I was delighted to recently receive the news that TipTop Media passed the ISO 27001 re-accreditation. If you’re not familiar with this ISO, it’s the international standard for information security, and you can read about why we decided to become ISO 27001 certified in our original blog post on the topic. When it came to getting GDPR ready, we found that we had a great starting point thanks to our ISO procedures and as we approach the six-month mark from the date that GDPR came into force, we thought we’d take a look at how our ISO accreditation helped us achieve GDPR compliance.
We’re fairly certain that the majority of UK businesses are aware that GDPR was designed to protect personal data held by organisations through the implementation of business-appropriate policies, procedures and processes. Article 32 of the GDPR states that organisations must undertake certain measures to protect the data they hold, such as rendering it anonymous, ensuring the safety of the systems in place that process the data, regularly testing and evaluating these systems, and identifying and mitigating any risks to this data. Despite this, the GDPR does not offer any guidance on how to achieve these goals. An effective Information Security Management System is essential, but designing one can be a daunting task, and this is where ISO 27001 can help.
When considering information security, it can be tempting to simply look at enhancing or changing the technologies that you use to protect data. However, with one of the biggest risks to your security being simple human error, ignoring the people and processes inherent to your business will undermine any technology that you put in place. Becoming ISO 27001 certified helped us redesign our data management systems, and in order to achieve our recent re-accreditation we were required to continually monitor and evaluate these systems, which means that we can make amendments to take into account any changes to our business or newly emerged potential threats. Without this, any controls that we put in place would risk being left to operate in isolation and become obsolete over time, rather than continuing to be effective as part of our bigger plan. Obtaining and retaining certification also means that our business has external validation of the systems in place, which allows us to offer reassurance to our clients that their data is protected and to feel confident that our information security management systems adhere to best practice.
In addition, deciding to undertake ISO 27001 accreditation (or indeed any of the ISO management systems!) requires dedication from the top down because of the work and cost involved. Leadership commitment has been proven time and again to be essential to the efficacy of these types of plans, and I would like to thank all of the team at TipTop Media for their ongoing commitment.