Discussion – ISO 27001 certification



From your research, discuss whether or not your organization has ISO 27001 certification. Outside of overall protection from cyber-attacks, describe, in detail, some other benefits your organization will achieve in obtaining this certification. If your company does not have this certification, how can they go about obtaining it?

Present your discussion post as if you were presenting to senior leaders of your company.

Please make your initial post and two response posts substantive. A substantive post will do at least TWO of the following:

  • Ask an interesting, thoughtful question pertaining to the topic
  • Answer a question (in detail) posted by another student or the instructor
  • Provide extensive additional information on the topic
  • Explain, define, or analyze the topic in detail
  • Share an applicable personal experience
  • Provide an outside source (for example, an article from the UC Library) that applies to the topic, along with additional information about the topic or the source (please cite properly in APA)
  • Make an argument concerning the topic.

At least one scholarly source should be used in the initial discussion thread. Be sure to use information from your readings and other sources from the UC Library. Use proper citations and references in your post.

Needed 1 page… with 2 responses

2019 14th Iberian Conference on Information Systems and Technologies (CISTI)
19 – 22 June 2019, Coimbra, Portugal
ISBN: 978-989-98434-9-3

How ISO 27001 can help achieve GDPR compliance

Isabel Maria Lopes
Polytechnic Institute of Bragança, Bragança, Portugal
UNIAG, Polytechnic Institute of Bragança, Portugal
ALGORITMI Centre, Minho University, Guimarães, Portugal

[email protected]

Pedro Oliveira
Polytechnic Institute of Bragança, Bragança, Portugal

[email protected]

Teresa Guarda
Universidad Estatal Península de Santa Elena – UPSE, La Libertad, Ecuador
Universidad de las Fuerzas Armadas – ESPE, Sangolqui, Quito, Ecuador
ALGORITMI Centre, Minho University, Guimarães, Portugal

[email protected]

Abstract — Personal Data Protection has been among the most discussed topics lately and a reason for great concern among organizations. The EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in 20 years. The regulation will fundamentally reshape the way in which data is handled across every sector. Organizations had two years to implement it. As many authors have noted, implementing the regulation has not been an easy task for companies. The question we aim to answer in this study is how far the implementation of the ISO 27001 standard might represent a facilitating factor for organizations seeking easier compliance with the regulation. In order to answer this question, several websites (mostly of consulting companies) were analyzed, and the aspects considered as facilitating are listed in this paper.

Keywords – regulation (EU) 2016/679; general data protection
regulation; ISO/IEC 27001.

I. INTRODUCTION

In recent years, data protection has become a forefront issue in cyber security. The issues introduced by recurring organizational data breaches, social media and the Internet of Things (IoT) have raised the stakes even further [1, 2]. The EU GDPR, enforced from May 25 2018, is an attempt to address such data protection. The GDPR makes for stronger, unified data protection throughout the EU.

The EU GDPR states that organizations must adopt
appropriate policies, procedures and processes to protect the
personal data they hold.

The International Organization for Standardization (ISO) / International Electrotechnical Commission (IEC) 27000 series is a set of information security standards that provide best-practice recommendations for information security management.

This international standard for information security, ISO 27001, provides an excellent starting point for achieving the technical and operational requirements necessary to reduce the risk of a breach.

Not all data is protected by the GDPR, since it is only applicable to personal data. This is defined in Article 4 as follows [4]:

“personal data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

The structure of the present work consists of an introduction,
followed by a desk review on the general data protection
regulation and the desk review of ISO 27001, the international
standard for information security. Section 4 focuses on the
research methodology. Before presenting the results the
discussion is made, focusing on the relationship between ISO
27001 and GDPR. The results of the study are presented in
section 6 and section 7 consists of the conclusions drawn from
the study. Finally, the limitations of this research work are
identified and possible future studies are proposed.

II. GENERAL DATA PROTECTION REGULATION

The enforcement of the GDPR on natural persons’ protection regarding personal data treatment and movement, which repeals Directive 95/46/CE of October 24 1995, poses innumerable challenges to both public and private entities as well as to all the agents whose activities involve the treatment of personal data.

