ISO/IEC 27001:2022: changes and comparison with the GDPR
In-depth analysis of the structure of ISO/IEC 27001:2022, its key frameworks, its impact on data protection and comparison with EU regulation 2016/679
The publication of ISO/IEC 27001:2022 - "Information security, cybersecurity and privacy protection - Information security management systems - Requirements" represents a significant advance in information security management. This international standard, released in October 2022, places particular emphasis on the protection of personal data, as reflected in its title and demonstrated by the many controls that affect data protection, both directly and indirectly. This article explores the points of convergence and the differences between the standard and EU Regulation 2016/679 (GDPR).
The ISO/IEC 27001:2022 frameworks and comparison with the GDPR
The structure of ISO/IEC 27001:2022 consists of three main frameworks: requirements, controls and risk management. These sets of guidelines define the security context and the expectations placed on organizations by establishing specific controls for the confidentiality, integrity and availability of information. On the risk analysis side, the standard has clear similarities with the GDPR, which likewise requires a risk analysis carried out in accordance with the principle of accountability, identifying vulnerabilities and potential threats.
Scope of application, normative references and responsibilities
ISO/IEC 27001:2022 covers all data, both personal and business, regardless of its physical location, unlike the GDPR, which covers only personal data and applies only within the European Union. The ISO standard, unlike the GDPR, also addresses the verbal processing of information. The standard further requires organizations to apply specific controls in order to comply with privacy and data protection laws and with contractual requirements. This involves defining specific responsibilities, establishing a "privacy officer", and creating and distributing policies and procedures for the protection of personal data.
Measurement of personal data protection and conclusions
Many controls of ISO/IEC 27001:2022 are intended specifically for the protection of personal data. These include "Protection of records", "Information deletion", "Data masking" and "Data leakage". The standard once again demonstrates its value by providing measures dedicated to the protection of personal data. In conclusion, as highlighted during Privacy Day 2023 at the CNR in Pisa, ISO/IEC 27001:2022, together with the ISO/IEC 27002:2022 guideline, offers a solid and robust approach to the protection of personal data, also with reference to various other ISO/IEC standards for privacy impact assessment and management.
06/12/2023 08:01
Editorial AI