Skip to main content

Managing security and privacy risks: compliance, security and business value

How business leaders can stay on top of security and privacy risks by implementing a management system

Digitalisation of business processes is shaping the organisations of the future. Effective security and privacy risk management gives you the confidence to take full advantage of technological opportunities.

Leading standards for information security and privacy

Being on top of security and privacy challenges is instrumental for business leaders and managers to thrive in this era of interconnectivity, technological dependency, and increasingly advanced threats. Effectively managing these challenges is complex and can only be done with a structured approach, which includes all levels of an organisation, usually referred to as a management system.

Management systems exist for a wide variety of topics, and are usually documented in international standards or frameworks. The leading standards for information security and privacy are:


ISO/IEC 27001

Information Security Management System

ISO/IEC 27001 is the internationally recognised standard for information security management. It specifies requirements for establishing, maintaining and improving an Information Security Management System (ISMS). It also contains reference control objectives and guidance for the implementation of information security controls customised to the needs of the organisation. 


ISO/IEC 27701

Privacy Information Management System

ISO/IEC 27701 enables controllers and processors of personal data to establish a holistic Privacy Information Management System (PIMS) and bring accountability into practice.

The PIMS extends the ISO/IEC 27001 security standard with privacy and data protection components to support organisations in complying with privacy and data protection laws and regulations across the globe. This new standard is designed to manage requirements stemming from different global privacy and data protection laws. Thanks to its modular approach, the elements of an ISO/IEC 27701 management system can be easily mapped to GDPR, CCPA, HIPAA, ePrivacy, and many other privacy and data protection laws and regulations.

The PIMS is an instrument to effectively establish, maintain and continually improve organisational and technical measures for the protection of personal data within your organisation. This standard enables you to operationalise compliance in an effective and efficient way by integrating and aligning information security and data protection management processes.

Integrated management systems

Integrating management systems with a significant overlap in requirements, processes and stakeholders can bring additional value to organisations. Although a management system can stand on its own, an integrated management system is typically more effective and efficient. For example, an integrated management system optimises stakeholder engagement, reduces complexity, and simplifies resource allocation.

Implementing a(n) (integrated) management system brings several advantages to organisations:

  • Manage risk: Ensure a proper understanding of risks by top management, giving them the information they need to get involved and make informed decisions, leading to a reduction in risks.
  • Support the business: Being on top of security and privacy risks enables you to focus on the business, sparking the confidence to move full speed ahead.
  • Operationalise and demonstrate compliance: Demonstrate ongoing compliance with security and privacy laws, regulations or frameworks like the NIS directive, TISAX, GDPR and other international data privacy legislation.


NIS Directive

In Belgium, the NIS Directive is implemented through the &quotact establishing a framework for the security of network and information systems of general interest for public security&quot.

Article 22(1) of the law explicitly states that, until proven otherwise, the OES the requirements of the information security management standard ISO/IEC 27001 shall be considered as complying with the security requirements embedded in Article 20 if its compliance is supported by a certification issued by an accredited certification body.



The German automotive industry has created a security label (TISAX), where manufacturers, service providers and suppliers are obliged to protect their own critical information as well as the critical information of their business partners.

TISAX has become a prerequisite for close cooperation between companies in the industry on the topics of information security.

The TISAX model enables independent confirmation of compliance against international baseline standards when storing, processing and exchanging sensitive data. A sophisticated catalogue of information security and privacy requirements based on the ISO/IEC 27001 standard lies at the heart of the TISAX model.



Article 5(2) stipulates that controllers shall be responsible for, and be able to demonstrate compliance with the principles of the GDPR. In practice, this means that controllers are required to maintain evidence of their data protection processes and controls.

An ISO/IEC 27701 PIMS can help controllers and processors to meet the accountability requirement under the GDPR. It has been referred to by several supervisory authorities as a potential best practice for managing data protection, including the Spanish (AEPD), French (CNIL), and European (EDPS) supervisory authorities.


Why choose Deloitte as your partner in this journey

Deloitte has a multidisciplinary team that has experience in designing, implementing, running, continuously improving, and auditing management systems. We are by your side in every stage of your journey, just as we are and have been with multiple other organisations.

Our proven experience brings you:

  • A tailored approach: The context of the organisation determines the approach that is right for you. Together we determine what makes sense for your organisations and what does not.
  • A pragmatic approach: Although there is a certain formalism in management systems, we ensure that what we co-create is pragmatic and brings value.
  • A compliant approach: Regardless of whether you want to pursue certification in the short term or not, our modular approach ensures that each building block is aligned with ISO standards, so that whenever you decide to go for certification, you can face the auditors with confidence.

When properly executed, a management system will be the catalyst for transformation. Let us be the partner to launch you on this exciting journey. Reach out today and we can get in touch to further explain our approach and demonstrate our expertise.

Did you find this useful?

Thanks for your feedback

If you would like to help improve further, please complete a 3-minute survey