Although the full application of the new GDPR was set for May 25 2018, the date from which Directive 95/46/CE was effectively repealed, its entry into force on May 25 2016 dictated the need to adapt to all the aspects changed or introduced by the regulation. Such adaptation of present systems and models, as well as of best practices regarding personal data treatment and protection by companies, is now an imperative stemming from the regulation in order to safeguard its full applicability. In Fig. 1, we can see all the stages which the GDPR has undergone.

The GDPR mandates a baseline set of standards for
companies that handle EU citizens’ data to better safeguard the
processing and movement of citizens’ personal data.

Authorized licensed use limited to: University of the Cumberlands. Downloaded on February 03,2021 at 04:05:03 UTC from IEEE Xplore. Restrictions apply.

2019 14th Iberian Conference on Information Systems and Technologies (CISTI)
19 – 22 June 2019, Coimbra, Portugal
ISBN: 978-989-98434-9-3

Figure 1. Stages of the GDPR [5]

According to author [6], the main innovations of the General Data Protection Regulation are:

1. New rights for citizens: the right to be forgotten and the right to a user’s data portability from one electronic system to
2. The creation of the post of Data Protection Officer (DPO).
3. Obligation to carry out Risk Analyses and Impact Assessments to determine compliance with the regulation.
4. Obligation of the Data Controller and Data Processor to document the processing operations.
5. New notifications to the Supervisory Authority: security breaches and prior authorization for certain kinds of processing.
6. New obligations to inform the data subject by means of a system of icons that are harmonized across all the countries of the EU.
7. An increase in the size of sanctions.
8. Application of the concept ‘One-stop-shop’ so that data subjects can carry out procedures even though this affects authorities in other member states.
9. Establishment of obligations for new special categories of
10. New principles in the obligations over data: transparency and minimization of data.

All organizations, including small to medium-sized
companies and large enterprises, must be aware of all the GDPR
requirements and be prepared to comply.

III. ISO/IEC 27001

Information security risks threaten the ability of organizations to reach their operational and strategic goals. Increasing diversification of the information security landscape makes addressing all risks a challenging task. Information security standards have positioned themselves as generic solutions to tackle a broad range of risks and try to guide security managers in their endeavors [7].

The ISO 27001 standard represents the international
framework for information security management.

The ISO 27001 standard has undergone continuous improvements over the years and stems from a previous set of standards, namely BS7799-2 and BS7799 (British Standards). In fact, its primary origin is a document published in 1992 by a department of the British government which established a code of practice regarding the management of Information Security.

The adoption of ISO 27001 results in the companies’
adoption of an adequate model to establish, implement, operate,
monitor, revise and manage an Information Security
Management System.

ISO 27001:2013 is part of an organization’s management system, based on a business risk approach, whose purpose is to build, implement, operate, observe, maintain and improve information security. The application of ISO/IEC 27001 allows the organization or company to benchmark itself against the competition and gives relevant information about IT security [8].

ISO 27001 outlines three essential aspects or ‘pillars’ of
effective information security: people, processes and
technology. This three-pronged approach helps organizations
defend themselves from both highly organized attacks and
common internal threats, such as accidental breaches and human
error [9].

The implementation of an information security management system according to ISO/IEC 27001 has the following advantages for organizations:

  • It enables the identification and elimination of threats and vulnerabilities;
  • It provides security and trust to all stakeholders (clients, partners and others);
  • It improves security awareness;
  • It increases the capacity to foresee, manage and survive a disaster;
  • It deepens the knowledge regarding the organization and its processes, assets and liabilities;
  • It provides real knowledge of the risk that the organization faces;
  • It ensures business continuity;
  • It contributes to a reduction in costs and to the improvement of processes and services;
  • It ensures compliance with the legislation in force;
  • It reduces costs associated with ‘non security’.

ISO 27001: 2013 provides specifications for information
security management systems along with practice [10].

ISO 27001:2013 has 14 security control clauses that contain a total of 35 control objectives and 114 controls [11]. The 14 security control clauses are as follows:

  • Information security policies,
  • Organization of information security,
  • Human resource security,
  • Asset management,
  • Access control,
  • Physical and environmental security,
  • Operations security,
  • Communications security,
  • System acquisition, development, and maintenance,
  • Supplier relationships,
  • Information security incident management,
  • Information security aspects of business continuity


The implementation of ISO 27001 implies a high commitment
to information protection, which represents a considerable level
of comfort for the organizations that interact with the certified

IV. RESEARCH METHODOLOGY

The use of a research method is paramount since it represents the means to an end. A research methodology does not look for solutions but chooses the way to find them, integrating knowledge through the methods which are applicable to the various scientific or philosophical subjects. Although there are several ways to classify them, research approaches are normally distinguished between quantitative and qualitative [12].

