The creators of isology®

This episode we are joined by Mark Frudd, Managing Director and Founder of Security and Software Development at company TriplePs.

Mark’s here to tell us about the information security Standard ISO 27001. It’s brought his business countless benefits, allowed them to expand, and win government contracts. But it hasn’t been all easy sailing, the ISO has brought up some unique challenges for Mark to overcome. He explains what these are, how he tackled them, and what he wishes he knew before embarking on this journey…

Mark Frudd is the Managing Director and Founder of Security expert at software development company TriplePs. His work history revolves around the cybersecurity industry and delivering high profile public sector projects.

With a personal motto that IT and security doesn’t need to be expensive to be effective, Mark now focuses on providing affordable security, and software solutions, that meet the needs of both his clients and their end-users.

This episode, Mark is here to talk  about his experience implementing and managing the information security standard ISO 27001. After putting the ISO into place his company quickly expanded in size and Mark soon realized that the standard wasn’t being effectively implemented across his business.

He explains  why this was, what he did to rectify it, and how he could have avoided that happening in the first place.

In his own words ‘An ISO isn’t just for Christmas, it’s there every single day. You don’t just manage it, you adopt it.’

Mark explains  how having ISO 27001 helped expand his business and why it’s so important when trying to gain government contracts.

Finally, he explains how following this standard has shaped TriplePs business strategy and the different benefits that it has brought to his business…

Website: https://www.triplepsltd.com/

Twitter: https://twitter.com/TriplePsLtd

Linkedin: https://www.linkedin.com/company/triplepsltd

You’ll learn

• How Mark ended up implementing ISO 27001.
• Why ISO 27001 is important for maintaining a high information and security standard.
• The challenges involved in implementing ISO 27001.
• The benefits of following ISO 27001 and how it can help with expansion.
• How Mark manages ISO 27001 across his business.
• The importance ISO 27001 has when gaining government contracts.
• Why Mark decided to bring in a specialist to help implement the standard properly.

Resources

• Blackmores
• TriplePs

In this episode, we talk about:

[00:33] Who Mark Frudd is and how he ended up implementing ISO 27001.

[01:04] Who TriplePs are.

[01:51] Mark’s history working in Butlins, and what he learnt there.

[02:51] The type of security work TriplePs does.

[05:35] Why TriplePs decided to work with Blackmores when implementing the ISO 27001 procedure.

[07:22] What Mark’s role in TriplePs is and what his daily work life looks like.

[09:00] What the process for implementing ISO 27001 looked like.

[11:16] The importance of maintaining the right ISO standards when your company goes through rapid growth.

[13:18] The importance of adopting ISO’s into the heart of your businesses culture.

[15:52] How ISO 27001 has shaped TriplePs business strategy.

[18:57] The best way to implement a new ISO standard.

[20:51] The benefits involved with following the ISO 27001 standard.

[23:34] Mark’s favorite book.

[24:36] How ISO’s are a constant and not ‘Just for Christmas’.

[25:27] How to find out more about TriplePs.

If you need assistance with implementing ISO 27001 – Contact us!

We’d love to hear your views and comments about the ISO Show, here’s how:Share the ISO Show on twitter or Linkedin

Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube |iTunes | Soundcloud

Is it okay to ever use a personal e-mail account address for business, or send business e-mails to my personal e-mail address?

The short answer is ‘No!’ This is because it opens your business up to security, legal and professional risks that may lose you customers and can damage your reputation.

All businesses have the capability to access their emails on all sorts of equipment, smartphones, tablets, PCs and laptops (the latter two through the use of a secure VPN back to the business itself. So, there is no reason to resort to personal e-mail accounts for business use.

However, there are far greater risks to the business in terms of Security, Legal Compliance and Business Reputation that should be enough to deter employees from using such risky methods in the corporate environment.

What are the security risks of using a personal account for business?

