How ISO 27001 can act as a springboard to CCPA compliance

The California Consumer Privacy Act (CCPA) takes effect on January 1, 2020, and compliance with this important piece of legislation becomes more urgent as that date nears. If you haven’t already made plans to bring your organization into compliance with the law, now is the time to get started.

Luckily, you may not have to start entirely from scratch. The CCPA is a new initiative for California and the first comprehensive consumer privacy law of its kind in the U.S., designed to protect consumers against data misuse and privacy violations, but much of what it demands will not be foreign in substance to businesses that already handle consumer data under a formal security program.

That’s because many businesses that handle consumer data have already encountered ISO 27001, the international standard for information security management systems (ISMS). Though not required by law, many customers and even some investors expect to see that an organization is certified against ISO 27001 before they trust its ability to conduct itself in a secure manner.

So, what does ISO 27001 have to do with the CCPA? Surely the new legislation is closer to Europe’s GDPR, the data protection legislation that inspired the CCPA? The short answer is yes, the CCPA is similar to the GDPR in many respects, although even there compliance with one does not equal compliance with the other.

What’s more, the GDPR only applies to businesses that process the personal data of individuals in the EU, or that are themselves established there. Companies operating out of California, where the CCPA will come into force, have not necessarily encountered the GDPR. Instead, these companies can look to ISO 27001 as a platform to build on and achieve CCPA compliance. And if you aren’t ISO 27001 certified already, this is your chance to address both at once and get CCPA compliance done at the same time.

It’s important to note that being compliant with ISO 27001 absolutely does not mean you are already CCPA compliant. But there is enough of an overlap to make ISO 27001 a solid base from which to progress towards CCPA compliance. Here are some examples of this helpful overlap:

  • Privacy policy – ISO 27001 requires a documented information security policy and a process for reviewing, approving and publishing policy documents. The CCPA additionally requires a public privacy policy that discloses the categories of personal information you collect, the purposes for collecting it, the consumers’ rights under the law and how they can exercise them. If you’re already ISO 27001 certified, you can produce this privacy policy through the document-control process you already have; if not, you’ll need to build that process from scratch, and writing the policy to follow CCPA requirements from the outset is hardly any extra work.
  • Processes and procedures – The CCPA requires proof that a number of processes are in place in your company. How do you prove that these processes have been established? By putting them in writing as formal procedures that can be taught to new employees and repeated throughout the company. Luckily, ISO 27001 requires a set of written procedures that closely, though not perfectly, match the CCPA-required processes. This is true of important items like the information security policy, third-party/vendor information security and HR procedures. Take note, however, that while ISO 27001 gives you a solid base for proving some processes, the CCPA requires others that are not a part of ISO 27001 at all, such as receiving, verifying and fulfilling consumer requests to know, delete or opt out of the sale of their personal information within the statutory deadlines.
  • Inventory and classification – ISO 27001 requires that you take a full inventory of your assets and classify the information you handle. Though not specifically required by ISO 27001, you can treat all personal information as data assets in that inventory, recording what you collect, where it came from, why you hold it and whom you share it with. Note that the CCPA’s definition of personal information is broader than the usual notion of PII (it includes identifiers, commercial and browsing history, inferences and household data), so classify against the CCPA definition rather than a narrower one. That inventory is what lets you meet the CCPA’s disclosure obligations and answer consumer requests accurately.

By approaching the CCPA through the lens of ISO 27001, you can save your organization valuable time and effort that you might otherwise spend on achieving compliance with both individually. The same systematic process used to achieve ISO 27001 certification, defining scope, inventorying assets, assessing risk, writing and implementing controls and auditing them, can be applied to the CCPA.
