Part 2 to the Interview with Mr Max Goh of LSA Consultants Pte Ltd

This is a continuation of the interview with Mr Max Goh of LSA Consultants Pte Ltd. Please view the previous interview here
1. Many SMEs view standards as too complex and costly. What are the best ways to encourage SMEs to turn to standards?
Besides the existing government-related grants which help to defray part of ISO 27001 consultancy and certification costs, ISO standards are typically not complex. They are generic in nature and intended to be applicable to all organizations regardless of industry or size.

The ISO 27001 Information Security Management System standard does not provide a one-size-fits-all model for Information Security; rather, it is based on a risk approach to help SMEs design their own Information Security Management System that is reasonable and proportionate.

2. How much has the GDPR enforcement changed or impacted information security in Singapore?
GDPR enforcement, similar to regulations such as the PDPA, has now enhanced the awareness of and the need for companies in Singapore to focus on and ensure that information held and managed by them is not compromised.

3. Will compliance with the PDPA be enough for organisations to meet the GDPR? What other steps do Singapore companies need to take to be GDPR compliant?
Compliance with the PDPA does not necessarily equate to compliance with the EU GDPR, as there are differing data protection requirements under the two regimes.

The way forward for Singapore companies to meet GDPR compliance is to first carry out a Gap Analysis to determine what remains to be done to meet the EU GDPR requirements. Thereafter, these requirements can be integrated as part of a holistic ISO 27001 Information Security Management System implementation process.

4. How can ISO/IEC 27001 help companies to comply with the GDPR?
The implementation of ISO 27001 can help with some of the requirements of the EU GDPR. This includes, but is not limited to, personal data protection relating to Risk Assessment, Legal Compliance, Breach Notification, Asset Management, Privacy by Design and Supplier Relationships.

5. How can ISO certification be continually sustained?
Management support is fundamental to the success of an effective ISO 27001 Information Security Management System program. If leadership by senior management is lacking, the appropriate focus, priority and resources may not be devoted to sustaining the program.

We cannot stress enough that ISO 27001 adoption is top-driven. Thus, it is vitally important to engage senior management at the earliest stage. Senior management is also expected to maintain its support during and after the initial stages of ISO 27001 program implementation. Their involvement cannot be overemphasised, and the effort required to achieve this should also not be underestimated.

Published Sep 18