Personal email accounts exist outside of the IT department’s control, therefore, they are not subject to backup, archiving, security or governance so using them for business purposes, is a clear violation of compliance regulations. Furthermore, as they are beyond the bounds of the IT department’s control there is no guarantee that e-mails are secure or will remain free of any viruses.

If e-mails held in personal accounts are not back-up there is a loss of auditable trails and opens the business and employees up to losing important information that the business must, by law retain as business evidence of good business practices – this opens the company up to suspicions of fraud.

Employees sending e-mails to their personal e-mail addresses can not guarantee the security of their e-mails, particularly if they use systems such as Hotmail and Gmail, which are notoriously vulnerable e-mail systems and have been hacked on many occasions. How would it look if you lost company information because of a data breach in an employee’s personal e-mail account? It would damage you reputation and may result in lawsuits.

Whilst you may have appropriate antivirus protection in place, can the same be said of employees on home computers? Typically, the answer is no, either because the antivirus has not been kept up to date or the type being used is not as effective as those used within the business. If an employee sends an e-mail to a client from their home system it could be infected by a virus (that you have not been able to control) and the reputation of the company is impacted.

And since personal emails are not stored on company servers, discovery for DPA/GDPR and Freedom of Information requests are seriously compromised presenting legal risks to your organization.

If you are concerned about your organisations’ data security then you may want to consider ISO 27001 (Information Security Management) or BS 10012 (Personal Information Management).

If you would like to learn more about ISO 27001, we do have a 2 part Podcast series discussing the journey to certification. Listen HERE.

We’d love to hear your views and comments about the ISO Show, here’s how:

• Share the ISO Show on twitter or Linkedin
• Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube |iTunes | Soundcloud

Step 1 – Conduct a Privacy Impact Assessment (PIA)

Why?

Enables you to identify all the processes/activities that involve personal data and demonstrates to the ICO that you have carefully considered personal data within your business.

 How?

Complete a PIA for each information stream in your business, we have a host of template documents to help you and your business comply, contact us for further information.

Step 2 – Data Protection Policy Statement

Why?

This policy is your commitment/statement of intent as an organization to Data protection

How?

If you don’t have a DPS you will need one, then you need to consider if it needs to be publicly available or internal only. You should send it to new and prospective clients and share with suppliers.

Step 3 – Data Retention Policy & Data Retention Schedule

Purpose:

Data Retention Policy – This is required to support the creation, retrieval, proper storage and preservation of essential personal data records, and to enable identification and destruction of information where there is no continuing business, legal or historical significance.

Schedule – This schedule defines the different types of records typically found in businesses.  It may not capture all the personal data/records that you may have in your company.  Where any are missing, you need to add these to the ‘Other’ tab within the document.   The schedule defines any legal retention requirements/ guidance on best practice from the ICO.

Action: Make the Policy and schedule available to staff.

Step 4 – Privacy Policy Template

Why?

In the interest of transparency (a GDPR principle requirement), you are required to provide privacy information to data subjects when you are collecting their personal data.  Typically you will find a Privacy policy is put onto the website (as generally this is where you may have data capture forms).

How?

Have a look at what you have got already in your Privacy Policy and if it needs updating within the section related to Legal Basis for processing (as per the PIA/Data Matrix outputs) as not all may apply.

• Display it in an ‘easy to digest’ format on your website. i.e. section headers with an overview paragraph – they option to expand to see full details.
• Add in a link to this page on your email signatures
• Have a think where else in the business where you might be collecting personal data that you should be providing some level of privacy information i.e. Terms of engagement (use the same headings if possible).

Step 5 – Security Incident Procedure

Why?

This is the document that you need to describe the process for reporting data breaches or security weaknesses, events, and investigation of security incidents.  All staff must be made aware of document and understand the procedure as they have responsibilities to be able to know how to report breaches/ security incidents as they become aware of them.

How?

• Write up your procedure and make it available to staff and ensure they’re aware of their data protection/ information security breach responsibilities as appropriate.

