We have seen in a previous article that privacy by design and by default is a fundamental principle that needs to be integrated into all aspects of a project, particularly where personal data is processed, which is often the case. By adopting this approach, organisations can comply with current regulations such as the GDPR, FADP and cantonal data protection laws, increase stakeholder confidence and reduce data security risks.
The Information Security and Data Protection (ISDP) concept, found, for example, in the Swiss HERMES methodology, is a good approach to data protection right from the design stage. It is increasingly important in today’s digital world.
what is the ISDS concept?
The ISDP concept is an essential element in project management. It serves as a basis for defining the technical and organisational measures to ensure adequate data protection. Here are some of its key points:
- Qualification of the data and the system: the SIPD concept requires the data in the future system to be qualified, together with the requirements for protecting it and the future system from a security point of view.
- Risk Analysis: the ISDP approach requires a detailed analysis of the risks associated with future data processing. This enables potential threats to data security to be identified, whether they come from the IT environment or the organisation itself.
- Protective measures: the organisational and technical protective measures required to minimise the risks must be specified. These measures, which may need to be described in more detail later, include the security policy, access controls, business rules, backup procedures, etc.
- Residual risks: once the measures have been identified, the ISDP approach needs to determine what residual risks will remain after the protective measures have been put in place. This helps to better understand vulnerabilities and to make further informed decisions.
- The contingency plan: the ISDP approach also addresses the management of emergency situations. It specifies how to respond during a security incident or data breach.
how do you implement the ISDS approach?
Implementing the ISDS concept in a project requires a methodical approach and must be integrated from the earliest stages of the project.
Getting started:
- Understand the functional scope: Start by identifying and bringing together all the project stakeholders, including technical teams, security managers, lawyers, and end-user representatives. Clearly communicate the project’s objectives and scope, the functionalities required, and the expected outcomes. This includes an understanding of the personal data and documents that will be collected, produced, and used by the future system.
- Data access: Then identify who needs to access the data for what purposes. This will help define strict access control policies based on the principle of least privilege.
- Data storage and retention: Determine how data and documents will be stored and for how long. Identify “disposition actions” (such as deletion of data, anonymisation of data for statistical processing or research purposes, historical retention of data, etc.) at the end of the retention period in accordance with internal policies and legal requirements.
Then consider three areas:
- Governance: Identify who is responsible for the processing and the data at each stage of its lifecycle. Clearly define the roles and responsibilities of the various stakeholders to ensure effective data protection.
- Legal: Ensure that data processing complies with the principles of proportionality and purpose, as well as applicable regulations. Consider whether user consent is required and ensure that it is obtained in an appropriate manner.
- Security: Determine the appropriate technical and organisational measures to protect data against unauthorised access, loss, and leakage.
Finally, bring together those responsible for these three areas and list the risks. Classify these risks according to their likelihood and impact. Then, for each risk identified, decide on actions to mitigate, maintain or outsource.
If risks could potentially harm an individual’s privacy or if sensitive data is being collected and processed, you should carry out a more detailed and formal impact assessment.
Finally, you will discuss the implementing regulations and the specific guidelines for implementing and auditing safeguards.
the ISDS approach in the project lifecycle
The process does not stop at the design stage. Ensure that the ISDP concept is dynamic and evolves as the project progresses, e.g., by incorporating new functionality that may prove necessary or by discovering specific features in the tools used.
Of course, the project manager is responsible for ensuring that the approach is followed. However, depending on the complexity of the project, the project manager will call on one or more specialists to effectively manage these aspects throughout the project. These experts will then use their experience to ensure all data security and protection measures are integrated and adhered to.
When data is a vital business asset, it is essential to guarantee its integrity, confidentiality, and availability, as well as the rights of the individuals concerned. The ISDP concept should, therefore, be at the heart of every project, demonstrating its role in protecting against external and internal threats, ensuring regulatory compliance, and safeguarding the company’s reputation. It complements information security and data protection requirements by providing an in-depth analysis of risks and the necessary protective measures.
Tags:
More insights
AI chatbots and agentic AI
digital solutionsgovernance & service management
February 13, 2026
[IT Governance Breakfast] L’intégration de l’IA dans le SI et dans la culture d’entreprise
company newsgovernance & service management
January 26, 2026
facilitating the adoption of a business solution: the challenge of change management
digital solutionsgovernance & service management
January 13, 2026
