Data Privacy

ISO 27001 vs GDPR: Overlap, Gaps, and Combined Compliance

ISO 27001 and GDPR overlap on security but diverge on data subject rights, lawful basis, and transfers. Mapping the controls and where ISO 27001 alone is insufficient.


Quick answer. ISO 27001 is an information security management system standard. GDPR is a personal data protection regulation. They overlap on security controls (Article 32 GDPR maps to Annex A of ISO 27001) but diverge on data subject rights, lawful basis, breach notification, international transfers, and DPO obligations. ISO 27001 alone does not satisfy GDPR. The complementary standard for GDPR is ISO 27701 (privacy information management), which extends ISO 27001 to cover privacy.

ISO 27001 certification is increasingly required by enterprise customers — and increasingly cited by vendors as evidence of GDPR compliance. The two are related but not equivalent. A company that is ISO 27001 certified can fail a GDPR audit; a GDPR-compliant company may not satisfy ISO 27001 requirements.

This guide maps the overlap, identifies the gaps, and explains how to combine ISO 27001, ISO 27701, and GDPR work into a single integrated compliance program. For broader context, see our data privacy compliance guide. For audit methodology, see GDPR audit methodology.

Key takeaways

  • ISO 27001 covers information security; GDPR covers personal data protection. Different scopes.
  • The overlap is about 60% — primarily on Article 32 GDPR (security of processing).
  • GDPR-specific obligations NOT covered by ISO 27001: lawful basis, data subject rights, DPIA, breach notification to DPA, international transfers, DPO designation, ROPA, transparency.
  • ISO 27701 extends ISO 27001 to cover privacy and is the natural complement for GDPR.
  • ISO 27001 certification is not a defense against GDPR enforcement — it is one factor among many.

1. What ISO 27001 actually covers

ISO 27001 is the international standard for an Information Security Management System (ISMS). Certification requires:

  • A defined ISMS scope
  • A documented risk assessment methodology
  • A statement of applicability listing which Annex A controls apply
  • Implementation of selected controls (Annex A 2022 has 93 controls in 4 categories: organizational, people, physical, technological)
  • Internal audit program
  • Management review
  • Continuous improvement

Annex A 2022 covers:

  • Organizational controls (37): policies, roles, segregation of duties, supplier relationships
  • People controls (8): screening, terms of employment, awareness, disciplinary process
  • Physical controls (14): perimeters, secure areas, equipment protection
  • Technological controls (34): access control, cryptography, secure development, network security, monitoring

Certification is by an accredited body (BSI, DNV, TÜV, Bureau Veritas, etc.) with surveillance audits each year and recertification every 3 years.

2. What GDPR covers (that ISO 27001 doesn’t)

GDPR has 99 articles and addresses:

| Topic | GDPR Article(s) | ISO 27001 coverage |
|---|---|---|
| Lawful basis for processing | 6, 9 | None |
| Transparency / privacy notice | 13, 14 | None |
| Data subject rights (general) | 12-23 | None |
| Right of access | 15 | None |
| Right to erasure | 17 | Partial (information deletion, A.8.10) |
| Right to data portability | 20 | None |
| Right to object | 21 | None |
| DPIA | 35 | None |
| Prior consultation | 36 | None |
| DPO designation and tasks | 37-39 | None |
| Records of processing (ROPA) | 30 | None |
| Personal data breach notification to the supervisory authority (72h) | 33 | Partial (incident management, A.5.24-5.28; no regulator deadline) |
| Communication of a breach to data subjects | 34 | None |
| International transfers | 44-50 | None |
| Joint controllership agreement | 26 | None |
| Processor contract and sub-processor authorization | 28 | Partial (supplier controls A.5.19-5.22 cover supplier security, not the Article 28(3) contract terms or prior authorization) |
| Security of processing | 32 | Strong overlap with Annex A |
| Pseudonymization, encryption | 32(1)(a) | A.8.24 (use of cryptography), A.8.11 (data masking) |
| Confidentiality, integrity, availability, resilience | 32(1)(b) | The ISMS as a whole (clause 6.1 risk treatment plus Annex A); A.5.1 sets the policy |
| Restoration after incident | 32(1)(c) | A.8.13 (backup), A.8.14 (redundancy), A.5.30 (ICT readiness for business continuity) |
| Testing and evaluating effectiveness | 32(1)(d) | Clause 9 (internal audit, management review); A.8.8 (vulnerability management), A.8.29 (security testing) |

ISO 27001 strongly covers security of processing (GDPR Article 32) and incident management (GDPR Articles 33-34, partially). It does not address the rest of the GDPR.

