Project Description

ISO 27001 – Information security management

The ISO 27000 family of standards helps organizations keep information assets secure.
Using this family of standards will help your organization manage the security of assets such as financial information, intellectual property, employee details or information entrusted to you by third parties.
ISO 27001 is the best-known standard in the family; it specifies the requirements for an information security management system (ISMS).

What is an ISMS?

An ISMS is a systematic approach to managing sensitive company information so that it remains secure. It includes people, processes and IT systems by applying a risk management process.
It can help small, medium and large businesses in any sector keep information assets secure.

ISO 27001:2013

This International Standard has been prepared to provide requirements for establishing, implementing, maintaining and continually improving an information security management system. The adoption of an information security management system is a strategic decision for an organization.

The information security management system preserves the confidentiality, integrity and availability of information by applying a risk management process and gives confidence to interested parties that risks are adequately managed.

This International Standard can be used by internal and external parties to assess the organization’s ability to meet the organization’s own information security requirements. To purchase the standard please visit the ISO Store.

Certification to ISO 27001:2013 ISMS

Certification to ISO/IEC 27001 is being adopted by more and more organizations, both to benefit from the best practice the standard embodies and to reassure customers and clients that its requirements have been implemented and independently audited.

Introduction to GDPR

The General Data Protection Regulation (GDPR), the EU's new data protection regulation, applies from 25 May 2018. The GDPR governs the processing of personal data of individuals in the EU. It applies not only to organizations established in the EU but also to organizations outside the EU that process such personal data, for example when offering goods or services to individuals in the EU or monitoring their behaviour.

Organizations should therefore review thoroughly how personal data is handled across their business operations. Significant changes may be needed throughout the data lifecycle: collection, storage, identification, analysis, use, transfer, and so on.

Depending on the severity of the infringement and the diligence the organization can demonstrate, an organization that breaches the GDPR may be fined up to EUR 20,000,000 or 4% of its total worldwide annual turnover, whichever is higher.

Key Terms in GDPR:

  • Personal data: “Any information that relates to an identified or identifiable living individual.”
  • Data controller: “The entity that determines the purposes, conditions and means of the processing of personal data.”
  • Data processor: “An entity which processes personal data on behalf of the controller.”

Key Requirements of GDPR

As compared to Directive 95/46/EC, the requirements are enhanced. The key points include, but are not limited to:

  • Territorial scope: Not limited to organizations within EU.
  • Purpose limitation: Collected for specified, explicit and legitimate purpose.
  • Data minimization: Adequate, relevant and limited to what is necessary in relation to the purpose.
  • Accuracy: Accurate and, where necessary, kept up to date.
  • Storage limitation: Kept in a form which permits identification of data subjects for no longer than is necessary.
  • Integrity and confidentiality: Processed in a manner that ensures appropriate security of the personal data.
  • Conditions for consent: Consent must be freely given, specific, informed and unambiguous, and requested in clear and plain language. Silence, pre-ticked boxes or requiring users to opt out do not constitute consent.
  • Right to access: Data subjects can obtain confirmation of whether their personal data is being processed, and, if so, access to that data and information about the processing.
  • Right to be forgotten: Data subjects can require controllers to erase their personal data and to stop distributing it.
  • Automated processing: Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects on them.
  • Data portability: Data subjects have the right to receive their data in a structured, commonly used, machine-readable format and to transmit it to another controller.
  • Data protection officers: Public authorities, and organizations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data, shall appoint a Data Protection Officer, who may be an employee or a third party.
  • Data breach notification: The controller shall notify the supervisory authority within 72 hours of becoming aware of a personal data breach, "unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons." Where the breach is likely to result in a high risk to data subjects, the controller shall also notify them without undue delay. Processors shall notify the controller without undue delay after becoming aware of a breach.
  • Parental consent: Processing the personal data of children under 16 in connection with online services offered directly to them requires the consent of a parent or guardian. Member states may set a lower age, but not below 13.
  • Special categories of data: Some types of data have more stringent requirements for consent, such as the data that reveals "racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation."
  • Third countries: Specific rules for transferring data to third countries or international organizations.
  • Accountability (due diligence): Implement appropriate technical and organizational measures and be able to demonstrate compliance with the GDPR.
  • Subcontractor control: Controllers shall use only processors that provide sufficient guarantees that they can meet the requirements of the GDPR, and shall bind them by contract.
  • Certification: Voluntary data protection certification to show compliance to this regulation.

Relation between ISMS and GDPR

Where the GDPR and an ISO 27001 ISMS overlap:

  • Confidentiality, integrity and availability of data.
  • Risk assessments.
  • Breach notification.
  • Access control.
  • Data identification.

Where they differ:

  • The GDPR applies only to personal data, while ISO 27001 covers information assets of any kind.
  • The GDPR grants data subjects the right to be forgotten, the right to data portability and the right to be informed about the processing of their personal data; none of these is a mandatory requirement of ISO 27001.


A management system based on ISO 27001 can support the achievement of compliance with GDPR.

Possible Solutions by the Organizations

  • Arrange management and front-line employees to attend GDPR related training courses.
  • Implement an Information Security Management System (ISMS) based on ISO 27001:2013.
  • Implement controls on outsourced processes and on the processors that handle personal data.
  • Implement regular internal and external audits on operations.
  • Improve the ISMS based on risk levels.

Related Important Posts

Obtain ISO certification with support from the Technology Voucher Programme (TVP)

IT security courses funded by the Hong Kong Government


ISO 27001:2013, the international standard for information security management, gives business owners and their staff a systematic management model for establishing and assuring information security. Information security management should be part of an organization's strategic decisions.

ISO 27001 certification brings an organization many important strategic and operational benefits, including:

  • Stronger enterprise security: certification to 27001 reduces weaknesses in enterprise communications and improves the organization's ability to control risk.
  • More efficient security planning: Annex A of ISO 27001:2013 lists 114 security controls under 35 control objectives across 14 domains, guiding the organization's planning for human resources, legal matters and incident response. These comprehensive, detailed recommendations for information security let an organization that is starting to introduce security measures do so more completely, more controllably and very cost-effectively.
  • More effective security management: every organization must begin to draft or re-examine its information security policies and procedures. Unlike a company's home-grown security plan, ISO 27001 is a proven best-practice framework for information security.
  • Continuous protection: certification, together with the continual updates and audits it requires, ensures that the organization stays aware of the latest weaknesses and best practices.
  • Better partnerships: to protect the enterprise network while still exchanging data electronically (EDI), an organization can make 27001 certification a security requirement for its partners and suppliers.
  • Greater customer confidence: as customers pay more attention to security breaches at the organizations they deal with, they increasingly look for concrete security assurances; ISO 27001 certification provides the confidence customers need.
  • Lower legal risk: once certified, an organization may face fewer legal problems following a security incident, because demonstrable conformance to the standard can be presented as evidence that an adequate level of protection was in place.


Related News:

Encrypted Wi-Fi no longer secure

October 17th, 2017

A flaw in WPA2's cryptographic protocols could be exploited to read and steal data that would otherwise be protected, according to new research from [...]

DQS Compact 81 – Customer Journal – II/2017

August 8th, 2017

DQS Compact 81, the customer journal from DQS to its clients. Please refer to the letter below for details. To be the first to know, subscribe to the DQS Newsletter. [...]

Obtain certification with support from the Technology Voucher

May 24th, 2017

Technology Voucher Programme (TVP): the Hong Kong Government's "Technology Voucher" scheme, with funding of up to HK$200,000, applicable to DQS's ISO management system certification services. Replaced by the news item of May 30, 2018.