ISO 27001 as Support for Compliance with the LGPD

By December 7th, 2021 No Comments

*By Julie Oliveira

Despite the LGPD (General Data Protection Law) being in force, many companies are still not fully in compliance with its requirements or have not started the adaptation process. These, in turn, are more susceptible to having data leaked for not properly structuring security controls and may suffer fines and sanctions provided for in the Law.

To assist in the process of adapting to some requirements of the Law, especially those referring to the protection of information, there are several Information Security standards, such as ISO (International Organization for Standardization) 27001, an international standard for the implementation of the Information Security Management System (SGSI), which is based on the management and treatment of risks in order to protect the integrity, availability and confidentiality of information. Below, we list some controls provided for in ISO 27001 that, being well structured, can ensure the protection of information and demonstrate compliance with the requirements of the Law.

Information Classification

In the topic related to Asset Management of ISO 27001, we find the Information Classification control in order to ensure that the information receives the appropriate level of protection according to its degree of sensitivity, thus avoiding undue access and sharing.

The information handled by the company is generally classified into four levels, namely:

  • Public: Information that can be made available and accessed by anyone.
  • Internal: Information that should be accessible only to company employees.
  • Confidential: Information that, if shared externally of the company, can lead to financial and image losses, among others. They must be accessible to a group of people within the organization.
  • Restricted: Information that, even within the company, can generate risk. They should only be accessible to specific people.

In this way, the company must analyze its documents and define a classification level for them, in addition to defining specific security controls for each level.

Physical and Logical Security

The LGPD determines, in its article 46, that companies adopt “security, technical and administrative measures, able to protect personal data from unauthorized access and accidental or unlawful situations of destruction, loss, alteration, communication or any form of treatment”. inappropriate or illegal”. In this way, they can be based on ISO 27001 requirements that aim to guarantee the Physical and Logical Security of the information. Grouping A.9 – Physical and Environmental Security, of ISO 27001, cites controls such as:

  • Physical input controls: The company must ensure that the place where the equipment for the use and processing of information is located is safe against undue access, through the control of information from people who enter and leave the place, such as security cameras, turnstiles, reception with security guards.
  • Safety of equipment outside the organization's premises: The company must ensure that the equipment that needs to be removed from its premises (due to home office, customer service, etc.) are insured in the event of theft and have logical security controls that prevent equipment information from being improperly accessed (example: bitlocker).
  • Reuse and safe disposal of equipment: When reusing or disposing of equipment, it must be ensured that all old information is completely deleted, performing the total formatting of the system and storage, so that there is no risk of access to confidential information by the new person who will use the equipment or by the company that will carry out the disposal.
  • Property removal: In conjunction with the control to protect equipment outside the company's premises, a control must also be applied so that equipment is not removed from the organization without authorization from a person in charge, avoiding the loss of information tracking and improper access to it.

In addition to the physical controls mentioned above, it is also important to remember to use software malware protection, vulnerability monitoring, use of encryption, logical access control to mitigate risks of improper access to information.

Incident Management

Even applying security controls at the organization's location and equipment, the possibility of incidents involving personal data exists. Therefore, it is important that the company is prepared to manage these incidents and knows how to act in accordance with the requirements of the LGPD.

In grouping A.13 of ISO 27001, referring to Information Security Incident Management, there are controls such as:

  • Notification of events or suspected fragility of information security, where everyone in the organization needs to be aware regarding communication to the stakeholders about any suspected or happening security incident;
  • Responsibilities and procedures for incident management, defining who should act and how they should act in cases of incident, ensuring an agile and effective response;
  • Lessons learned, ensuring that information about incidents that occurred is monitored and used to improve the company's current controls.

In addition to Incident Management, the company must also structure a process for Business Continuity Management, involving a risk assessment of events that may occur and cause interruptions to services, defining the probability of occurrence and the impact on the organization, ensuring a vision preventive action and application of controls to obtain the least possible impact.

Information Security Infrastructure

Last but not least, Information Security must have a very well established structure within the organization, with the support of top management and all employees so that the controls applied are effective. For this, it is important to develop policies, rules and procedures regarding information security controls, which must be approved by the top management and made available to everyone in the organization, in addition to organizing and carrying out events and training on the subject, ensuring that everyone has the knowledge needed to keep the data safe and the company GDPR compliant.


As noted in this article, we have come to the conclusion that there are frameworks available with various controls that can be applied both for Information Security in the organization in general and for the company's compliance with LGPD. Would you like more details on how to apply them? We can help you! Contact.

— Julie Oliveira is GRC and Information Security Consultant at [SAFEWAY] 

About Safeway:

THE SAFEWAY is a company of Information security, recognized by its customers for offering high added value solutions, through Information Security projects that fully meet the needs of the business. In these years of experience, we have proudly accumulated several successful projects that have given us credibility and prominence among our clients, which largely constitute the 100 largest companies in Brazil.

Today through more than 23 strategic partnerships with global manufacturers and our SOC, SAFEWAY is considered a one stop shopping with the best technology solutions, processes and people.

Let's make the world a safer place to live and do business!