ISO 27001 and ISO 27701 and the GDPR — How Information Security Standards Support Data Protection Compliance
An increasing number of organisations ask themselves: will implementing an information security management system (ISO 27001) or a privacy information management system (ISO 27701) help them achieve GDPR compliance? The answer is yes — but with important caveats.
ISO 27001 and ISO 27701 are international standards that provide a framework approach to managing information security and privacy. The GDPR is a legal act imposing specific obligations. These three elements do not replace one another but are complementary — and their combination gives an organisation the most comprehensive data protection system.
This article explains what ISO 27001 and ISO 27701 are, how their requirements map to the GDPR, what benefits certification offers, and what the implementation process looks like.
What Is ISO 27001?
ISO/IEC 27001 is an international standard specifying the requirements for an Information Security Management System (ISMS). First published in 2005, its current version dates from 2022 (ISO/IEC 27001:2022).
ISO 27001 is not limited to personal data protection — it covers the security of all information within an organisation: customer data, trade secrets, intellectual property, financial data, and internal documentation. Its scope is therefore broader than the GDPR.
Structure of ISO 27001:
The standard consists of two main parts:
Clauses 4–10 — management system requirements: context of the organisation (clause 4), leadership (5), planning (6), support (7), operation (8), performance evaluation (9), improvement (10). These clauses define how to establish, implement, maintain, and continually improve the ISMS.
Annex A — a catalogue of 93 controls grouped into 4 categories: organisational (37 controls), people (8), physical (14), technological (34). These are specific security measures that the organisation implements based on identified risks — e.g., access control policy, encryption, vulnerability management, network security, incident response.
The key principle of ISO 27001 is the risk-based approach — the organisation does not need to implement all controls but must conduct a risk assessment and select appropriate measures on that basis. Controls that are not applicable may be excluded, but the exclusion must be justified.
What Is ISO 27701?
ISO/IEC 27701:2019 is an extension of ISO 27001 and ISO 27002 that adds requirements specific to a Privacy Information Management System (PIMS). In other words, ISO 27701 is a “privacy overlay” on ISO 27001.
ISO 27701 cannot function independently — it requires ISO 27001 to be implemented first. The organisation first builds an information security management system (ISMS) and then extends it with privacy management elements (PIMS).
Structure of ISO 27701:
Clauses 5–8 — extensions to the ISO 27001 requirements (clauses 4–10) with privacy aspects. For example: clause 5.2 extends ISO 27001 clause 4 to require consideration of the personal data protection context; clause 6 extends planning requirements to include the identification of privacy risks.
Annex A — additional controls for data controllers — 31 controls specific to the controller role.
Annex B — additional controls for data processors — 18 controls specific to the processor role.
Annex D — mapping of ISO 27701 requirements to the GDPR. This is the key annex — it shows which requirements of the standard correspond to which GDPR articles.
How ISO 27001 Maps to the GDPR
ISO 27001 was not created specifically for the GDPR, but many of its requirements directly support compliance with the regulation. The most important connections:
Risk assessment (clause 6.1.2 ISO 27001) → DPIA (Article 35 GDPR)
ISO 27001 requires a systematic risk assessment for information security. The GDPR requires a DPIA for high-risk processing. The ISO 27001 risk assessment methodology can serve as the foundation for a DPIA — it simply needs to be extended to cover risks to the rights and freedoms of natural persons.
Access control (Annex A, controls A.5.15–A.5.18, A.8.2–A.8.5) → Integrity and confidentiality (Article 5(1)(f) GDPR)
ISO 27001 requires the implementation of access control policies, identity management, and privileged access management. This directly fulfils the GDPR’s integrity and confidentiality principle.
Incident management (Annex A, controls A.5.24–A.5.28) → Data breaches (Articles 33–34 GDPR)
ISO 27001 requires the implementation of a security incident response procedure. The GDPR requires breach notification to the supervisory authority within 72 hours. The ISO 27001 incident procedure can be extended to include the GDPR’s notification requirements.
Encryption (Annex A, control A.8.24) → Technical measures (Article 32 GDPR)
ISO 27001 requires the use of cryptography to protect information. Article 32 of the GDPR requires the implementation of appropriate technical measures, including encryption.
Training and awareness (clauses 7.2–7.3, Annex A, control A.6.3) → Accountability (Article 5(2) GDPR)
ISO 27001 requires ensuring staff competence and security awareness programmes. This supports the GDPR’s accountability principle — documented training serves as evidence that the controller is taking steps to protect data.