It is acknowledged that the choice of the method must be
made according to the nature of the problem being addressed.
Therefore, we considered it appropriate to follow a quantitative
research method (traditional scientific research), based on the
positivist rational thought according to which, through empirical
observations, we build theories (expressed in a deductive way)
that try to explain what is observed. Among the possible research
methods to use, we applied the content analysis.

Content analysis is a method which differs from the other research methods because, instead of interviewing or observing people, the researcher deals with pre-existing records and draws inferences from those records.

Content analysis is a research technique for the objective,
systematic, and quantitative description of manifest content of
communications. So that this description can be objective, it
requires a precise definition of the analysis categories, in order
to enable different researchers to use them and get the same
results. So that it is systematic, the whole relevant content must
be analyzed in relation to all the meaningful categories. Finally,
quantification allows the provision of more precise and objective
information concerning the occurrence frequency of content
features [13].

V. ISO 27001 AND GDPR

The similarities between the ISO 27001 framework and the GDPR requirements mean that organizations which certify to the Standard are already halfway to GDPR compliance.

The requirements of ISO 27001 are similar in many places to the GDPR, but whereas the Regulation only occasionally suggests specific practices (such as encryption), ISO 27001 clearly lays out what organizations need to do in order to remain secure [9].

Article 42 of the GDPR addresses demonstrating compliance with the regulation through “data protection certification mechanisms”. ISO 27001-compliant Information Security Management Systems follow a risk-based approach addressing the specific security threats faced by organizations, considering people, processes and technology [14].

How ISO 27001 can help meet GDPR requirements [15]:

1 – Assurance

The GDPR recommends the use of certification schemes
such as ISO 27001 as a way of providing the necessary assurance
that the organization is effectively managing its information
security risks.

2 – Not just personal data

ISO 27001 follows international best practices and will help
companies put processes in place that protect not only customer
information but also all the information assets, including
information that is stored electronically and in hard copy format.

3 – Controls and security framework

The GDPR stipulates that organizations should select appropriate technical and organizational controls to mitigate the identified risks. The majority of the GDPR data protection arrangements and controls are also recommended by ISO 27001.

4 – People, Processes and technology

ISO 27001 encompasses the three essential aspects of information security: people, processes and technology, which means companies can protect their business not only from technology-based risks but also from other, more common threats, such as poorly informed staff or ineffective procedures.

5 – Accountability

ISO 27001 requires companies’ security regime to be supported by top leadership and incorporated into the organization’s culture and strategy. It also requires the appointment of a senior individual who takes accountability for the ISMS. The GDPR mandates clear accountability for data protection across the organization.

6 – Risk assessments

ISO 27001 compliance means conducting regular risk
assessments to identify threats and vulnerabilities that can affect
organizations’ information assets, and to take steps to protect
that data. The GDPR specifically requires a risk assessment to
ensure that an organization has identified risks that can impact
personal data.

7 – Continual improvement

ISO 27001 requires that the companies’ ISMS is constantly monitored, updated and reviewed, meaning that it evolves as their business evolves using a process of continual improvement. This means that the ISMS will adapt to changes, both internal and external, as companies continually identify and reduce risks.

8 – Testing and audits

Being GDPR-compliant means that an organization needs to carry out regular testing and audits to prove that its security regime is working effectively. An ISO 27001-compliant ISMS needs to be regularly assessed according to the internal audit guidelines provided by the standard.

9 – Certification

The GDPR requires organizations to take the necessary steps
to ensure the security controls work as designed. Achieving
accredited certification to ISO 27001 delivers an independent,
expert assessment of whether organizations have implemented
adequate measures to protect their data.

The link between ISO/IEC 27001 and GDPR is [16]:

ISO/IEC 27001 and GDPR at their core have in common the
commitment to properly process and store the sensitive and
confidential data. Therefore, the implementation of the ISO/IEC
27001 comprehensive framework steers compliance with the EU
GDPR, as many of the EU GDPR requirements are covered by
ISO/IEC 27001. However, particular controls have to be
adjusted to address the protection of personal data within the
Information Security Management System.

