13 Jun, 2017 | Auditing, ISO 27001, ISO 9001

Following on from my colleague, David Cole’s, article on information security news stories on this topic keep coming and the breadth of scope of application grows with every headline. There was the ransomware story that was lead item on news bulletins for days and lately it transpires another headliner, BA’s Disaster Recovery story, also appears to have roots in data corruption.

The message I am hearing is that we all need to be better aware of obligations in the markets we operate and under current legislation. All organisations use information as part of their core processes and have duties to manage security of that information. We have less than 12 months until the introduction of heightened obligations under the General Data Protection Regulations (GDPR) and indications are that the UK is not ready to meet these new requirements.

Not quite at the same level of dramatic impact, the Information Commissioner’s Office (ICO) recent list of enforcement action indicates continuing data protection lapses across sector. The list includes a Council’s prosecution for publishing sensitive information in the form of a statement supporting a planning application. The issue of liability centred on the balance between the Council’s need to publish information and for it to protect personal privacy. In its judgement, the ICO highlighted failures in Council procedures and training for protecting data in the course of carrying out its duties.

In the same listing we can see evidence of the ICO’s approach to dealing with data security breaches and their follow up regime. RBS undertook to introduce revised procedures for managing faxes after breaches in October 2014 and the ICO lists the results of their follow up process with the need for further action by the bank to ensure faxes remain secure.

The role of the ICO is not confined to Local Councils and large companies; in the same listing the ICO refers to prosecution of an individual for unauthorised access to personal records.

As quality professionals we need to ensure management systems we have responsibility for reflect changes to our organisations operating environment – its ‘Context’ in ISO 9001 terms and, as in my earlier article linked above that we keep our skill set up to date through CPD. Only by being aware of changing requirements can we advise our organisations of the need for process enhancements, updated controls and employee awareness and training to be able to comply with regulatory requirements.

The resources listed in my previous article still apply. A suggested new resource for this challenge is:

ICO 12 step plan for preparing for the GDPR

Quality professional’s may also be interested in Integrated ISMS and QMS Auditor Training Course  which covers how to incorporate Information Security within a Quality Management System Audit – for Existing QMS Auditors.

Paul Simpson
Bywater Associate
Providing consultancy and training on quality strategy and implementation.