Step 6 – Information Security Breach Checklist

Why?

The checklist is to capture the key elements relating to a data breach to ensure actions are recorded and progressed as appropriate. The root cause can then be understood, and that is any new/changed controls are needed to be made and applied as part of the lessons learnt activities.

How?

• Ensure it’s availability to staff and they understand and are aware of their data protection/ information security breach responsibilities as appropriate.

Step 7 – Subject Access Request (SAR) Procedure

Why?

As stipulated by GDPR any individual that you hold information on has a right to know what data you hold on them eg name, address, etc – this info can be requested by an individual using a  ‘Data Subject Access Request’.

How?

Write up your procedure outlining the steps to be followed by staff upon receiving this request, what information they need to record and how to go about it. This will ensure that your company receives and processes Data Subject Access Requests in accordance with the General Data Protection Regulations.

Step 8 – Subject Access Request (SAR) Log

Why?

There are rules relating to how long you have to respond (within 30 days) to these requests and this log enables you to keep track of any requests in progress, or any historical requests made.  This log is linked to/ referenced within the Subject Access Request procedure.

Step 9 – GDPR Staff Training

Why?

Most data breaches/ Information Security breaches/incidents can be traced back to an individual’s actions or decisions.  Providing awareness training to staff is a form of control that you may need to evidence to the ICO/Client in the event of a data breach.

How?

• Ensure all staff receive this training.
• Retain evidence that this training has been delivered i.e. staff training records

Step 10 – Supplier Data Compliance Questionnaire

Purpose:

This questionnaire is to check that the suppliers that your business shares personal data with are GDPR compliant. It is a requirement for your company to check the security and data protection compliance of any processors/ sub-processors used by the business

How?

• Identify those suppliers/ partners to whom you may supply personal data (Use the Data Matrix/ PIA results as a reference point)
• Send the questionnaire to the companies likely to respond.
• Conduct the required due diligence for larger organisations and retain evidence of findings
• Take action depending on the outcome of the questionnaires/ proactive due diligence.

Next steps………

1. Use your common sense when it comes to protecting your client dataJ
2. Review your client terms of engagement – are you being transparent about the handling and protection of your client data?
3. Complete the Privacy Impact Assessment (PIA)
4. Identify your risks and implement the organisational controls (Policies, procedures and training)
5. Identify the risks and implement the technological controls i.e. data back-up, anti-virus software, restricted access, password management.

May 25th 2018 – GDPR becomes law

This is the date the ICO has set for all organisations to align with GDPR.
Are there any legal implications for my business?

GDPR becomes law on May 25th 2018.  Therefore compliance to the requirements becomes a legal implication for your business on this date.

Steve wood, the Information Commissioner’s Office Head of International Strategy & Intelligence has quashed any suggestions of a soft start to GDPR. He stated “You will not hear talk of grace periods from people at the ICO. That’s not part of our regulatory strategy.”  He explained the ICO intend to focus on risk and will be happy to work with organisations if there are any areas that seem unclear but there will be no grace period.
What happens if my company does not comply?

Under the GDPR there are tiers of fines that can be imposed depending on the severity of breach.  The worst case scenario for fines are 4% of global turnover or £20M – whichever is greatest.

Not only are fines imposed, but the ICO  ‘name and shame’ businesses that are in breach.  This is not a new development – this is also the case under the DPA. More information can be found HERE.

Can I implement BS 10012 instead of GDPR

Yes. BS 10012 incorporates all the requirements of GDPR, but the key benefit is that it drives ongoing review and improvement of controls implemented to manage these requirements – now and thereafter.

Neither GDPR or BS 10012 alignment happens without input or effort.  Both require action and top level commitment from a business.  There is no ‘off the shelf’ magic answer as every business is different, with its own processes, people, clients and suppliers – all of which generate personal data that needs to be effectively managed within a business.

