Information Security Management | Antaris

Information Security and Data Privacy

ISO 27001 is the international standard for information security management systems (ISMS), and it helps you keep your information assets secure.

It is an internationally recognised management system standard for managing information security governance and risk. The standard provides a best-practice framework, describing the key requirements necessary to implement an effective and compliant ISMS.

We can help your organisation manage the security of your assets, such as financial information, intellectual property, employee details or information entrusted to you by third parties.

You simply can’t be too careful when it comes to protecting personal records and commercially sensitive information. 

ISO 27001 facilitates the implementation of a robust and systematic approach to managing information, protecting your organisation’s reputation. The Antaris team has extensive experience and expertise with ISO 27001, and we are certified to the standard ourselves.

ISO 27001 helps make businesses more resilient and responsive to threats to information security. It helps keep your business secure so you can focus on doing “business as usual”, while showing clients and suppliers your commitment to protecting their information.

ISO 27001 follows a risk-based approach, ensuring that security controls implemented are appropriate and proportionate both to the assets to be protected, and your organisation’s appetite for risk. 

Our ISMS consultancy services include:

  • Gap analysis and scoping

  • Risk assessment

  • Statement of Applicability

  • Remediation planning

  • ISMS framework development

  • Policy and documentation support

  • Internal audit

  • Pre-assessment review

This standard focuses on the context of your organisation, risk-based thinking, enhanced leadership responsibilities, and the new Annex SL high-level structure, which is aligned with other ISO management system standards.

ISO 27001 certification covers 14 information security domains and consists of 114 security controls, ensuring that all information assets, spanning people, processes and technology, including suppliers and vendors, are secured.

As a risk-based information security management framework, ISO 27001 is generally regarded as the means by which organisations can meet the required level of data protection stipulated as ‘appropriate controls’ under regulations such as the UK and Irish DPA (Data Protection Act) and the EU GDPR (General Data Protection Regulation).

ISO 27001 also requires that legal and regulatory obligations are understood and incorporated into the management system.

The EU General Data Protection Regulation (GDPR) and the Data Protection Act 2018 came into force in May 2018 and apply specifically in the following areas:

  • Enhanced risk management processes to consider privacy as a primary concern

  • Inventory and accountability

  • Communications with customers and staff

  • Personal privacy rights and supporting procedures

  • Changes to access requests

  • Consent and legal basis

  • Processing children’s data

  • Breach reporting

  • Privacy Impact Assessments (PIAs) and “Privacy by design”

  • Data protection officers (DPOs)

  • International data transfers

Implementing ISO 27001 will go a long way towards helping you achieve compliance with the GDPR, although there are areas under the GDPR that are not controlled by the standard.

ISO 27701:2019 addresses that gap: it is a data privacy extension to ISO 27001 that provides guidance for organisations looking to put systems in place to support compliance with the GDPR and other data privacy requirements.

ISO 27701, also referred to as PIMS (Privacy Information Management System), outlines a framework for Personally Identifiable Information (PII) Controllers and PII Processors to manage data privacy. Privacy information management systems are sometimes referred to as personal information management systems. The standard is based on the requirements and Annex controls outlined in ISO 27001 and adds privacy-specific controls and objectives.

Extending an existing Information Security Management System in this way reduces risk both to the privacy rights of individuals and to the organisation.

This standard is a great way of demonstrating to customers and to external and internal stakeholders that effective systems are in place to support compliance with the GDPR and other related privacy legislation.

The significant overlap in system and technical requirements between a privacy information management system and an information security management system presents a compelling case for implementing ISO 27001 and ISO 27701 together. Organisations looking to get certified to ISO 27701 will either need to hold an existing ISO 27001 certification or implement ISO 27001 and ISO 27701 together as a single implementation audit.

For more information on gaining certification for your organisation, please get in touch with a member of our team and we will be more than happy to help you. 

Antaris - Here To Help