Man and woman sat at laptops looking at a tablet and managing a project

Information security, personal data protection & legal admissibility

Find out how much work you need to do to comply or get certified to BS 10008, ISO 27001, 27701 or BS 10012

What are management system standards?

Digitising paper-based processes means you now have all your information at your fingertips in a digital format. But digitisation also presents new types of risks you need to guard against.

All management system standards have two core components:

– a set of policies and procedures that sets out how your staff should work;

– an internal audit process which checks staff do indeed adhere to the policies and procedures defined.

The choice of standard to select and implement depends on the information you want to protect, the risks you want to manage and your business objectives.

Information security - ISO 27001 ISMS

ISO/IEC 27001 – Information Security Management provides the requirements to put in place measures to keep both digital and paper-based information secure; and reduce the risks to confidentiality, integrity and availability of your information.

In addition to the management system, this standard provides a list of 114 “controls” or methods to manage risk areas.  Those controls are categorised into 14 groups ranging from asset management and physical environment to cybersecurity, teleworking, suppliers and employees.  

Once implemented, complying with ISO 27001 will give you the peace of mind all risks to your information are considered and being managed.

Data protection - ISO 27701 or BS 10012

Both ISO/IEC 27701 – Privacy information management  and BS 10012 – Personal Information Management manage the risks to the security, integrity and confidentiality of personal information.

They are aligned with the GDPR principles and UK Data Protection Act.  If you choose to implement and certify to either of those standards, your organisation will be in a position to evidence its compliance with the legislation.

The choice of which standard to select is based on your current certification:

ISO/IEC 27001 should be implemented if your organisation already complies with ISO 27001 (Information Security) or wishes to implement it.

BS 10012 should be implemented if your organisation doesn’t comply with and has no intention to implement ISO 27001.

Legal admissibility

BS 10008 – Evidential weight and legal admissibility of Electronically Stored Information (ESI) aims to evidence the trustworthiness of your digital information to other parties, such as a court of law or regulator, including digital and electronic signatures.

This British Standard addresses how information needs to be managed by an organisation to enable it to be legally admissible, have strong evidential weight, and be demonstrably trustworthy with regard to its availability, authenticity and integrity. 

It covers the entire lifecycle of the information and provides evidence for any dispute resolution purpose, whether for business, compliance, legal or other internal or external challenge.

Why comply?

For many organisations, a key driver for implementing a management system standard is clients requesting compliance. But being able to tick the ISO 27001 or BS 10008 compliance box on a tender response is not the only benefit you’ll see from implementing a management system structure.

Make sure you comply with legislation (GDPR, Data Protection Act, etc)

Manage people and resources more efficiently

A Risk assessment is a great way to prioritise activities

Improve customer experience

Reduce the level of crisis management and delegate with confidence

Why Digital Octopii?

BSI associate consultant logo

As Associate Consultants of the British Standards Institute, we are recognised experts in this field. We will help you become compliant to one of the above standards; whether you want to obtain certification by BSI or another UKAS accredited body – or whether you just want to improve your current practices.

"My CTO and I purchased the ISO 27001 and BS 10008 standards and read them cover to cover. However, we found it difficult to know exactly what documentation was required. The penny dropped for us on the very first call with Elisabeth when she explained the entire process and objectives. Her presentation was very clear and it gave us a good understanding of what we were trying to achieve by certifying."

Read the Anatomap case study

Find out how Anatomap managed to get their ISMS up and running in just 5 weeks!

Not sure which standard is best for you or where to start?