ISO 27001 and GDPR: Where They Overlap
If your organization handles personal data of EU residents and is pursuing ISO 27001 certification, you are already covering a significant portion of GDPR’s technical and organizational requirements. The overlap is substantial - roughly 70-80% of what GDPR demands from a security perspective maps directly to ISO 27001 Annex A controls. But the two frameworks serve different purposes, and understanding where they diverge is just as important as knowing where they align.
How the two frameworks relate
ISO 27001 is an information security management standard. It provides a systematic approach to managing risks to all types of information - personal data, trade secrets, intellectual property, financial records. GDPR is a regulation focused specifically on protecting the personal data and privacy rights of individuals in the European Union.
The key difference is scope. ISO 27001 protects information assets broadly. GDPR protects personal data specifically and grants data subjects enforceable rights. An organization can be fully ISO 27001 certified and still fall short on GDPR if it has not addressed data subject rights, lawful basis for processing, data protection impact assessments, and breach notification obligations.
That said, the security controls required by both overlap heavily. GDPR Article 32 requires “appropriate technical and organizational measures” to ensure security - which is exactly what an ISMS built on ISO 27001 delivers.
Where ISO 27001 satisfies GDPR
The Annex A controls in ISO 27001:2022 map directly to several GDPR requirements. Here are the most significant overlaps:
Access control and authorization. GDPR requires that only authorized personnel access personal data. ISO 27001 controls A.5.15 (access control), A.5.18 (access rights), and A.8.2 (privileged access rights) address this directly. If you have implemented role-based access control as part of your ISMS, you are meeting GDPR’s access limitation requirements.
Encryption and pseudonymization. GDPR Article 32 specifically mentions encryption and pseudonymization as appropriate measures. ISO 27001 control A.8.24 (use of cryptography) covers encryption policies, key management, and implementation. Organizations that encrypt personal data at rest and in transit under their ISMS are satisfying this GDPR requirement.
Incident management. GDPR requires notification of personal data breaches to supervisory authorities within 72 hours. ISO 27001 controls A.5.24-A.5.28 cover incident management, reporting, and learning from incidents. The incident response process you build for ISO 27001 forms the foundation for GDPR breach notification - you just need to add the regulatory reporting steps and timelines.
Supplier management. GDPR Article 28 requires data controllers to ensure processors provide sufficient guarantees. ISO 27001 controls A.5.19-A.5.23 address supplier relationships, security requirements in agreements, and monitoring. Your supplier assessment process under ISO 27001 covers GDPR’s processor due diligence requirements.
Risk assessment. Both frameworks require risk-based approaches. ISO 27001 Clause 8.2 requires regular risk assessments using a defined methodology. GDPR Article 35 requires Data Protection Impact Assessments (DPIAs) for high-risk processing. The risk assessment skills and infrastructure you build for ISO 27001 transfer directly to GDPR DPIAs - same methodology, narrower focus on risks to individuals arising from personal data processing.
Where GDPR goes beyond ISO 27001
Several GDPR requirements have no equivalent in ISO 27001. These are the gaps you need to fill separately:
Lawful basis for processing. GDPR requires a documented legal basis for every processing activity - consent, contract, legal obligation, vital interests, public task, or legitimate interests. ISO 27001 does not address lawful basis. You need a processing register that maps each activity to its legal basis.
Data subject rights. GDPR grants individuals rights to access, rectification, erasure, portability, and objection. ISO 27001 has no equivalent. You need documented procedures for receiving, verifying, and fulfilling data subject requests within the required timeframes (typically one month).
Data protection by design. GDPR Article 25 requires privacy considerations built into systems and processes from the start, not bolted on afterward. While ISO 27001’s risk-based approach supports this philosophy, you need explicit procedures for privacy impact assessment during system design.
Data Protection Officer. GDPR requires certain organizations to appoint a DPO. ISO 27001 requires management commitment and defined roles but does not mandate a specific privacy role. If GDPR applies to you, evaluate whether you need a DPO and document the decision either way.
International data transfers. GDPR Chapter V restricts transfers of personal data outside the EEA. ISO 27001 does not specifically address cross-border data transfer restrictions. You need mechanisms like Standard Contractual Clauses or adequacy decisions for international transfers.
Breach notification to individuals. ISO 27001 requires incident management and reporting within the organization. GDPR additionally requires notifying affected individuals when a breach poses a high risk to their rights and freedoms - a communication obligation that goes beyond internal incident management.
Implementing both frameworks together
For organizations pursuing both ISO 27001 and GDPR compliance, a practical approach is to build your ISMS first and layer GDPR-specific requirements on top.
Start with your ISMS. Implement ISO 27001 as the foundation. The risk assessment process, control framework, and management system provide the structure that GDPR compliance needs. Most SaaS companies we work with find that 15-20 of their risk treatment actions directly satisfy GDPR security requirements.
Map your processing activities. Create a Record of Processing Activities (ROPA) as required by GDPR Article 30. This maps what personal data you process, why, on what legal basis, who has access, where it goes, and how long you keep it. The asset inventory from your ISO 27001 implementation gives you a head start.
Extend your policies. Your ISO 27001 information security policy needs a privacy section or a companion privacy policy. Add data retention schedules, data subject request procedures, privacy notice requirements, and breach notification processes.
Integrate your risk assessments. Run DPIAs alongside your ISO 27001 risk assessments. Use the same methodology and scales, but focus specifically on risks to individuals from personal data processing. This avoids duplicating effort and keeps both frameworks aligned.
Align your audit cycles. Internal audits for ISO 27001 can include GDPR compliance checks. Adding privacy-specific audit criteria to your existing program is more efficient than running separate audit cycles.
Common mistakes when combining both
Assuming ISO 27001 certification means GDPR compliance. It does not. Certification demonstrates you have an effective ISMS, but auditors do not verify GDPR-specific requirements like lawful basis or data subject rights. These need separate attention.
Treating GDPR as a one-time project. Like ISO 27001, GDPR compliance is ongoing. Processing activities change, new systems are introduced, and regulatory guidance evolves. Build privacy reviews into your regular management review cycle.
Ignoring the overlap. Some organizations implement ISO 27001 and GDPR as completely separate programs with different documentation, different risk registers, and different audit schedules. This doubles the work without improving outcomes. Integrate them from the start.
Focusing only on technical controls. Both frameworks require organizational measures too - policies, training, awareness, defined responsibilities. A well-configured firewall means nothing if staff do not understand their obligations around personal data handling.
How 27kay can help
We help organizations implement ISO 27001 and GDPR together - building one integrated management system rather than two separate compliance programs. As part of ISO 27001 implementation and GDPR advisory, we map the overlap, identify the gaps, and build the policies and procedures that satisfy both frameworks. For the full picture on ISO 27001, see our knowledge hub.
Need help understanding where your ISO 27001 implementation leaves GDPR gaps? Get in touch - we will assess your current state and build a plan that covers both frameworks without duplicating effort.