ISO 27001 and GDPR address overlapping but distinct objectives. ISO 27001 is an information security management standard focused on the confidentiality, integrity, and availability of information assets. GDPR is a data protection regulation focused on the rights and freedoms of individuals whose personal data is processed. The overlap is substantial — an effective ISMS provides much of the security infrastructure that Article 32 requires — but the gap is also real: GDPR’s obligations extend well beyond security into lawful basis, data subject rights, transparency, and accountability that ISO 27001 does not address.
For organisations that hold or are pursuing ISO 27001 certification, this article provides the mapping needed to understand which GDPR obligations are addressed by the ISMS and which require additional, GDPR-specific controls. For organisations considering whether to pursue ISO 27001, this article shows why certification is a strong foundation for GDPR compliance — and why it cannot be the whole programme.
ISO 27001:2022 Structure and GDPR Alignment
ISO 27001:2022 consists of a management system framework (clauses 4–10) and Annex A, which contains 93 controls organised into four themes: Organisational controls (37), People controls (8), Physical controls (14), and Technological controls (34). The GDPR alignment analysis covers both the management system clauses and the Annex A controls, since both contribute to GDPR compliance.
ISO 27001 CLAUSE-LEVEL ALIGNMENT WITH GDPR
| ISO 27001 Clause | Clause Topic | GDPR Alignment | Gap |
|---|---|---|---|
| Clause 4: Context | Understanding the organisation; interested parties; ISMS scope | Art. 32 risk-based approach; identifies stakeholders including data subjects and regulators as interested parties | Does not require identification of data subjects as a category; personal data processing context not explicitly required |
| Clause 5: Leadership | Management commitment; policy; roles | Art. 32 requires organisational commitment to security; DPO role partially mapped to ISMS security manager | GDPR requires DPO independence and specific Article 38/39 functions; ISO 27001 security manager role does not cover DPO obligations |
| Clause 6: Planning | Risk assessment; risk treatment; objectives | Art. 32(2) risk assessment directly mapped; risk treatment selects controls from Annex A | GDPR risk assessment must include impact on data subjects’ rights and freedoms, not just information asset risk; DPIA not addressed |
| Clause 8: Operation | Operational planning; risk assessment; risk treatment | Security controls implemented per risk treatment; incident management maps to Art. 33/34 breach notification | Operational controls for data subject rights, consent, and lawful basis not covered by ISMS |
| Clause 9: Performance evaluation | Monitoring; internal audit; management review | Regular testing and evaluation per Art. 32(1)(d); accountability documentation | GDPR compliance audit scope extends beyond security to all GDPR obligations; management review not required to cover GDPR-specific metrics |
| Clause 10: Improvement | Nonconformities; corrective action; continual improvement | Remediation of security gaps; continual security improvement programme | GDPR requires compliance improvement as well as security improvement; corrective actions must address GDPR findings |
Annex A Control Mapping to Article 32
ISO 27001:2022 ANNEX A — KEY CONTROLS MAPPED TO GDPR
| ISO 27001 Control | Control Description | GDPR Mapping | Satisfies Art. 32? |
|---|---|---|---|
| 5.7 — Threat intelligence | Collects and analyses information on threats to information security | Art. 32(1) ‘state of the art’; threats relevant to personal data processing | Partial — informs risk assessment; does not directly address personal data risks to individuals |
| 5.12 — Classification of information | Information classified and handled according to sensitivity | Art. 5(1)(f) ‘appropriate security’; classification of personal data by sensitivity | Partial — classification framework applies to personal data; special category data should be classified highest |
| 5.16 — Identity management | Full identity lifecycle managed for users and systems | Art. 32 access control; Art. 5(1)(f); directly supports RBAC and JML process | Yes — directly addresses Art. 32 access limitation; supports least privilege principle |
| 5.18 — Access rights | Access provisioned, reviewed, and revoked based on business need | Art. 32 least privilege; directly implements RBAC for personal data systems | Yes — core Art. 32 control; access review cadence critical for GDPR compliance |
| 5.33 — Protection of records | Records protection from loss, destruction, falsification, and unauthorised access | Art. 5(1)(f) integrity and confidentiality; Art. 32(1)(b); audit log integrity | Partial — covers integrity and availability; does not address retention limitation per Art. 5(1)(e) |
| 7.1 — Physical security perimeters | Physical security controls for secure areas | Art. 32 physical security; protects personal data processing equipment | Partial — physical security contributes to Art. 32; does not address all organisational measures |
| 8.5 — Secure authentication | Authentication policies and controls for system access | Art. 32 access control; MFA requirement for sensitive personal data systems | Yes — directly addresses authentication standard; MFA requirement maps to Art. 32 ‘state of the art’ |
| 8.24 — Use of cryptography | Rules for use of cryptographic controls; key management | Art. 32(1)(a) encryption requirement; key management obligation | Yes — directly satisfies Art. 32(1)(a) encryption; key management policy required |
| 8.25 — Secure development lifecycle | Security integrated throughout software development | Privacy by design (Art. 25); security of personal data in developed products | Partial — covers security; Art. 25 privacy by design extends to data minimisation and rights, not only security |
| 8.29 — Security testing in development and acceptance | Security testing before deployment | Art. 32(1)(d) regular testing; DAST/SAST for applications processing personal data | Yes — directly addresses Art. 32(1)(d) testing obligation |
The GDPR Gap: What ISO 27001 Does Not Cover
ISO 27001 certification provides strong coverage of GDPR’s Article 32 security obligations, but leaves significant gaps across GDPR’s other requirements. Organisations that treat ISO 27001 certification as equivalent to GDPR compliance — a common but incorrect assumption — will have well-managed security and an underdeveloped data protection compliance programme.