How much work is involved in implementing BS10012

Neither GDPR or BS 10012 alignment happens without input or effort.  Both require action and top level commitment from a business.  There is no ‘off the shelf’ magic answer as every business is different, with its own processes, people, clients and suppliers – all of which generate personal data that needs to be effectively managed within a business.

Gone are the days when a simple communicated Data Protection policy and registration with the Information Commissioner would suffice for Data Protection compliance.   One of the biggest changes is the ‘accountability’ principle underpinning the six other principles.   You now need to be able to prove you have applied all the principles within your business.

Over and above just the basic principles, you should be striving to:

• Demonstrate that you understand what personal data you control or process,
• Identify the legal basis for processing
• Demonstrate the steps you have taken to understand and control/mitigate risk
• Communicate requirements to interested parties
• ‘Bake in’ Data Protection within your organisation (including required processes and review of planned/unplanned changes)
• Review performance and strive for continual improvement.

When you consider the potential consequences of getting any of this wrong – 4% of global annual revenue or €20M whichever is greater – why wouldn’t you take the best practice approach and implement BS 10012?

What is data subject consent?

This is clearly defined by GDPR, what the data subjects wishes are in processing their data.

What is a freedom of information request?

Under the GDPR, individuals will have the right to obtain:

• confirmation that their data is being processed;
• access to their personal data; and
• other supplementary information – this largely corresponds to the information that should be provided in a privacy notice

You must provide a copy of the information free of charge.  However, you can charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive.

You may also charge a reasonable fee to comply with requests for further copies of the same information. This does not mean that you can charge for all subsequent access requests.

In order to provide the information you must verify the identity of the person making the request, using “reasonable means”. If the request is made electronically, you should provide the information in a commonly used electronic format.

Can I implement BS 10012 instead of GDPR

Yes. BS 10012 incorporates all the requirements of GDPR, but the key benefit is that it drives ongoing review and improvement of controls implemented to manage these requirements – now and thereafter.
Neither GDPR or B S10012 alignment happens without input or effort. Both require action and top level commitment from a business. There is no ‘off the shelf’ magic answer as every business is different, with its own processes, people, clients and suppliers – all of which generate personal data that needs to be effectively managed within a business.

How will BS 10012 add value to my business?

By implementing and certifying your business against BS 10012:2017, you will be able to demonstrate some clear advantages over your competitors:

• Commitment to protecting client and stakeholder personal data – independently assessed by a 3^rd party certification body
• Identify risks to personal information and implement controls to mitigate them – reducing risk for both your organisation, and any clients whose personal data you may process
• Utilise a management system to actively demonstrate compliance with both the GDPR and the revised UK Data Protection Act
• Continually improve your management of personal data against recognised best practice and improved controls
• Proactively protect your reputation – both in the market and to your interested parties
• Achieve competitive advantage when tendering for new business

Running a successful business is all about reducing risk wherever possible (BS 10012 is a risk-based standard) and seeking opportunities to improve on the competition (BS 10012 certification sets you apart from mere internal GDPR ‘compliance statements’).

You can confidently state that you have credible 3^rd party assurance that you are meeting your data protection obligations under GDPR – through certification to BS 10012 with a recognised certification body such as ISOQAR, BSI, LRQA, SGS etc.

Will ISO 27001 make me GDPR compliant?

ISO27001 v BS 10012

On its own No – this is a myth.

Information security is just one of Six principles of BS10012 and GDPR

 “f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”

Whilst a very important principle, if you rely on just having ISO 27001 for GDPR compliance you run the risk of not being in full alignment with all the principles (and related articles and recitals).

 

Who needs to be involved in BS 10012?

Do all my staff need to be involved in BS 10012

Successful implementation is a team effort.

It starts with the top – Senior Management need to be fully onboard and committed to achieving data protection best practice.  If this is secured, then everything else will flow from there.

In order to effectively identify all the personal data within your organisation you need to involve all areas of the business.

All too often businesses are concerned with just the data they may process for their clients – normally because they’re being questioned about data protection by their clients!