Supplier management (Annex A, controls A.5.19–A.5.23) → Processing agreements (Article 28 GDPR)
ISO 27001 requires managing security in supplier relationships. The GDPR requires data processing agreements. The ISO 27001 supplier verification processes support fulfilment of Article 28 obligations.
Continual improvement (clause 10, Annex A, control A.5.36) → Accountability (Article 5(2) GDPR)
ISO 27001 requires regular internal audits and management reviews. This builds a culture of continual improvement that is fundamental to the GDPR’s accountability principle.
How ISO 27701 Maps to the GDPR — Detailed Connections
ISO 27701 was designed with data protection regulations in mind, including the GDPR. Annex D of the standard contains detailed mapping. The most important connections:
Role determination (clause 5.2.1) → Controller/Processor (Article 4(7)–(8) GDPR)
ISO 27701 requires the organisation to formally determine whether it acts as a controller, processor, or both. The scope of obligations depends on this determination.
Legal bases for processing (control A.7.2.2) → Article 6 GDPR
ISO 27701 requires documentation of the legal bases for each processing purpose — exactly as the GDPR requires.
Information obligation (control A.7.3.2) → Articles 13–14 GDPR
ISO 27701 requires providing individuals with information about the processing of their data — in a scope corresponding to Articles 13 and 14 of the GDPR.
Consent (controls A.7.2.3–A.7.2.4) → Article 7 GDPR
ISO 27701 requires the implementation of mechanisms for obtaining, documenting, and withdrawing consent — in accordance with GDPR requirements.
Data subject rights (controls A.7.3.3–A.7.3.9) → Articles 15–22 GDPR
ISO 27701 requires the implementation of procedures for exercising data subject rights: access, rectification, erasure, restriction, portability, and objection. Each right has a separate control in the standard.
Privacy by design and by default (control A.7.4.1) → Article 25 GDPR
ISO 27701 requires that privacy be considered at the design stage of systems and processes.
DPIA (control A.7.2.5) → Article 35 GDPR
ISO 27701 requires conducting privacy impact assessments — the equivalent of a DPIA under the GDPR.
Agreements with processors (controls A.7.2.6, B.8.1–B.8.5) → Article 28 GDPR
ISO 27701 requires the formalisation of relationships with processors — in a scope corresponding to Article 28 of the GDPR.
Breach management (control A.7.3.10) → Articles 33–34 GDPR
ISO 27701 requires the implementation of data breach notification procedures.
Data transfers (controls A.7.5.1–A.7.5.2) → Articles 44–50 GDPR
ISO 27701 requires the identification of third-country transfers and the implementation of appropriate safeguards.
Does ISO Certification Replace GDPR Compliance?
No. This is one of the most common misconceptions. ISO 27001 and/or ISO 27701 certification is not equivalent to GDPR compliance. Here is why:
ISO is a management standard; the GDPR is law. ISO 27001/27701 define how to build a security and privacy management system. The GDPR imposes specific legal obligations and provides for fines. An organisation can hold an ISO certificate and still violate the GDPR — for example, if the system is implemented but not followed in practice.
ISO does not cover all GDPR requirements. Certain aspects of the GDPR go beyond the scope of ISO — e.g., the detailed rules on consent (Article 7), the right to data portability (Article 20), administrative fines (Article 83), and the relationship with national data protection legislation.
Certification is a snapshot; compliance is a process. A certification audit assesses the state at a given point in time. GDPR compliance must be maintained continuously.
However, ISO 27001/27701 certification constitutes strong evidence that the organisation has taken serious steps towards data protection — which may be relevant during an audit by the UODO (the Polish supervisory authority), due diligence by business partners, or in the context of claims.
Article 42 of the GDPR explicitly provides for the establishment of data protection certification mechanisms. While ISO 27701 is not formally a certification mechanism under Article 42, it is the closest existing standard that implements this concept.
Benefits of Implementing ISO 27001/27701
For GDPR compliance:
Systematic approach to data security — instead of ad hoc reactions to problems, the organisation has a planned, implemented, and monitored system.
Documentation — ISO requires extensive documentation that simultaneously fulfils the GDPR’s accountability requirement.
Regular audits — internal and external audits ensure continual improvement and gap detection.
Risk management — the ISO risk assessment methodology is directly useful for DPIAs.
