Will the EU General Data Protection Regulation (GDPR) force us to implement an Information Security Management System (ISMS)?

Data protection officers are in the heated phase already of implementing the actions required under new European data protection legislation. The question as to the requirements that may be expected to apply to corporate information security will occasionally arise. Is the implementation of an ISMS compulsory?

Definition of an ISMS pursuant to ISO27001:
Part of the complete Management System covering the development, implementation, execution, monitoring, checking, maintenance and improvement of information security, based on a business risk approach.

In terms of the Federal Data Protection Act, information security in the Data Protection Regulation is now of increased importance. This became apparent, among other, by incorporation of the obligation to implement suitable technical and organisational measures into Art. 5 of the Data Protection Regulation as a fundamental requirement.

Art.5 Para. 1 lit.f GDPR:
Suitable technical and organisational measures must be taken to ensure that personal data will be processed in a way to guarantee adequate security of such data, including protection against unauthorised or illegal processing and accidental loss, destruction or damage (“integrity and confidentiality”).

The concepts defined in Art. 5 GDPR give additional indications of “extended information security”. “Integrity and confidentiality” are elementary IT security principles. These were not included in previous laws on the protection of personal data.

Criterias for technical and organisational measures in Art. 32 “Security of processing”

Art. 32 Para. 1 
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

Art. 32 Para. 2
In assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, especially from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of , or access to personal data transmitted, stored or otherwise processed.

Compared to the Annex to § 9 BDSG [Federal Data Protection Act], offering at least indirect measures, Art. 32 appears even more abstract. Essential parts of an ISMS are, however, assignable.

Step 1 Determining the need for protection Art. 32 Para. 2
The need for protection and potential consequential damage/loss as a result of unauthorised disclosure of knowledge will determine the level of protection of personal data. This implies a requirement for risk analysis. Data will normally be assigned different categories of risk, for instance: normal, high and very high.

Step 2 Risk assessment
Art. 32 Para. 1 and Para. 2 deal with risk assessment. Measures for personal data protection will in future need to take into account the risk of loss of personal and freedom rights of those affected. This approach to risk assessment no longer applies only to conventional corporate values but includes also the affected person and his personal data.

Step 3 Selection of measures and treatment of risk
Art. 32 Para.2 lit. a-c offers measures for the treatment of risk.

  1. a) Pseudonymisation and encryption of personal data;
  2. b) Ensuring the sustained ability, confidentiality, integrity, availability and resilience of systems and services involved in processing;
  3. c) The ability to rapidly restore the availability of personal data and access to these after a physical or technical incident;

Step 4 Audits, Management evaluation, correction
Art. 32 Para. 1(2) lit.d also demands a procedure to regularly check, assess and evaluate the efficacy of technical and organisational measures designed to guarantee security of processing.

Interim conclusion
I will therefore need to work on the introduction of an ISMS. Although I have little relevant experience, I am confident that I will be able to do important preparatory work already.

Since information security is unique to every area of responsibility, experience gained in my company will allow me to draw important conclusions on which to base recommendations to my commissioned companies.


“Publish or perish”
You have probably heard this proverb. It is a pithy definition of the principle of traceability. What is needed: Submission of preliminary considerations for the structure of a Management system to a central body. It will be important to also invite other staff who will in future be involved in the ISMS project to this data storage project.

Information to Management

Information security and thus also security of personal data is a Management issue. Motivating Management to cooperate towards achieving the common objective is essential. The drastically increased penalties in Art. 83 GDPR are also an important indication to Management. The focus should, however, be on the positive effects of an ISMS:

  • Risk minimisation
  • Increasing corporate stability
  • Meeting the expectations of business partners
  • Positive public image towards customers and interested parties
  • Satisfying tender requirements of banks or insurances

You should in discussions with Management obtain approval for assembling an “ISMS Planning team”. It is essential that the next important steps are planned jointly, irrespective of whether external specialists will in future be appointed in a supporting capacity.

Potential team

Information Security Officer (ISO)

The appointment of an ISO is always advisable. This will create a central instance to focus on IT security directly. The necessary expertise must be acquired, for instance via the UDIS Akademie Ulm.

IT Department representative

An additional IT member of staff may later be required, for the technical implementation of defined requirements.

Existing Management appointees

This position should be integrated into the ISMS team if your company already has a Management appointee responsible for quality or environmental protection. The team will benefit from existing experience in management.

Data Protection Officer

By establishing a Management System in response to the GDPR requirements, we should also in our own interest be promoting the ISMS issue.

Preparatory tasks

Vulnerability analysis and risk assessment must be based on the knowledge of existing data processing methods practised in the company. Should existing overviews of procedures be outdated or incomplete, then remedial action must be taken.

My tip:
The GDPR presents an opportunity for a new start. Sending a simple questionnaire to all departments will allow undocumented data processing procedures to be discovered and recorded.

Deciding on an appropriate path to follow

Potential standards must be evaluated jointly with the team. Various options may be considered, depending on the size and orientation of your company. Best known are ISO 27001 and IT baseline protection. ISIS12 and VdS3473 may also be considered for small and medium enterprises. The “approved codes of conduct” described in Art. 40, 41 GDPR are another option. These are developed by associations and other organisations to address micro enterprises and approved by the data protection supervisory authority, following a defined procedure.


I would recommend an ISMS based on Cyber guideline VdS 3473 for our company. I consider this guideline an ideal compromise of required measures for implementation and required human and financial resources. It also represents a sound base for possible later ISO 27001 certification.

Please visit website for a free quick check to evaluate the IT security status in your company.

Stefan Bachmann

This article was written for the 02/2017 edition of magazine Datenschutz Digital.

Thank you for the go-ahead.