If organizations already have an ISO/IEC 27001 framework
in place, they will not face duplication of effort, cost and time to
comply with the GDPR requirements.

The ISO/IEC 27001 certification supports organizations in
creating better business efficiency, safeguards the valuable
assets such as personal data, protects staff and organizations’
reputation, and simultaneously facilitates the attainment of
compliance objectives. Some of the GDPR requirements are not
directly covered in ISO/IEC 27001; however, ISO/IEC 27001
provides the means to push companies one step closer to
accomplishing conformity to the regulation.

If an organization is not ISO/IEC 27001 certified, the GDPR may be a good catalyst for considering the implementation of such a scheme for higher information protection assurance. Thus, by being ISO/IEC 27001 compliant, companies demonstrate that the data they own and use is managed in line with data protection regulations.

Does compliance with ISO 27001 guarantee GDPR
compliance [17]?

Certification with ISO 27001 can simplify the process of
achieving GDPR compliance. However, there are several
differences between these standards. The GDPR is a global
standard that provides a strategic vision of how organizations
need to ensure data privacy. ISO 27001 is a set of best practices
with a narrow focus on information security; it provides practical
advice on how to protect information and reduce cyber threats.
Unlike the GDPR, it does not directly cover the following issues
associated with data privacy, which are outlined in Chapter 3 of
the GDPR (Data Subject Rights):

  • Data portability,
  • The right to be forgotten,
  • The right to restriction of processing,
  • Right to object,
  • International transfers of personal data.

As we can see, the GDPR focuses on data privacy and the protection of personal information; it requires organizations to put more effort into obtaining explicit consent for data collection and ensuring that all data is processed lawfully. However, it lacks technical details on how to maintain an appropriate level of data security or mitigate internal and external threats. In this regard, ISO 27001 comes in handy: it provides practical guidance on how to develop clear, comprehensive policies to minimize security risks that might lead to security incidents.

Although conforming to ISO 27001 does not guarantee
GDPR compliance, it is a valuable step. Organizations
should consider pursuing ISO 27001 certification to ensure
that their security measures are strong enough to protect
sensitive data.

VI. RESULTS

According to the GDPR, personal data is critical information that all organizations need to protect [6, 14, 15]. Therefore, we analyzed the content of the 15 websites and, after the above discussion, we will summarily present some aspects which we believe deserve to be highlighted when assessing whether the implementation of ISO 27001 might be a facilitating factor for organizations to comply with the GDPR.

After analyzing the websites with regard to the following
statement: if the implementation of ISO 27001 identifies
personal data as an information security asset, we found that in
9 (60%) sites there is information agreeing with this statement
and in the other 6 (40%), there is no mention whatsoever to this
respect (see Fig. 2).

Figure 2. GDPR compliance.

Considering the aspects highlighted in the previous section for being in compliance with the GDPR through the ISO 27001 implementation, we can see in Fig. 3 the ones which were more or less focused on in the websites under analysis.

From Fig. 3, three aspects stand out as deserving most attention: People, processes and technology, which takes security beyond the people only; Certification, which proves that the measures were implemented in that organization; and Controls and security framework, which are paramount in any

Figure 3. How to be in compliance.

When analyzing the aspects which are highly detailed in the GDPR but barely focused on in ISO 27001, we found the data presented in Fig. 4.

Figure 4. Aspects highly focused on in the GDPR

The aspects which stand out are those concerning consent
and penalties. Data controllers have to prove that data subjects
have agreed to the processing of their personal data (Articles 7
and 8). The request for consent must be given in an easily
accessible form, with the purpose for data processing attached.
Data subjects also have the right to withdraw their consent at any

The GDPR establishes a sanction application framework
which is quite heavy on companies which do not comply with
the new data protection legislation requirements.

Lastly, is the ISO 27001 standard an excellent framework for compliance with the EU GDPR? The results regarding this aspect are presented in Fig. 5.

As we can see, 11 sites (73%) agree that the ISO 27001
standard is an excellent framework for compliance with the EU
GDPR, 3 (20%) do not mention this aspect, and only 1 (7%) of
the websites analyzed shows to be in disagreement.