3. ISO 27701 — the privacy extension

ISO 27701 is an extension of ISO 27001 specifically for Privacy Information Management Systems (PIMS). Published in 2019, it adds:

  • Controls for controllers (Annex A): privacy notice, consent, data subject rights, etc.
  • Controls for processors (Annex B): contract terms, sub-processor management, etc.
  • A mapping to GDPR articles (Annex D)

For an ISO 27001 certified organization, adding ISO 27701 covers most of the GDPR-specific operational requirements. It does not, however, replace the legal interpretation work (lawful basis selection, DPIA judgment calls, transfer mechanism choice).

ISO 27701 + ISO 27001 = approximately 80-90% of GDPR operational compliance. The remaining 10-20% is legal interpretation that requires a DPO or external counsel.

4. Where ISO 27001 alone is insufficient

A vendor that says “we’re ISO 27001 certified, so we’re GDPR compliant” is wrong. The certification covers security, not privacy. Specific gaps:

Lawful basis

ISO 27001 does not require the controller to identify and document a lawful basis under Article 6 GDPR. A vendor processing data without a valid lawful basis can be ISO 27001 certified.

Data subject rights

ISO 27001 does not require a process for handling access requests, erasure requests, etc. A vendor with a perfect Annex A implementation can still violate GDPR by failing to answer a data subject request within the Article 12(3) window: one month from receipt, extendable by two further months for complex or numerous requests, provided the data subject is told of the extension within the first month.

International transfers

ISO 27001 does not address the GDPR-specific transfer framework: adequacy decisions, Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), and the EU-US Data Privacy Framework (DPF). A vendor transferring EU data to a country without an adequacy decision and without an Article 46 safeguard violates GDPR regardless of its ISO 27001 status. See our Standard Contractual Clauses guide.

Breach notification to authority

ISO 27001 covers incident management (A.5.24-5.28). GDPR Article 33 requires the controller to notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to individuals; processors must notify the controller without undue delay. ISO 27001 specifies neither this timeline nor the recipient, so an incident response plan that passes certification can still miss the regulatory deadline if it has no breach-assessment and notification step.

DPIA

ISO 27001 doesn’t require a Data Protection Impact Assessment. GDPR Article 35 does for high-risk processing. See our Article 35 RGPD guide.

5. Combining ISO 27001 + GDPR + ISO 27701

For an organization pursuing all three:

Single ISMS scope

Define the ISMS scope to cover every system that processes personal data. Annex A controls only apply inside the declared scope, so a certificate scoped to, say, a data center or a single product line says nothing about the HR system or the marketing CRM outside it. When relying on a certificate, read the scope statement printed on it before treating it as evidence for Article 32.

Integrated risk assessment

The ISO 27001 risk assessment can include privacy risks (impact on data subjects), letting it serve double duty for GDPR DPIAs. The WP29 DPIA guidelines (WP248 rev.01, endorsed by the EDPB) allow an existing risk methodology to be used for this, with one caveat: a DPIA assesses risk to the rights and freedoms of data subjects, whereas a conventional ISMS risk register scores impact on the organization. The register needs a data-subject impact dimension, not just a business impact one, for the integration to hold up.

Combined Statement of Applicability

The Statement of Applicability for ISO 27001 + ISO 27701 covers Annex A (security), Annex A privacy controls (controllers), and Annex B privacy controls (processors). One document, comprehensive coverage.

Unified audit cycle

External certification audit can cover ISO 27001 + ISO 27701 simultaneously. Annual surveillance audits track both standards.

DPO + CISO coordination

The DPO (legal/privacy lens) and CISO (security/risk lens) collaborate on the integrated program. In smaller organizations one person may hold both roles, but Article 38(6) GDPR requires that the DPO's other tasks create no conflict of interest, and supervisory authorities generally treat a DPO who also decides the purposes and means of processing (as a CISO setting security policy does) as conflicted. Where the roles are combined, document the analysis of that conflict or appoint an external DPO.

