Data security and privacy continue to be critical issues for Aires’ clients, and we have recently issued a white paper on this subject. Below, we’ve highlighted a blog post from Peter McShea, Aires’ Manager of Privacy, Risk, & Compliance, originally released in April 2020, focusing on the key issues of data security and data privacy and the best ways to ensure compliance with regulations such as GDPR.
“Private information is practically the source of every large modern fortune.” – Oscar Wilde
Technology and privacy are two words that best describe the information age. Data security and data privacy have become exceedingly important given the growing number of data breaches that have occurred over the last few years. The issue presents an ongoing challenge to individuals, businesses, and enterprises of all sizes. Despite the increase in breaches over the years, how many organizations have proactive plans to mitigate the risks?
IMPLEMENTING A STRONG INFORMATION SECURITY MANAGEMENT SYSTEM – ISO 27001
ISO 27001 is an information security standard that was created by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in order to implement a framework for managing information security risks. The standard defines a process to predict and analyze potential risks to the information a business processes and build policies to manage those risks. The goal of an ISMS is to minimize risk and ensure business continuity by proactively limiting the impact of a security breach.
A certified company sends the important message that they treat the security of their clients’ and partners’ information as a top priority. They care about doing the right things the right way. Demonstrating compliance not only improves business processes but provides a distinct advantage in managing contractual and regulatory requirements.
PROTECTING PERSONALLY IDENTIFIABLE INFORMATION – ISO 27701
By now, most everyone knows that the General Data Protection Regulation (GDPR) is the most comprehensive privacy law in existence. It allows for organizations to become GDPR-certified but doesn’t describe the control framework for doing so. Because of this, ISO stepped in and created ISO/IEIC 27701. The new standard was published on August 6, 2019, and provides the requirements and guidance for establishing, implementing, maintaining, and continually improving a Privacy Information Management System (PIMS) for the processing of Personally Identifiable Information (PII).
The ISO 27701 standard is an extension to ISO 27001. Organizations who are already ISO 27001 certified can combine and implement the ISO 27701 controls and obtain the certification to both standards in a single audit. When certification is achieved, the certification body will conduct an annual surveillance audit to ensure continual improvements are made and ongoing conformity is practiced.
A primary operational impact of ISO 27701 is the inclusion of privacy concepts and the incorporation of many articles from the General Data Protection Regulation (GDPR) into the ISO framework. Similar to the focus of the GDPR regarding who serves as controller and processor when managing personal data, ISO 27701 places the responsibility of compliance on the PII controller (i.e., the person or agency who determines the purposes and means of the processing of personal data) and the PII processor (i.e., the person or agency who processes personal data on behalf of the controller).
AIRES’ ISO 27701 CERTIFICATION
Aires is proud to have achieved ISO 27001 certification and was one of the first ANAB (ANSI National Accreditation Board)-approved ISO 27701 companies in the world in March 2020. The largest such body in North America, ANAB provides accreditation services and training to public and private sector organizations throughout the world. The certification is assurance that Aires has a clearly defined and audited framework in place to support our organization and the appropriate controls to protect the privacy of our employees, clients, transferees, and any other data subjects.
Aires’ robust Privacy Information Management System (PIMS) gives us four significant advantages:
- Certification is valuable in communicating privacy compliance to existing clients, potential clients, and partners. Clients demand evidence that our privacy management system adheres to applicable privacy requirements. A uniform evidence framework based on international standard will greatly simplify such communication of compliance transparency, especially when the evidence is validated by an accredited third-party auditor.
- A managed privacy approach eases the compliance burden. A single privacy control satisfies multiple requirements from GDPR and future privacy law.
- Achieving and maintaining compliance with applicable requirements is a governance and assurance advantage. Based on the certification, we can provide the necessary evidence to assure stakeholders such as senior management, clients, and the authorities that applicable privacy requirements are satisfied.
- ISO 27701 certification serves to signal trustworthiness to the public.
To receive a copy of Aires’ white paper on this topic, please contact your Aires representative.