On 25 May 2018, the EU General Data Protection Regulation (EU-GDPR) entered into force. At the same time, the topic of information security has become significantly more important. Several provisions of the EU-GDPR refer to the establishment of an ISMS (Information Security Management System) within the company:
Art. 5 GDPR states, inter alia:
“Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”
Reference to the ISMS
Integrity and confidentiality are well-known principles of information security management; until now, however, they were not part of the legal requirements.
Art. 32 GDPR states in para. 1:
“Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk…”
Art. 32 GDPR states in para. 2:
“In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.”
Reference to the ISMS
Core components of an ISMS are a level of protection appropriate to the risk and corresponding risk management.
QSEC® links the ISMS and data protection
profitably and sustainably!
As an integrated data security and information security management system, QSEC® fulfils all requirements of data security and information security.
The methodical, holistic procedure established in QSEC® enables:
- sustainable, holistic risk minimisation
- broad protection of corporate assets
- control through audit-proof documentation of activities
- verifiability of compliance towards business partners, clients, interested parties, banks and insurance companies
Based on the EU GDPR and the requirements of ISO 27001 and/or IT baseline security, QSEC® establishes approved procedures that introduce methodical processes and guidelines for identifying risks and for driving, controlling and continuously improving all technical and organisational measures (the Plan-Do-Check-Act cycle of the ISMS). QSEC® thereby provides:
- convenient implementation of all measures required by the EU-GDPR;
- consideration of all information, regardless of whether the data is in hard copy or digital form and whether it is personal or non-personal;
- methodical integration of security assessment and risk assessment, including the measures derived from them to counter data security risks, into one data protection and information security management system;
- assurance of the confidentiality, integrity, availability and resilience of IT systems and services in relation to data processing;
- determination of the maturity level (gap analysis) of existing data security activities;
- complete and audit-proof documentation of all data security and information security activities (e.g. keeping a register of processing activities, managing commissioned processing with all AV contracts and service providers per business process, or reporting data protection incidents);