Figure 5. ISO 27001 is an excellent framework for compliance with GDPR

From these findings, we can conclude that it is consensual
that although ISO 27001 does not comprise certain important
controls, its implementation is considered to be a facilitating
factor for organizations to be in compliance with the new
personal data regulation.

VII. CONCLUSIONS

The implementation of the GDPR by organizations should be seen in the context of achieving their business goals. There is a clear need to emphasize its benefits for organizations and the value it adds to business. It is absolutely wrong to understand the GDPR as another restriction on the operating environment. The GDPR is a tool for generating a strategic advantage based on trust between the organization, its employees, clients and partners [18].

The GDPR encourages the use of certifications such as ISO
27001 in order to show that the organization is actively
managing its data security according to international best

Our findings allow us to conclude that any organization that has already implemented or is in the process of implementing ISO/IEC 27001 is in an excellent position to show compliance with the new GDPR requirements.

The new regulation of data protection introduces a set of
rules, which require organizations to implement controls. The
implementation of ISO 27001 will help organizations respond to
these requirements.

As possible future work, we suggest assessing organizations by means of a survey on how far the certification of the information security management system under ISO 27001 grants companies’ compliance with the GDPR, since the implementation of an information security management system by a company must ensure that all the relevant controls for the containment of risks associated with confidentiality, integrity and availability are implemented and kept functional.

ACKNOWLEDGMENT

UNIAG, R&D unit funded by the FCT – Portuguese Foundation for the Development of Science and Technology, Ministry of Science, Technology and Higher Education. Project n.º UID/GES/4752/2019.

This work has been supported by FCT – Fundação para a Ciência e Tecnologia within the Project Scope:

REFERENCES

[1] J. Mäkinen, Data quality, sensitive data and joint controllership as examples of grey areas in the existing data protection framework for the Internet of Things. Information & Communications Technology Law 24, 3, 2015, pp. 262–277.

[2] J. R. C. Nurse, S. Creese and D. De Roure, Security risk assessment in Internet of Things systems. IEEE IT Professional 19, 5, 2017, pp. 20–26.

[3] T. Clements and S. Milton, Maintaining Data Protection and Privacy Beyond GDPR Implementation, ISACA, 2018.

[4] European Parliament and Council, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, Official Journal of the European Union, 2016.

[5] T. Goubau, How GDPR Will Change Personal Data Control and Affect Everyone in Construction. personal-data-control-construction, last accessed 2018/07/20.

[6] E. Díaz Díaz, The new European Union General Regulation on Data Protection and the legal consequences for institutions, Church, Communication and Culture, vol. 1, 2016, pp. 206–239.

[7] D. Milicevic and M. Goeken, Ontology-Based Evaluation of ISO 27001. In: W. Cellary and E. Estevez (eds), Software Services for e-World, I3E 2010, IFIP Advances in Information and Communication Technology, vol. 341, Springer, 2010.

[8] E. Bilbao, A. Bilbao and K. Pecina, Physical Logical Security Risk Analysis Model. IEEE, 2011, pp. 1–7.

[9] L. Irwin, How ISO 27001 can help you achieve GDPR compliance, IT Governance, 2018.

[10] A. Calder and S. Watkins, IT Governance, 2008.

[11] ISO/IEC 27001:2013, International Standard, Information technology — Security techniques — Information security management systems — Requirements, 2013.

[12] M. D. Myers, Qualitative Research in Information Systems, ACM Computing Surveys (CSUR), MISQ Discovery, 1997.

[13] B. Berelson, Content Analysis in Communications Research. Free Press, New York, 1952.

[14] NQA, GDPR and ISO 27001 – how do they map? 27001, last accessed 2019/01/18.

[15] L. Dattani, GDPR and ISO 27001 – how to be compliant. compliant, last accessed 2019/01/25.

[16] M. Middleton-Leal, GDPR and ISO 27001 Mapping: Is ISO 27001 Enough for GDPR Compliance?, Netwrix. iso-27001-enough-for-gdpr-compliance/, last accessed 2019/01/27.

[17] PECB, The link between ISO/IEC 27001 and GDPR, https://koolitus.ee/images/sisu_pildid/ISO_GDPR_link.pdf, last accessed

[18] T. Tzolov, One Model For Implementation GDPR Based On ISO Standards, International Conference on Information Technologies (InfoTech-2018), 2018, pp. 1–3.
