FORTISEU

How GDPR and ISO 27001 Work Together

13 min read. Updated 2026-03-18

Detailed analysis of how GDPR requirements map to ISO 27001 controls, how Article 32 technical measures align with the ISMS framework, how to use ISO 27001 certification to demonstrate GDPR compliance, and how to conduct a gap analysis between the two frameworks.

Key Takeaways

1. GDPR and ISO 27001 are complementary, not alternatives. ISO 27001 provides the management system and technical controls for GDPR Article 32, while GDPR adds data protection-specific requirements that go beyond information security.

2. Article 32 maps directly to ISO 27001: pseudonymisation and encryption align with A.8.11 and A.8.24, the confidentiality, integrity and availability requirements map to the whole of Annex A, and testing effectiveness maps to the Clause 9 performance evaluation cycle.

3. ISO 27001 does not cover data subject rights, lawful basis determination, DPIAs, GDPR-specific breach notification, or international transfer mechanisms. These require separate GDPR implementation.

4. ISO 27001 certification serves as strong evidence of GDPR Article 32 compliance in enforcement by Data Protection Authorities, in customer due diligence, in data processing agreements, and in litigation.

5. An integrated implementation strategy, with ISO 27001 as the structural foundation and GDPR requirements layered on top, reduces duplication and creates a more robust compliance programme than implementing either framework in isolation.

1. Two Frameworks, One Security Objective

GDPR and ISO 27001 approach information security from different directions but converge on a shared objective: protecting information through appropriate technical and organisational measures. GDPR is a legal regulation focused on personal data protection, establishing rights for data subjects and obligations for controllers and processors. ISO 27001 is a management system standard focused on information security, providing a systematic framework for managing all types of sensitive information. The two are not alternatives — they are complementary, and organisations that implement both achieve stronger security and compliance outcomes than those implementing either alone.

GDPR Article 32 requires controllers and processors to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. It explicitly mentions pseudonymisation and encryption, the ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems, the ability to restore availability and access to personal data in a timely manner following an incident, and a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures. These requirements directly parallel the core concerns of ISO 27001: confidentiality, integrity, and availability of information, risk-based control selection, business continuity, and continual improvement through monitoring and evaluation.

The strategic value of combining GDPR and ISO 27001 lies in their different enforcement mechanisms. GDPR compliance is assessed by Data Protection Authorities through inspections, complaint investigations, and enforcement actions: it is a regulatory obligation backed by administrative fines of up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher (Article 83(5)). ISO 27001 compliance is assessed through independent third-party certification audits: it is a voluntary certification that provides external validation. By implementing ISO 27001 as the operational framework for your GDPR Article 32 technical and organisational measures, you create a system that is both regulatory-grade and independently verified.

2. Mapping GDPR Article 32 to ISO 27001 Controls

Article 32(1)(a) requires pseudonymisation and encryption of personal data as appropriate. ISO 27001 Annex A addresses this through A.8.24 (Use of cryptography), which requires policies on the use of cryptographic controls including key management, and the new control A.8.11 (Data masking), which explicitly covers pseudonymisation and anonymisation techniques. Together, these controls provide the implementation framework for Article 32(1)(a) — the ISO 27001 ISMS ensures that cryptographic and masking measures are not ad hoc but are governed by policy, applied consistently, and monitored for effectiveness.
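The practical test for whether a pseudonymisation measure is "governed by policy" rather than ad hoc is where the re-identification secret lives. GDPR Article 4(5) defines pseudonymisation as processing such that the data can no longer be attributed to a data subject without additional information that is kept separately. An unkeyed hash of a low-entropy identifier (an email address, a customer number) does not meet that definition: anyone who can enumerate plausible inputs recovers the identifier by trial. The following Python example, added here and not part of the original article or any vendor's code, contrasts that weak form with an HMAC-based pseudonym whose key is the separately held "additional information" under the A.8.24 key management policy. The customer addresses, the attacker's guess list and the purpose labels are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Iterable, Optional

# Constructed sample data (not real customers): the identifiers to pseudonymise.
CUSTOMERS = ["alice@example.com", "bob@example.com", "carol@example.com"]

# Constructed guess list an attacker might compile from a leaked mailing list.
GUESSES = CUSTOMERS + ["dave@example.com", "eve@example.com"]


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256 of the identifier.

    Deterministic and public: anyone able to enumerate plausible identifiers can
    recompute the hash and link the token back, so on its own this does not
    satisfy the Article 4(5) definition of pseudonymisation.
    """
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes, purpose: str = "default") -> str:
    """HMAC-SHA256 pseudonym bound to a processing purpose.

    The key is the 'additional information' that must be kept separately from
    the pseudonymised dataset (Art. 4(5)) and managed under the cryptography
    policy (A.8.24). Binding the purpose into the message means the same person
    receives unlinkable tokens in different datasets, which supports data
    minimisation and purpose limitation.
    """
    message = purpose.encode("utf-8") + b"\x00" + identifier.encode("utf-8")
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def dictionary_attack(token: str, guesses: Iterable[str],
                      tokenise: Callable[[str], str]) -> Optional[str]:
    """Run each guess through `tokenise`; return the guess that reproduces `token`."""
    for guess in guesses:
        if hmac.compare_digest(tokenise(guess), token):
            return guess
    return None


def reidentify(token: str, key: bytes, candidates: Iterable[str],
               purpose: str = "default") -> Optional[str]:
    """Legitimate re-linking by the key custodian: the same search, with the real key."""
    return dictionary_attack(token, candidates, lambda c: keyed_pseudonym(c, key, purpose))


def demo() -> dict:
    """Compare both schemes against the same guess list and return the observations."""
    key = secrets.token_bytes(32)           # generated and held by the key custodian
    attacker_key = secrets.token_bytes(32)  # attacker has the dataset but not the key
    target = "bob@example.com"

    naive_token = naive_pseudonym(target)
    keyed_token = keyed_pseudonym(target, key, purpose="analytics")

    return {
        # Unkeyed hash: the attacker recovers the address from the guess list.
        "naive_reversed": dictionary_attack(naive_token, GUESSES, naive_pseudonym),
        # Keyed pseudonym: without the custodian's key the guess list yields nothing.
        "keyed_reversed_without_key": dictionary_attack(
            keyed_token, GUESSES,
            lambda g: keyed_pseudonym(g, attacker_key, "analytics")),
        # The custodian, holding the key, can still re-link when lawfully required.
        "keyed_reversed_with_key": reidentify(keyed_token, key, GUESSES, purpose="analytics"),
        # Tokens for the same person differ across purposes, so datasets cannot be joined.
        "cross_purpose_linkable": keyed_pseudonym(target, key, "analytics")
                                  == keyed_pseudonym(target, key, "billing"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The design point for the ISMS is that `key` is an asset in its own right: it needs an owner, a storage location separate from the pseudonymised data, access logging, and a rotation procedure (the `purpose` prefix can carry a key version for that). Those are exactly the items an A.8.24 policy and an A.8.11 masking procedure should document, and the items an auditor will ask to see.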

Article 32(1)(b) requires the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services. This maps to the entirety of the ISO 27001 control framework — confidentiality, integrity, and availability (CIA) are the three pillars around which all 93 Annex A controls are designed. Specific controls with direct relevance include A.8.2-A.8.5 (access management), A.8.7 (Protection against malware), A.8.15-A.8.16 (Logging and monitoring), A.8.20-A.8.22 (Network security), and A.5.29-A.5.30 (Information security during disruption and ICT readiness for business continuity). The concept of resilience — not explicitly defined in ISO 27001 but increasingly important — is best addressed through the business continuity controls combined with the risk management process.

Article 32(1)(c) requires the ability to restore availability and access to personal data in a timely manner in the event of a physical or technical incident. ISO 27001 controls A.8.13 (Information backup), A.8.14 (Redundancy of information processing facilities), A.5.29 (Information security during disruption), and A.5.30 (ICT readiness for business continuity) directly address this requirement. Article 32(1)(d) requires a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures. This maps to the ISO 27001 management system itself: Clause 9.1 (monitoring, measurement, analysis, and evaluation), Clause 9.2 (internal audit), Clause 9.3 (management review), and Clause 10 (improvement) collectively establish exactly the testing, assessment, and evaluation process that Article 32(1)(d) demands.

The EDPB has stated that while ISO 27001 certification does not by itself prove GDPR compliance, it is a relevant factor that DPAs should consider when assessing whether a controller or processor has implemented appropriate technical and organisational measures under Article 32.

3. What GDPR Requires That ISO 27001 Does Not Cover

While ISO 27001 provides strong coverage for GDPR's security requirements, several GDPR obligations fall outside the scope of information security management. Data subject rights (Articles 12-22) — access, rectification, erasure, restriction, portability, objection, and automated decision-making rights — are data protection requirements with no direct ISO 27001 equivalent. Your DSAR fulfilment process, consent management system, and data portability mechanisms must be built separately from the ISMS, though the ISMS can provide the access control and data classification infrastructure that supports them.

Lawful basis determination (Article 6), Data Protection Impact Assessments (Article 35), Data Protection Officer appointment and responsibilities (Articles 37-39), Records of Processing Activities (Article 30), and data breach notification to supervisory authorities and data subjects (Articles 33-34) are all GDPR-specific requirements without direct ISO 27001 parallels. ISO 27001's incident management process (A.5.24-A.5.28) provides a foundation for breach detection and response, but GDPR's 72-hour notification requirement, risk assessment to determine notification obligation, and communication obligations to data subjects require specific GDPR procedures layered on top of the ISMS incident process.

International data transfers (Articles 44-50) represent another significant area where GDPR goes beyond ISO 27001. While ISO 27001's supplier management controls (A.5.19-A.5.22) and cloud security control (A.5.23) address the security aspects of third-party relationships, GDPR's transfer mechanisms (adequacy decisions, Standard Contractual Clauses, Binding Corporate Rules), Transfer Impact Assessments, and the CJEU Schrems II requirements are data protection-specific obligations. The gap analysis in Section 5 provides a systematic approach to identifying and addressing these differences.

4. Using ISO 27001 Certification as GDPR Evidence

GDPR Article 42 encourages the establishment of data protection certification mechanisms and seals. ISO 27001 is not a certification under Article 42: Article 42 schemes are data protection certifications issued against criteria approved by a supervisory authority or the EDPB, whereas ISO 27001 is an information security management system standard certified by accredited certification bodies. It nonetheless serves as powerful evidence of compliance with GDPR's security requirements. Data Protection Authorities across the EU have consistently recognised ISO 27001 certification as a positive indicator when assessing Article 32 compliance. In enforcement decisions, DPAs have noted the presence or absence of ISO 27001 certification as a relevant factor in determining the appropriateness of technical and organisational measures.

To maximise the evidentiary value of ISO 27001 certification for GDPR purposes, ensure your ISMS scope covers all personal data processing activities (not just a subset). If your ISO 27001 certification scope is narrower than your GDPR processing scope, the certification only provides evidence for the covered processing activities. Map your ISO 27001 controls explicitly to GDPR Article 32 requirements in a documented mapping table — this makes it easy for DPAs, auditors, and customers to understand how your ISMS addresses GDPR security obligations. Include GDPR-specific risk scenarios in your information security risk assessment: risks to data subjects' rights and freedoms, not just risks to business operations.

Beyond DPA enforcement, ISO 27001 certification serves as evidence in several other GDPR-relevant contexts. In data processing agreements (Article 28), controllers can reference the processor's ISO 27001 certification as evidence of appropriate technical and organisational measures. In Data Protection Impact Assessments (Article 35), the DPIA can reference ISO 27001 controls as the measures that mitigate identified risks. In customer due diligence, the ISO 27001 certificate often satisfies the security assessment component of vendor onboarding processes. And in litigation following a data breach, ISO 27001 certification demonstrates that the organisation took systematic, audited measures to protect personal data — a relevant factor in assessing whether the organisation met its Article 32 obligations.

Create a formal GDPR-to-ISO 27001 mapping document and maintain it alongside your Statement of Applicability. When DPAs, customers, or auditors ask about your GDPR technical measures, this mapping provides an immediate, authoritative answer backed by independent certification evidence.

5. Conducting a Gap Analysis Between GDPR and ISO 27001

A structured gap analysis identifies where ISO 27001 implementation satisfies GDPR requirements, where GDPR requirements exceed ISO 27001 scope, and where GDPR-specific implementation is needed. Start with GDPR's key obligations and map each to ISO 27001 coverage. For Article 5 principles (lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, accountability): integrity and confidentiality map directly to ISO 27001 CIA objectives, accountability maps to the ISMS documentation and audit requirements, but lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, and storage limitation are data protection principles with no ISO 27001 equivalent.

For Articles 12-22 (data subject rights): ISO 27001 provides the data classification (A.5.12-A.5.13), access control (A.5.15-A.5.18), and information deletion (A.8.10) infrastructure that supports DSAR fulfilment, but the rights management process itself — intake, identity verification, data retrieval, redaction, response, and deadline tracking — must be built as a GDPR-specific process. For Article 25 (data protection by design and default): ISO 27001's A.8.25-A.8.27 (secure development lifecycle, security requirements analysis, secure system architecture) provide the security-by-design foundation, but GDPR's data protection by design requirements extend to privacy-specific concerns such as data minimisation, purpose limitation, and transparency that go beyond security.

For Articles 33-34 (breach notification): ISO 27001's incident management controls (A.5.24-A.5.28) provide the detection, classification, and response framework, but GDPR requires additional procedures for the 72-hour supervisory authority notification, the risk assessment to determine whether notification is required, the data subject communication process, and the specific content requirements for notifications. For Articles 44-50 (international transfers): ISO 27001's supplier controls (A.5.19-A.5.22) and cloud security control (A.5.23) address security aspects, but GDPR transfer mechanisms (SCCs, adequacy decisions, BCRs), Transfer Impact Assessments, and supplementary measures are entirely GDPR-specific requirements. Document each gap, assign ownership, set an implementation timeline, and track closure through your ISMS improvement process.

6. An Integrated Implementation Strategy

For organisations implementing both GDPR compliance and ISO 27001 certification, an integrated approach reduces duplication and accelerates both programmes. Start with the ISO 27001 ISMS as the structural foundation — the management system provides the governance, risk assessment, control management, monitoring, and improvement infrastructure that both frameworks require. Layer GDPR-specific requirements on top of this foundation: add personal data-specific risk scenarios to the ISO 27001 risk assessment, extend the scope to explicitly include personal data processing activities, and integrate GDPR documentation (RoPA, DPIAs, lawful basis records) into the ISMS document control system.

Build unified processes where possible. A single incident management process can serve both ISO 27001's incident handling requirements (A.5.24-A.5.28) and GDPR's breach notification obligations (Articles 33-34) — add a decision gate after initial triage to determine whether the incident involves personal data and triggers GDPR notification requirements. A single supplier assessment process can address both ISO 27001's supplier security requirements (A.5.19-A.5.22) and GDPR's processor due diligence and DPA requirements (Article 28). A single training programme can cover both information security awareness (A.6.3) and data protection awareness. Unified processes reduce operational complexity and ensure consistent application.

Assign clear accountability for each framework's unique requirements. The Information Security Officer (or ISMS Manager) owns the management system and security controls. The Data Protection Officer owns GDPR-specific obligations: lawful basis determination, data subject rights, DPIAs, liaison with the supervisory authority, and transfer mechanisms. These roles should collaborate closely: the DPO depends on the ISMS for technical and organisational security measures, and the Information Security Officer depends on the DPO for data protection requirements that feed into the risk assessment and control selection. In smaller organisations, these roles may be held by the same person, but the responsibilities remain distinct. Regular coordination meetings between the two functions (or structured self-review for combined roles) ensure that changes in one programme are reflected in the other.

Do not assume that ISO 27001 certification makes you GDPR-compliant. ISO 27001 addresses only the security-related portion of GDPR (primarily the Article 32 measures), commonly estimated at roughly 40-50% of GDPR obligations. Data subject rights, lawful basis, DPIAs, breach notification specifics, and transfer mechanisms require separate GDPR-specific implementation.

Frequently Asked Questions

Does ISO 27001 certification mean we are GDPR-compliant?

No. ISO 27001 certification demonstrates that you have implemented appropriate technical and organisational security measures, which satisfies a significant portion of GDPR Article 32. However, GDPR includes many obligations beyond security: data subject rights (Articles 12-22), lawful basis requirements (Article 6), Data Protection Impact Assessments (Article 35), DPO requirements (Articles 37-39), Records of Processing Activities (Article 30), breach notification specifics (Articles 33-34), and international transfer mechanisms (Articles 44-50). ISO 27001 covers approximately 40-50% of GDPR obligations. The remaining obligations require separate implementation.

Should we implement ISO 27001 or GDPR compliance first?

If your organisation processes personal data (virtually all EU organisations do), GDPR compliance is a legal obligation that takes priority. However, the most efficient approach is to implement both in parallel using an integrated strategy. Start with ISO 27001 ISMS design and GDPR data mapping simultaneously. The ISMS provides the management system structure, risk assessment methodology, and control framework that supports GDPR implementation. Running the programmes in parallel avoids rebuilding processes later and ensures that security and privacy requirements are addressed together from the start.

How do DPAs view ISO 27001 certification in enforcement actions?

Data Protection Authorities across the EU have consistently recognised ISO 27001 certification as a positive factor when assessing Article 32 compliance. In several enforcement decisions, DPAs have noted the presence of ISO 27001 certification as evidence that the organisation took systematic measures to ensure information security. Conversely, the absence of any recognised security framework has been cited as an aggravating factor. While certification does not create a compliance safe harbour, it significantly strengthens the organisation's position in enforcement proceedings and demonstrates that security measures are not ad hoc but are systematically managed and independently audited.

Can ISO 27001's risk assessment serve as a GDPR DPIA?

No. They serve different purposes. ISO 27001's risk assessment evaluates risks to the confidentiality, integrity, and availability of information from the organisation's perspective. GDPR's DPIA (Article 35) evaluates risks to the rights and freedoms of data subjects from the individual's perspective. The methodologies are different, the risk criteria are different, and the outputs are different. However, the ISO 27001 risk assessment can inform the DPIA — the security risks and controls identified in the ISMS assessment are relevant inputs to the DPIA's assessment of technical and organisational safeguards. Conduct both assessments separately but use shared risk data where applicable.
