If my organization is ISO 27001 certified, does that mean we also are Safe Harbor compliant?
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
Ask the Expert!
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)
The ISO 27001 specification and the Safe Harbor, an agreement between the European Union (EU) and U.S. Department of Commerce, are two entirely different programs. While many of the security and privacy controls that organizations adopt for one program may partially or fully satisfy the requirements of another program, there is not generally a significant amount of overlap among multiple programs. In particular, organizations seeking to fulfill either ISO 27001 or Safe Harbor should fully understand the requirements of both.
ISO 27001 is an internationally accepted standard framework for an information security management system that includes control requirements in 11 domains. Organizations are not required to adopt ISO 27001, but may choose to do so on a voluntary basis. Those that do implement ISO 27001 may further choose to have their compliance independently audited to obtain ISO 27001 certification.
The Safe Harbor program allows a U.S.-based company to self-certify that it maintains data privacy controls that are adequate to comply with the EU's Data Privacy Directive. To become Safe Harbor compliant, companies must successfully complete the certification checklist to ensure adequate privacy controls are in place under the laws of the 28 member states of the European Union. An EU-based company can view qualified U.S. firms on the Safe Harbor website and receive assurance that the law permits them to exchange private information about EU citizens.
Dig Deeper on ISO 17799
Related Q&A from Mike Chapple
Cloud compliance issues are no reason for enterprises not to move to the cloud. Expert Mike Chapple explains why, as well as what to keep in mind ...continue reading
The GAO reported on SEC cybersecurity weaknesses, even though the SEC regulates cybersecurity. Expert Mike Chapple discusses the effects of this ...continue reading
Enterprise compliance can be a burden to manage, which is where a PCI ISA can be helpful. Expert Mike Chapple explains how a PCI Internal Security ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.