Are you adequately covering GDPR within your ISMS?

Certification body (CB) assessors conducting ISO 27001 audits have increasingly emphasized compliance with the principles of the General Data Protection Regulation (GDPR). Previously, assessments primarily focused on whether organizations were registered with the Information Commissioner's Office (ICO), on compliance with the "Privacy and protection of personally identifiable information" control (ISO 27001 Annex A control 18.1.4), and on the existence of a legal and regulatory register and a data protection policy.

However, since the implementation of the GDPR, CBs now expect a more rigorous approach, understandably so. They require:

Integration of the GDPR into the organization's risk and opportunity considerations (ISO 27001 Clauses 4 and 6.1.1), including determining actions under Article 3 (main establishment/territorial scope).

Allocation of resources and competencies to the data protection officer (DPO) role (ISO 27001 Clause 7) as part of the support provided.

Establishment of a defined process to handle all types of data subject requests (ISO 27001 Annex A Control 18.1.4), with particular attention given to data subject access requests (DSARs).

Inclusion of steps for reporting information security events to the ICO in the information security breach process (ISO 27001 Annex A, A.16).

Addressing data transfers to non-UK and non-EEA countries within the context of supplier relationships and related controls (ISO 27001 Annex A, A.15 controls) and contracts. This includes considering the impact of the European Court of Justice's ruling in the Schrems II case and the adequacy of the ICO's International Data Transfer Agreement (IDTA) and the EU standard contractual clauses (SCCs), especially for onward transfers within the supply chain. Formalizing the Annex II commitments to security measures in the IDTA and the EU SCCs is important for safeguarding internal and inter-group transfers.

Incorporating security and privacy considerations (e.g., privacy by design and default) into system acquisition, development, and maintenance controls (ISO 27001 Annex A, A.14 and A.6.1.5).

Specifying retention periods for personal data under the "Protection of records" control (ISO 27001 Annex A, A.18.1.3).

While one could argue that all these measures are appropriate and part of prudent planning, they do represent a significant change in CBs' expectations.