3 tips: How to get to the finish line with ISAE declarations

ISAE declarations - how dry can that sound? That's how stand-up comedian and TV host Jan Gintberg would probably have put it in a hypothetical program about "The Digital World". If you, like me, are a DPO or hold a position in the organization where you are responsible for the work with GDPR and information security, you are probably familiar with the declarations. Maybe your organization is also preparing them or maybe you will soon start the process?

A year and a half ago, the management of Emento made a decision that GDPR and information security should be a top priority in the company. We established an internal working group, which we called TRUST - because it is about our employees, customers, partners and users having confidence in our company and our solution.

At the time, I searched high and low for advice on how to get started with this process, but I only found some intro videos on YouTube for ISO 27001. I know that there are many other smaller companies facing the same challenge, so in this blog post I will share some of our experiences in Emento. At the end of the post, you will find 3 tips to help you succeed.

One of the TRUST team's first tasks was to prepare a risk analysis in which we mapped out all the scenarios we could think of that could potentially compromise the availability, integrity or confidentiality of data and thus harm the business or the rights of data subjects. We then assessed all the scenarios based on the likelihood of their occurrence and the magnitude of the impact. This gave us a good insight into the overall threat picture and we then started working on managing our risks. In short, there are 4 different ways to manage risks:

1. Trying to avoid the risk

2. Transfer the risk to others

3. Mitigate the risk - i.e. implement measures to reduce the risk

4. Accept the risk as it is

When working from a risk-based approach, the trick is to implement the measures that are necessary and economically viable. There will always be risks, but the overall threat level must be reduced to a level where the organization can accept it with peace of mind and a clear conscience.

The threat landscape is constantly changing, so the work on information security must be constantly maintained and updated. We have seen this, for example, during COVID-19, where malicious hackers have taken advantage of the fact that many employees work from home and, in terms of IT security, in some cases are not protected in the same way as if they were in the office. Therefore, the work with GDPR and information security is not a one-off pleasure but a process that must be deeply rooted throughout the organization across HR, development, implementation, sales and marketing. The process is anchored by implementing an information security management system - an ISMS - that ensures a systematic and transparent workflow based on the principle "Plan, Do, Check, Act". It is not enough to implement a large number of policies, procedures, instructions, guidelines, controls and documentation. You also need to continuously measure their impact, learn lessons and constantly adapt the system to the context in which you work.

In December, we started working with REVI_IT, an external independent audit firm that we asked to prepare an ISAE 3000 and an ISAE 3402 statement. REVI-IT has made an assessment of the extent to which our organization complies with the rules of the GDPR/data protection law for the ISAE 3000 statement and the guidelines in the ISO 27002 Code of Practice for Information Security Controls for the ISAE 3402 statement. The auditors' assessment is based on interviews with the organization's employees, physical observations in the organization, inspection of policies, procedures, instructions, guidelines and other documentation. In addition, they test a sample of the controls we have implemented to see if they are working as intended.

So, based on my experience of how we achieved our ISAE statements, here are 3 tips on how you as an organization can get through the process of preparing your first ISAE statements.

Make sure that top management is involved from the very beginning and supports the task. This is necessary to embed the process throughout the organization and to secure the necessary resources.

The process is long, time-consuming and costly. Therefore, I recommend that you look into whether your organization can get external funding. The regional business centers offer financial grants to entrepreneurs and small businesses that need advice on GDPR and information security. If your organization is more than 3 years old, SMV:Digital also offers grants to small and medium-sized enterprises for private advice on digital security.

Create internal ownership. GDPR and information security is the responsibility of the entire organization. Be precise in your communication on these topics - also internally. Take your colleagues' tasks as a starting point and involve them actively in the process, where it also provides value for them on a daily basis. 

Here are a few examples:

If your colleagues feel involved and see the value of working with GDPR and information security, my experience is that they will take ownership of their own part of the process and help you implement it in the rest of the organization. In Emento, we have used the concept of co-creation a few times in our previous blog posts. It's definitely valuable in this process as well.

So to end where I started, namely at Gintberg, yes, it may sound really dry, but it is actually super exciting and very very meaningful to work with GDPR and ISAE statements. It's for our own good and for the good of everyone else. And then I guess all that's left to say is: enjoy your work!