Establishment of an Information Security Management System (ISMS)
Particularly in digital companies, information is the basis of any business activity and is therefore seen as an intangible corporate asset. Many companies are currently focusing on not only understanding it, but also on protecting it.
The ISO/IEC 27001 standard was developed to ensure the selection of suitable security mechanisms to protect all information assets of a company. This includes the establishment of procedures and rules within the company that serve to permanently define, manage, control, maintain and ultimately continuously improve information security.
With the establishment of a centrally controlled, uniform and subsequently auditable information security management system (ISMS), you can demonstrate that all necessary prerequisites have been met to effectively protect against security breaches.
It also raises the awareness of management and employees about intangible corporate values and which risks can threaten them. This documents an extremely high level of trustworthiness towards customers and partners.
Why does an additional data protection management system (PIMS) makes sense?
Data protection is closely linked to data security. Information Security Officers (ISO) and Data Protection Officers (DPO) in the company have partly overlapping responsibilities, which, must be carried out separately in terms of different people. With the additional standard ISO/IEC 27701, the classic ISMS is expanded to include data protection aspects, so that both officers can work towards each other via the same set of documents.
The ISO/IEC 27701 standard deals with the development, implementation, maintenance and continuous improvement of the Privacy Information Management System (PIMS).
It represents an extension to the already established information security management system (ISMS), and can also be certified later.
However, the certification of a data protection management system within ISO 27701 should not be confused with certification by a data protection seal of approval (according to Art. 42 GDPR). Only a data protection seal of approval verifies whether the data processing measures comply with the provisions of the GDPR.
The demarcation from a certification of a data protection management system within the framework of ISO 27701, which only deals with the processes of a management system, is therefore not quite easy to understand. If you are in any questions, please feel free to contact our experts or read more information about this on our new ePrivacycert GmbH website: www.eprivacycert.eu.