Information security and GDPR

Information security is about preserving the confidentiality, integrity and availability of information. In other words, it is about ensuring that the information you hold cannot be accessed by unauthorized persons, while at the same time keeping it available to those who legitimately need access.

Three important concepts in information security:

  • Confidentiality: Information must not be accessible to unauthorized persons, entities or processes
  • Integrity: Information must be correct and complete
  • Availability: Information must be available and usable when an authorized person requests it

GDPR integrated into management system

With GDPR came new requirements within information security and privacy. In 4human QM365's systems, you will find functions that help you meet the requirements of GDPR and ISO 27001, the standard for information security management.

Among other things, this is solved by allowing you to run risk assessments on information security. In addition, there is a requirement that you must be able to handle non-conformities that affect information security. This is also integrated into 4human QM365's systems.

In the system, you register all assets (resources) and process them according to data storage and deletion requirements.

Availability of this functionality makes it easy for your business to comply with laws and guidelines. Read more about GDPR Management.

Certification in information security

To prove that you have control over the information you manage, a third-party certification is the simplest way. ISO 27001 provides a good structure for building and continuously improving your information security. An information security management system consists of a set of policies, procedures, guidelines, resources and activities. It is a systematic methodology for establishing, implementing, operating, monitoring, reviewing, maintaining and improving information security in order to achieve business objectives.

Key elements

In ISO 27001 we find the term asset. Assets include all types of information as well as the carriers of that information; in short, whatever is of value to the business. These must be mapped thoroughly. Risk management is central to ISO 27001. This is a demanding exercise, as you have to look at the threats and vulnerabilities that relate to each of the different assets and the risks that may arise from them. Each of these must be assessed, and it must always be documented how the company addresses the various risks through specific measures.

ISO 27001 (Annex A) contains a long list of security measures that should be considered as responses to the identified risks. This list of 114 measures is not exhaustive, and you are expected to look for other possible security measures in addition. If you choose not to implement one or more of the 114 measures, this must also be documented. After security measures have been implemented, the residual risk must be assessed as well.

Prove your focus!

Information security is becoming more and more important. The information you manage is the foundation of your business. Proving to customers, suppliers and public authorities that you are in control of your information security can be demanding if you do not have a certificate that shows you are in control of the area and are working to improve it.

Want to learn more about ISO 27001?

If you are interested in ISO 27001, please contact 4human QM365 today. We are happy to look at ISO 27001 with you, preferably in combination with other management system standards such as ISO 9001 (quality). Our systems handle what is needed, and our implementation process supports you through to certification.

Information security with ISO 27001: with SIMPLI, you can integrate ISO 27001 into a management system that also handles ISO 9001, ISO 14001, ISO 45001/HSE and other similar ISO standards.