6. Practical case: SaaS vendor

A SaaS vendor selling to EU customers needs:

  • ISO 27001 for enterprise customer requirements (security baseline)
  • ISO 27701 for privacy compliance demonstration
  • GDPR-specific activities not covered by either:
    • Public privacy policy
    • Lawful basis documentation per processing
    • DPA template offered to customers (controller-processor contract)
    • DSR handling process (specific to GDPR rights)
    • DPIA for high-risk features
    • Breach notification process aligned with 72h
    • International transfer documentation (SCCs plus a transfer impact assessment, TIA)

Total program cost: ISO 27001 + 27701 certification ~€30K-€80K initial + €15K-€30K/year. GDPR-specific overlay: ~€20K-€50K initial + €10K-€20K/year.

7. ISO 27001 in vendor due diligence

When auditing a vendor for GDPR compliance (Article 28 audit), ISO 27001 certification is a strong signal but not a complete answer. The audit should still verify:

  • Signed DPA conforming to Article 28(3)
  • Sub-processor list available and update process operating
  • Cross-border transfer mechanism for any non-adequate destination
  • DSR assistance process (how the vendor helps you respond to user requests)
  • Breach notification SLA (typically 24-48h to controller)
  • Right-to-audit clause, exercised at minimum by reviewing a SOC 2 Type II report or an ISO 27701 certificate together with its statement of applicability and scope

For the full vendor audit framework, see our Article 28 audit checklist.

8. Tooling

Legiscope maintains the GDPR overlay on ISO 27001 programs: maps Annex A controls to GDPR Article 32, identifies GDPR-specific gaps not covered by ISO 27001, generates DPIAs aligned with both standards, and audits vendor DPAs to verify the GDPR-specific clauses ISO 27001 doesn’t address.

For related deep-dives: GDPR audit methodology, Article 28 RGPD, Standard Contractual Clauses, data privacy compliance guide.

Conclusion

ISO 27001 and GDPR are complementary, not equivalent. A vendor or department citing ISO 27001 as proof of GDPR compliance has misunderstood both standards. The right path: maintain ISO 27001 for security, add ISO 27701 for privacy operations, and overlay the GDPR-specific legal work that no certification can replace.

FAQ

Does ISO 27001 certification mean my vendor is GDPR compliant?

No. ISO 27001 covers information security but not the GDPR-specific obligations: lawful basis, data subject rights, DPIA, breach notification to authority, international transfers, DPO designation, ROPA. A certified vendor can still violate GDPR.

Should I get ISO 27001 or focus on GDPR?

Both, but in the right order. If you’re an SMB with limited resources, GDPR compliance is legally mandatory; ISO 27001 is commercial. Start with GDPR (mandatory legal exposure), then add ISO 27001 if customers require it. Larger organizations typically pursue both in parallel.

What’s the difference between ISO 27001 and ISO 27701?

ISO 27001 covers information security management. ISO 27701 extends ISO 27001 with privacy-specific controls aligned with GDPR (and other privacy laws). ISO 27701 is the natural complement to ISO 27001 for organizations processing personal data.

Can ISO 27001 controls satisfy GDPR Article 32?

Yes, largely. Annex A controls in ISO 27001 (especially the 8.x technological controls) map well to GDPR Article 32 requirements (encryption, integrity, availability, restoration, testing). This is the primary overlap between the two standards.

How long does ISO 27001 certification take?

For a 50-200 employee company: 6-12 months from project kickoff to initial certification. Includes risk assessment, control implementation, internal audit, and Stage 1 + Stage 2 external audits. Annual surveillance audits and recertification every 3 years.

Legiscope automates this for you

Stop doing compliance manually. Legiscope's AI handles ROPA creation, DPA audits, and gap analysis — in minutes, not weeks.

Written by
Founder of Legiscope and GDPR expert

Doctor of Law from Université Panthéon-Assas (Paris II), 23 years of experience in digital law and GDPR compliance. Former adviser to the Prime Minister's administration on the implementation of the GDPR. Thiébaut is the founder of Legiscope, an AI-automated GDPR compliance platform.