Or on the flip side, businesses are overly concerned with staff or finance data – excluding all the other client related personal data they may be controlling in the business.

With BS10012 – all personal data is captured and recorded to ensure that all risks are considered.

Thereafter, all staff require a level of data protection training to ensure that they understand their responsibilities in relation to personal data.  Unfortunately, as has been proven many times before, people will always be the weakest link when it comes to data protection breaches.  Ensuring all staff are trained is fundamentally one of the most important steps to take in implementing BS10012:2017

This extends out to key suppliers or partners depending on whether personal data is shared/ transferred outside of the business.

Are you ready for GDPR? Is your business data secure from cyber threats?

The General Data Protection Regulations (GDPR) will come in to force on 25th May 2018. If your business controls or processes any personal information – e.g. employee and/or customer data – you will need to comply. Failure to do so could cost you dearly, resulting in heavy fines and serious damage to the reputation of your business.

Central to GDPR compliance is making sure that the personal data your business deals with is controlled and processed securely. Businesses of all sizes are increasingly under threat from cyber attacks. If you have not put the appropriate technical measures in place to protect personal data, your business will be liable should you suffer a data breach.

Cyber Essentials is the UK Government Cyber Security standard for all businesses and organisations. Meeting the standard demonstrates that your business is taking all reasonable steps to protect the data you hold, and that you take cyber security seriously.

Node IT Solutions are holding this business briefing on GDPR and Cyber Essentials in partnership with Blackmores, specialists in Quality, Risk & Environmental Management. Mel Blackmore will be talking about GDPR and how businesses can prepare. Leigh Wood from Node IT will be taking you through the government Cyber Essentials standards and what businesses need do to qualify and pass the assessment.

9:00-9:30 Arrival: tea, coffee & refreshments

9:20-9:30 Introduction

9:30-10:10 Mel Blackmore, Blackmores
GDPR compliance and the steps you need to take now

10:10- 10:20 Break

10:20-11:00 Leigh Wood, Node IT Solutions
Why Cyber Security should be central to your GDPR strategy

11-11:20 Q&A with Mel & Leigh

Join us to find out what your business needs to know about GDPR and Cyber Security and start taking positive steps towards GDPR compliance. Click here to register for the event. 

 

How to go about implementing BS 10012

The first step to Implementing BS 10012 would be to carry out a Gap Analysis to identify where the gaps are in your Personal Information Management. Evaluate the results and formulate a plan to put the correct policies and procedures in place to be compliant. This evaluation will also highlight any potential existing risks with your personal information management, which can then be addressed as you create your management system.

Unless you are familiar with BS 10012 requirements, we suggest seeking out guidance or support with the process of establishing a management system. Blackmores also offer assistance with BS 10012, so feel free to contact us for more information.

Do I have to delete all historical data?

No – If there is a legal basis to retain and use this data, then the GDPR should not prevent you from using this, or require you to delete this data. However, under GDPR you are required to identify the legal basis in line with the overarching principles.

You should review your data retention policies and ensure that you are not keeping historical data unnecessarily.

What if I want to keep personal data I have previously collected?

The requirement to keep data retention to a minimum is not a new concept. The DPA has always mandated that only necessary data should be collected and only used for as long as required. The same principle applies with the GDPR.

If there is a legal basis to retain and use this data, then the GDPR should not prevent you from using this. However, under GDPR you are required to identify the legal basis in line with the overarching principles.

ONI successfully recommended for BS 10012 certification

Leading the way in GDPR compliance, Blackmores are delighted to announce that ONI Plc have been recommended for certification to the updated British Standard for Personal Information BS 10012:2017 with Certification body Alcumus ISOQAR.

The standard was updated in 2017 to provide a framework to support organisations to align their Personal Data Protection Policies and procedures with the GDPR requirements coming into force on the 25th May 2018.

Supporting ONI Plc to integrate their robust information security (ISO 27001) controls with BS 10012 to demonstrate commitment to GDPR, we are delighted that ONI Plc are the first to be recommended for certification.