For business:
Competitive advantage — an increasing number of clients (particularly corporate and international) require ISO 27001 certification from suppliers as a condition of doing business.
Streamlined due diligence — an ISO 27001/27701 certificate significantly simplifies verification processes by business partners and accelerates contract negotiations.
Reduced incident risk — an implemented ISMS genuinely reduces the likelihood of security breaches.
Fine mitigation — in the event of a GDPR violation, a certified management system may be a mitigating factor when determining the fine (Article 83(2)(d) GDPR).
Client and employee trust — a certificate is a visible signal that the organisation takes security and privacy seriously.
The Implementation and Certification Process — What It Looks Like in Practice
Stage 1: Gap Analysis
Comparison of the current state of security and privacy with ISO 27001 (and optionally ISO 27701) requirements. Identification of gaps and priorities. Duration: 2–4 weeks.
Stage 2: ISMS/PIMS Design
Definition of the system scope, policies, roles, and responsibilities. Conducting a risk assessment. Preparing the Statement of Applicability (SoA), which indicates which Annex A controls are applicable and how they are implemented. Duration: 4–8 weeks.
Stage 3: Implementation
Implementation of technical and organisational controls. Preparation of documentation (policies, procedures, instructions). Staff training. Duration: 2–6 months (depending on the size of the organisation and the system scope).
Stage 4: Internal Audits and Management Review
Conducting at least one internal audit cycle. Management review by senior leadership. Implementing corrective actions. Duration: 2–4 weeks.
Stage 5: Certification Audit
The audit is conducted by an accredited certification body in two stages: Stage 1 (documentation review) and Stage 2 (on-site audit). Following a positive result, the organisation receives a certificate valid for 3 years, with annual surveillance audits. Duration: 2–4 weeks.
Total time from start to certification: Typically 6–12 months for a mid-sized organisation.
ISO 27001/27701 and CIPP/E — Different Perspectives, Shared Goal
It is worth mentioning the relationship between ISO certifications and the CIPP/E (Certified Information Privacy Professional/Europe) certification issued by the IAPP:
ISO 27001/27701 is an organisational certification — it confirms that the organisation’s management system meets the standard’s requirements.
CIPP/E is an individual certification — it confirms that a person possesses knowledge of European data protection law.
For an organisation, the optimal solution is a combination of both: a certified system (ISO) managed by competent individuals (CIPP/E, and optionally CIPM — Certified Information Privacy Manager).
Common Mistakes When Implementing ISO 27001/27701
Treating implementation as a one-off project — ISO requires continual improvement, not a one-time effort ending with a certificate.
Lack of management commitment — without board-level support, implementation has no chance of success. ISO 27001 explicitly requires top management involvement (clause 5).
Excessive documentation — creating hundreds of pages of procedures that no one reads or follows. ISO requires documentation, but it should be practical and proportionate.
Disconnection from reality — a system “on paper” that does not reflect the organisation’s actual processes.
Omitting ISO 27701 — implementing ISO 27001 alone without the ISO 27701 extension, despite the organisation processing personal data on a large scale.
Lack of GDPR integration — treating ISO and the GDPR as two separate projects rather than an integrated system.
Checklist — ISO 27001/27701 and the GDPR
- Conduct a gap analysis — compare the current state with ISO 27001 and ISO 27701 requirements.
- Secure management commitment — ISO requires top management involvement.
- Define the ISMS/PIMS scope — which processes, locations, and systems the system covers.
- Conduct a risk assessment — identify risks to information security and privacy.
- Prepare the Statement of Applicability (SoA) — indicate which controls are applicable.
- Implement technical and organisational controls — based on the risk assessment results.
- Map ISO requirements to the GDPR — using ISO 27701 Annex D.
- Prepare documentation — policies, procedures, registers, forms.
- Train staff — on security awareness and data protection.
- Conduct an internal audit — verify compliance before the certification audit.
- Plan for continual improvement — regular reviews, audits, updates.
Need Support With ISO 27001/27701 and the GDPR?
Implementing an integrated ISO 27001/27701 and GDPR system is a project that requires both legal expertise and an understanding of information security management standards. At the Law Office of Dr Joanna Maniszewska-Ejsmont, we combine both perspectives — helping organisations with the legal aspects of ISO 27701 implementation, mapping the standard’s requirements to the GDPR, preparing documentation that simultaneously meets ISO and GDPR requirements, and advising on audits and certification.

Contact us — we will assess how ISO 27001/27701 can strengthen your GDPR compliance.
