, saving and managing of data will remain a potential security risk.
So what we need is an effective international structure which convinces businesses and firms to adhere to fundamental security standards. This is especially important against the background of new developments involving Industry 4.0. Only internationally recognised security management standards can lastingly ensure that business partners, customers and consumers have faith in new information technologies and systems.
Information security management: which organisations are actively working internationally towards information security?
At the moment there are various organisations dedicated to information security in Europe and the rest of the world, and they work together and exchange information. In the first instance, organisations and institutions act on a national level, such as Germany’s Federal Office for Information Security (BSI). On a European level, the European Union Agency for Network and Information Security (ENISA) is an important focal point / organisation, and on an international level there is the International Organization for Standardization (ISO).
The concept of information security, for instance, can be found in the IT baseline security catalogues issued by Germany’s Federal Office for Information Security (BSI) and in ISO 27001’s international certification, and aims expressly at protecting information. There are other international certifications applying to both people and products (such as the product certificate issued in compliance with the International Standard Common Criteria).
ISMS certification to ISO 27001 – Leading the way has benefits.
In 2013, an international case study by ENISA examined Security Certification Practice in Europe and surveyed private businesses of different sizes (between 11 and 5,000 staff). This study revealed that there are several good reasons and motives to strive for certification. As well as improving security quality management, another important motivation is to make staff aware of security as a subject and strengthen a company’s position in the market. The study also stated that, in most cases, direct expenditure for certification does not exceed the €10,000 limit. But one should bear in mind that the preparation period before the first audit, including stock-taking, which usually takes six to twelve months, also incurs costs which depend on the SME’s area of activity and digital progress level. Training may also be required, depending on the workforce’s level of knowledge.
It’s worth mentioning that all of the surveyed businesses stated that they are very happy they chose ISMS certification to ISO 27001 and would agree with the statement that the costs of audit and certification were relatively low compared with the level of benefits and profits for the company.
This satisfaction is obviously being talked about. Between 2015 and 2016, the number of ISO/IEC 27001 certifications issued worldwide rose by 20 percent, and 33,290 certificates have now been granted, according to the ISO. This is a positive development, since internationally valid IT security standards help to create sustainable solutions to the global challenges of digitalisation, data and the information explosion.