The last thing you want to do in this climate is to neglect your responsibilities when it comes to GDPR. We got to chat with industry expert Gerard Higgins about the importance of data protection, and where it can all go wrong. With extensive experience of implementing quality, environmental, health and safety, energy and information security management systems and advising companies on how to integrate them, Gerry adopts a very practical approach to designing, implementing and maintaining management systems and brings this expertise to SQT Training‘s ISO 27001:2017 Internal Auditor Training programme.
Can you tell me about your own professional background? What got you into this field?
I started my career as an engineer but fairly quickly I got into management systems such as ISO 9001, the quality management system standard and ISO 14001, the environmental management system standard. I then got involved in OSHAS 18001, the health and safety management system, which is in the process of being replaced by ISO 45001, the health and safety management systems standard. Then I got interested in ISO 27001, the information security management system standard. Antaris implemented the standard in 2008 because we felt that some of our clients were looking for assurance on the management of client confidential documentation
We’ve all heard the basics of GDPR; what are the biggest mistakes companies can make?
Under the GDPR companies are responsible for the data they collect, including if they transfer this to third parties to be processed. Companies need to ask themselves the five ‘W’s of data:
• Whose data is it?
• Why are we processing it?
• Where is it kept or transferred?
• When are we keeping it until?
• What safeguarding mechanisms do we have in place?
What could those mistakes potentially cost an SME? Any examples?
The GDPR introduces new data protection requirements such as requiring businesses to implement strict technical and organisational security measures, including pseudonymisation and data encryption. The SME needs to identify what personal data it holds. If the SME had a data breach it could potentially be prosecuted.
When it comes to ensuring GDPR compliance, what are the main differences (and possible pitfalls) for a smaller company compared to a larger one?
The SME may not have the resources or expertise to understand the requirements of the GDPR. Sometimes it’s necessary to keep data for long period of times – for legal or auditing purposes or for medical records – and in those cases, you must implement the appropriate retention policy that specifies the ‘shelf-life’ of the data. The SME may not have the resources to carry this out.
What is the ISO 27001 standard Annex SL and Annex A high-level structure? Why is it important?
One way of managing the security of data is by implementing and being certified to ISO 27001:2013, the information security management system standard. ISO 27001 facilitates the implementation of a robust and systematic approach to managing information, thereby protecting the organisation’s reputation.
The standard helps businesses to become more resilient and responsive to threats to information security. It helps keep the company secure so it can focus on doing “business as usual” whilst clearly showing clients and suppliers its commitment to protecting information.
ISO 27001 can assist companies with the requirements of GDPR by:
• Safeguarding the accuracy and completeness of assets;
• Ensuring that information is not made available or disclosed to unauthorised individuals, entities or processes;
• Being accessible and usable upon demand by an authorised entity
Annex SL was developed in order to ensure that all future ISO management system standards (including ISO 27001) share a common format irrespective of the specific discipline to which they relate.
Annex SL prescribes a high-level structure, identical core text, and common terms and core definitions. This common structure will greatly facilitate the integration of management systems including quality (ISO 9001), environment (ISO 14001), energy (ISO 50001), health and safety (ISO 45001) and information security (ISO 27001).
Which are the companies you’d normally work with, and are they different when it comes to requirements or practices?
We work with both large and small manufacturing and service companies in the private sector and with organisations in the public sector. We look at the profile and scope of the organisation’s activities before deciding on the nature and degree of documentation of the management system.
When it comes to the assessment stage, what are the usual processes a business should undergo?
Before the company applies for certification to ISO 27001 it needs to ensure that it has met all of the requirements of the standard including undertaking an information security risk assessment and documenting a Statement of Applicability, which identifies the most appropriate information security controls that apply to the company.
It can best do this by carrying out a pre-certification audit of the information security management system.
How important is the audit and follow-up when it comes to the implementation of corrective action? What steps are usually required?
A company that is certified to ISO 27001 is required to implement an internal audit schedule and undertake internal audits of the whole management system. It is important that it implements the corrective actions that ensue in a timely and effective manner.
Can you tell me about the upcoming courses in September and November?
We are running a 1-day ISO 27001 Foundation course and a 2-day IRCA-approved Internal Information Security Management System Auditor training course. You can find out more about the programme details on the SQT site.
What is your average student profile? What skill level should they have going in?
The 1-day Foundation course does not require any knowledge of information security. The 2-day auditor course requires a basic understanding of ISMS. A number of the delegates start with the foundation course and then progress to the internal auditor training course.
How will they benefit from ISO 27001:2017 Internal Auditor training?
In the case of the 1-day course delegates will gain an understanding of the requirements of ISO 27001 that will assist them in implementing the standard. The 2-day internal auditor training course gives the delegates the skills to undertake internal audits of the information security management system standard.
Thanks again for taking the time to chat with us!
About Gerry Higgins
Gerry has carried out first-, second- and third-party audits in a number of jurisdictions and across a range of organisations involved in the manufacturing and service industries in both the public and private sector. He has also assisted many companies to demonstrate compliance with their statutory and regulatory requirements under the aegis of the Pegasus legal register service that Antaris offers on a multi-jurisdictional basis.
Gerry is CEO of Antaris, which he founded in 1994, has a degree in engineering and an MBA from the University of Limerick and is a chartered engineer and Fellow of Engineers Ireland. He is also a chartered environmentalist through IEMA. Previously, he held positions in industry and academia and enjoys the interaction between management system implementation and training.
Comments