GDPR OBLIGATIONS NOT ADDRESSED BY ISO 27001
| GDPR Obligation | Required Control | ISO 27001 Gap |
|---|---|---|
| Lawful basis for processing (Art. 6/9) | Documented lawful basis for each processing activity; LIA for legitimate interests; consent records | Not addressed: ISO 27001 does not require assessment of legal basis for processing |
| Records of Processing Activities (Art. 30) | Maintained RoPA covering all processing activities | Not addressed: ISMS asset register covers information assets, not personal data processing activities and their legal contexts |
| Data subject rights (Art. 15–22) | Operational procedures for SAR, erasure, rectification, objection, portability, restriction | Not addressed: no requirement to implement rights fulfilment procedures |
| Privacy notices and transparency (Art. 13/14) | Published privacy notices; just-in-time notices; notice version management | Not addressed: transparency to data subjects is not within ISMS scope |
| Data Protection Impact Assessments (Art. 35) | DPIAs for high-risk processing; DPO consultation; DPA prior consultation where required | Not addressed: ISO 27001 risk assessment is security-focused; DPIA assesses rights and freedoms impact |
| Data Protection Officer (Art. 37–39) | DPO designation, tasks, independence, and contact publication where required | Not addressed: ISO 27001 requires a security owner but not a DPO with the independence and functions Art. 38/39 require |
| Cross-border transfer mechanisms (Art. 44–49) | Chapter V transfer mechanisms; TIAs; SCCs or adequacy documentation | Not addressed: the ISMS treats international data transfers only as a security matter; the Chapter V legal transfer mechanisms are not covered |
| Breach notification to DPA and individuals (Art. 33/34) | 72-hour notification procedure; breach register; individual notification assessment | Partial: incident management maps to breach response, but the 72-hour DPA notification requirement is GDPR-specific and not part of ISO 27001 |
Building a Unified ISO 27001 + GDPR Programme
The most efficient approach for organisations subject to both ISO 27001 and GDPR is a unified programme that builds on the ISMS foundation and adds the GDPR-specific controls as a complementary layer. The key is to avoid duplication: where an ISO 27001 control already satisfies a GDPR requirement, reference the ISMS control in the GDPR compliance record rather than building a separate mechanism. Where a GDPR requirement is not addressed by the ISMS, implement the additional control within the same governance framework.
UNIFIED PROGRAMME — INTEGRATION APPROACH
| Integration Area | How to Unify | Efficiency Gain |
|---|---|---|
| Risk assessment | GDPR risk assessment (Art. 32) integrated into ISMS risk assessment methodology; personal data risks to individuals added as a risk category alongside standard information security risks | Single risk assessment process; personal data risks visible alongside security risks; avoids two separate risk registers |
| Policy framework | GDPR-specific policies (data protection policy, consent policy, retention policy) added to ISMS policy suite; shared governance (board approval, annual review, version control) | Single policy governance process; consistent approval and review cadence; no separate GDPR policy management framework |
| Internal audit | GDPR compliance audit scope added to ISMS internal audit programme; audit cycle covers both security controls and GDPR-specific obligations | Single audit function; GDPR compliance tested alongside security controls; single audit report to management |
| Incident management | GDPR breach assessment step integrated into ISMS incident response procedure; DPO in incident response team; 72-hour notification checklist in IR playbook | No separate GDPR incident procedure; security incidents automatically assessed for GDPR breach status; DPO engaged as standard |
| Training | GDPR awareness integrated into ISMS security awareness training; GDPR-specific module for data handling staff | Single training programme; no separate GDPR training rollout; combined completion tracking |
| Supplier management | GDPR processor assessment and DPA execution integrated into ISMS supplier security assessment and contract process | Single supplier security and privacy gate; GDPR DPA executed as part of supplier onboarding; no separate GDPR vendor process |
BITLION INSIGHT
ISO 27001 certification is one of the strongest signals an organisation can provide to enterprise clients, DPAs, and its own board that security is managed systematically. In the GDPR context, it provides direct coverage of Article 32 and is explicitly referenced in GDPR’s recitals as an example of appropriate certification. But the certification is a foundation, not a complete solution. The organisations that maintain the most robust combined programmes are those that have genuinely integrated their ISMS and GDPR compliance frameworks, using the same risk management discipline, the same governance structures, and the same evidence management approach for both.