Aligning with GDPR assures your clients that you understand data protection & have the controls to keep their information safe. GDPR takes into consideration the rights of the data subjects, security threats and new technology.

What difference will it make to the customers?

Ultimately, the customers will be assured that you are aligning to the GDPR Data Protection Principles, that you understand data protection risks relative to your activities and are applying proportionate controls to ensure that you keep their personal data protected within your business.

Data Protection is not a new concept, however the changes with GDPR have recognised the rights of data subjects, recognized information security threats and the fact that new technologies have expanded the availability of personal data.

If you share customer data, ensure that you comply with the data protection principles. There are 7 data protection principles that ensure confidentiality, integrity and security of data.

We don’t share the customer data we collect?

Regardless of if you share the customer data you collect, the GDPR still applies. There are several Data Protection principles that need to be upheld, to include ensuring confidentiality, integrity and security of data.

The principles are defined below:

Principle (a) Lawfully, fairly and transparently processed;
Principle (b) Obtained only for specific legitimate purposes;
Principle (c) Adequate, relevant, limited in line with data limitation principles;
Principle (d) Accurate and up to date, with every effort to erase or rectify without delay;
Principle (e) Stored in a form that permits identification no longer than necessary;
Principle (f) Ensure appropriate security, integrity and confidentiality of personal information using technological and organizational measures; and
General Accountability for the above

Reviewing your procedures – as your business will constantly evolve your GDPR procedure should align with the growth.

How regularly do I need to review my procedures?
Business are constantly evolving – through the development of new services, the use of new technology and growth within their industry. This means that controls implemented for GDPR (both logical and physical) may no longer be sufficient or relevant in 1 – 2 years time.

As with any other applicable legislation or risk based activity, it is best practice to perform a ‘health check’ every year to ensure that you remain in alignment with the requirements of GDPR. This should include a review of awareness within your organisation

GDPR becomes law on May 25th 2018.  Therefore compliance to the requirements becomes a legal implication for your business on this date.

Steve wood, the Information Commissioner’s Office Head of International Strategy & Intelligence has quashed any suggestions of a soft start to GDPR. He stated “You will not hear talk of grace periods from people at the ICO. That’s not part of our regulatory strategy.”  He explained the ICO intend to focus on risk and will be happy to work with organisations if there are any areas that seem unclear but there will be no grace period.

My customers are not in the UK, does GDPR still apply?

Even if your customers are not in the UK, it is likely that you still employ staff, and hold HR information on these staff in the UK.  Therefore the requirements of GDPR will still apply to you.

What difference will it make to the customers?

Ultimately, the customers will be assured that you are aligning to the GDPR Data Protection Principles, that you understand data protection risks relative to your activities and are applying proportionate controls to ensure that you keep their personal data protected within your business.

Data Protection is not a new concept, however the changes with GDPR have recognised the rights of data subjects, recognised information security threats and the fact that new technologies have expanded the availability of personal data.

It is VITAL that all staff are made aware of GDPR and their responsibilities for Data Protection within your organisation. Even with the most stringent automated controls in place, ‘people’ will always be your weakest link (and greatest risk) in terms of data protection.

Therefore you need to ensure you are planning your GDPR awareness campaign now to ensure that your staff understand:

• the requirements of GDPR,
• What your expectations are as an employer and
• What controls and processes are in place that must be adhered to
• How to recognise and report a data breach
• Who to speak to regarding Data Protection

The introduction of GDPR is an evolution of the existing UK data protection law (rather than a revolution). One of the key drivers for data protection change is the importance and continuing evolution of the digital economy in the UK and around the world. The digital economy is primarily built upon the collection and exchange of data, including large amounts of personal data – much of it sensitive. Growth in the digital economy requires public confidence in the protection of this information.

The major shift with the implementation of the GDPR will be in giving people greater control over their data. This has to be a good thing.