This blog is a membership-based discussion forum on Project Management, Software Quality, CMMI® for development, ISMS and associated subjects. It provides a common platform for our training participants and others to share views and obtain expert opinion on issues related to the above subjects. It is also used by QualityMentors training participants to upload their personal details in a secure manner, in line with the guidelines laid down in ISO/IEC 17024:2003. This blog draws its strength from its members, who are welcome to share professional and personal experiences, comments, articles and reference links to make it a preferred knowledge repository for their collective use. It encourages fact-based decision making as a success enabler for projects in member organizations.
Neeraj Rawat from BSCIC asked whether compliance with the GDPR can be achieved by being compliant with ISO 27001:2013 and ISO 27018:2014.
ISO 27001 provides an excellent starting point for meeting the technical and operational requirements necessary to prevent a data breach under the General Data Protection Regulation (GDPR). A company that has effectively implemented ISO 27001 has already achieved about 50% of GDPR compliance by minimising the risks to the confidentiality, integrity and availability (CIA) of its information and data. The GDPR states that organisations must adopt appropriate policies, procedures and processes to protect the personal data they hold. This is achieved by defining and implementing policies and processes under ISO 27001, keeping the GDPR requirements in mind.
Additional requirements in the GDPR that are covered by a privacy framework like BS 10012:2017 – Specification for a personal information management system (PIMS) have to be met before an organization is GDPR compliant.
ISO 27018:2014 is a code of practice for protecting personally identifiable information (PII) in public clouds acting as PII processors; its scope is limited to that cloud context. That means that being compliant with ISO 27001 and ISO 27018 cannot guarantee compliance with the GDPR.