Using ISO 27000 to comply with Data Protection Act principles


Stewart Room, Contributor

The seventh data protection principle within the Data Protection Act 1998 identifies the security obligation for controllers of personal data. According to the act, "appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss of, destruction of, or damage to, personal data." But what actually constitutes "appropriate technical and organisational measures"?

The principle is accompanied by statutory interpretation, which addresses the use of technology, the reliability of employees who have access to personal data and the engagement of data processors. In summary, controllers of personal data are required to:

  • Implement appropriate technology that will keep data safe and secure, taking into account the state of technological development, the cost of the technology, the nature of the data that is being protected and the harm that might result from a security breach.
  • Hire a reliable staff and take steps throughout their employment to ensure their reliability. This will extend to pre-employment vetting and ongoing monitoring where appropriate.
  • Use data processors who provide sufficient guarantees about security, who agree to work only pursuant to a contract and who agree to process data only on the controller's instruction. The controller must take appropriate steps to ensure the reliability of the processor.

Collectively, these provisions address all the major themes within a comprehensive information security management system, and they dovetail nicely with the headline requirements of ISO 27001/2, the international standard and code of practice for information security management.

ISO 27001/2 and the path to compliance
At this juncture it is worth reminding ourselves of the idea behind ISO 27001/2. In summary, these standards are designed to enable the implementation of an information security management system; ISO 27001 is designed for organisations that wish to implement an accredited ISMS, whereas 27002 provides a Code of Practice for organisations that do not wish to achieve accreditation. As a matter of law, the courts in the U.K. will take account of ISO standards when analysing whether an organisation has acted "negligently."

However, for those responsible for designing and implementing security systems, the seventh data protection principle is unfortunately lacking in detail, which raises the question of whether adherence to the ISO 27000 framework will result in a Data Protection Act-compliant environment.

The Information Commissioner's Office has provided the clearest indication that the body sees ISO 27000 as a route to compliance. For example, in its 2007 enforcement strategy, "Our Approach to Encryption," the ICO said, "personal information, which is stored, transmitted or processed in information, communication and technical infrastructures, should also be managed and protected in accordance with the organisation's security policy and using best practice methodologies such as using the International Standard 27001."

The government and the Financial Services Authority have also given their support to ISO 27000. Cabinet Secretary Gus O'Donnell's June 2008 report, "Data Handling Procedures in Government," lists a series of government departments that have embraced ISO 27001, saying "many Departments will, as now, work towards or achieve external ISO accreditation."

The FSA's April 2008 report "Data Security in Financial Services" similarly says that "there is an international quality standard for data security: the ISO 27001 Security Management Standard which was introduced in 2005," but it observes that the adoption of the ISO is not universal: "Some firms, particularly larger firms with dedicated information security officers, were aware of this code of practice and used it as a benchmark. However, it was interesting to observe that even some of the largest firms had not obtained certification to this standard."

What is 'the state of technological development'?
While the ISO 27000 framework provides a route to compliance, a particular difficulty concerns the implementation of security technologies; the statutory interpretation to the seventh data protection principle requires data controllers to have regard for "the state of technological development," but the DPA is silent on the meaning of this phrase. However, in a "good practice note" published in November 2007, the Information Commissioner said "the Act requires that organisations should take into account technological developments when they decide on security measures but it is a frequent misunderstanding that the Act requires 'state of the art' technology. This is not the case."

So, according to the ICO, the seventh data protection principle does not require the controller to implement state-of-the-art technologies. Instead, the controller must implement appropriate tools, having regard for the state of technological development, the nature of the data to be protected, the harm that might result from a security breach and associated cost. It should follow that if the information is highly sensitive and serious harm could be caused by a security breach, the controller might be required to implement "cutting-edge" technologies, which might not be necessary in cases where the information is not particularly sensitive. As such, controllers need to exercise good judgment about the nature of the security technologies they install.

Unfortunately, organisations that are looking for prescriptive guidance on the kinds of technologies they should employ will be disappointed when they examine the Data Protection Act and regulatory guidance for assistance; the Act is silent on the kinds of technologies that should be deployed, and at this stage in the development of the law the regulators have identified only encryption as a specific technology. However, IT companies, including RSA, are working with the author to introduce and explain their technologies to the regulators, which may eventually lead to greater prescription in the law.

About the author:
Stewart Room, Barrister and Solicitor, is a partner in the Technology Law Group at Field Fisher Waterhouse LLP. He is named as one of the UK's leading data protection lawyers in legal directory Chambers UK and in October 2008 he was awarded the prestigious prize of "Legal Innovator of the Year" by the Financial Times, for his work with major IT companies. He is the president of the National Association of Data Protection Officers and the author of Data Protection and Compliance in Context (December 2006), Email: Law Practice and Compliance (to be published in December 2008) and Data Security Law and Practice (to be published in July 2009). He is a visiting lecturer on information law at various universities.
