Many countries around the world have begun to pass legislation that regulates how businesses can collect and use consumer data, and that imposes certain standards of privacy and security that companies must meet while in possession of that data.

One landmark piece of legislation arrived in 2018 when the European Union’s General Data Protection Regulation (GDPR) went into effect. The GDPR applies to all member states of the EU and the European Economic Area (EEA).

Additional privacy regulations have emerged since then, and understanding what each one requires and whom it affects can be cumbersome. Today we want to bring some clarity to the discussion by explaining the difference between GDPR and ISO 27001.

What Is GDPR?

The GDPR mandates that all companies doing business within the EU or that collect the data of EU citizens must comply with strict rules to protect that personal data. It encourages organizations to manage their data security in line with prescriptive best practices and requires compliance of data controllers (businesses that collect the data) and data processors (companies that process data on behalf of others).

What Is ISO 27001?

ISO 27001, or ISO/IEC 27001, is an international standard for information security management systems (ISMS) that organizations can adopt.

ISO 27001 was established by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2005 and later revised in 2013 and 2017.

The standard includes requirements for creating, executing, managing, and improving a company’s information security management system. This ensures that organizations will secure their information assets and protect against data breaches.

All organizations that can meet the ISO 27001 specifications can seek certification from an accredited institution that will conduct an audit to ensure the organization’s compliance.

How Are ISO 27001 and GDPR Different?

ISO 27001 is a voluntary certification that requires organizations to take a risk-based approach to how they manage sensitive data. In contrast, the GDPR aims to protect the personal data of EU citizens, and compliance with the GDPR is mandatory for most organizations working in Europe or with EU citizens.

Both ISO 27001 and the GDPR do revolve around risk, and both direct organizations to identify certain risks and controls that can bring those risks to an acceptable level.

Regarding personal data, ISO 27001 incorporates encryption as part of business continuity management as well as the capability to restore data when necessary, in a timely manner. Along similar lines, the GDPR views personal data as something that all organizations must strive to protect.

Where the two regulations differ are in their requirements. For example, the GDPR includes the right of a consumer to have his or her data removed, as well as the right to control how the data is shared with third parties (also known as data portability). ISO 27001 doesn’t directly include such provisions.

Does ISO 27001 Cover GDPR?

The two are similar, but not identical. Here are a few examples of where ISO 27001 and the GDPR overlap, where compliance with ISO 27001 can help an organization to meet GDPR standards.

ISO 27001 and GDPR both require breach notification, but at different levels.

Under both ISO 27001 and the GDPR, companies must notify supervisory authorities of a breach of personal data within 72 hours of discovering it. ISO 27001 also contains standards designed to assure that information security incidents are handled in a consistent way.

The main difference, however, is that the GDPR stipulates that consumers (or data subjects) be notified when the breach poses a high risk of infringing upon their individual rights.

Incident management and infosec solutions like those offered by ZenGRC help organizations be better equipped to detect, report, and manage personal data incidents; and to maintain compliance with the GDPR.

GDPR and ISO 27001 BOTH mandate all regulatory and contractual requirements to be laid out.

To obtain an ISO 27001 certification, organizations must make all legislative and contractual requirements related to their business and their customers available to auditors, so that the audit team can confirm compliance.

GDPR similarly mandates that all statutory and contractual requirements be made available to ensure compliance.

ISO 27001 risk assessment can help organizations avoid GDPR fines

The monetary penalties associated with violating the cybersecurity and data processing requirements outlined in the GDPR can be up to 4 percent of an organization’s global revenue. With consequences so painfully high, companies can’t afford to neglect appropriate risk assessment.

In fact, the GDPR mandates data protection impact assessments, which require organizations to assess privacy risks and vulnerabilities. ISO 27001 requires that same sort of risk assessment too. Therefore, by gaining ISO 27001 certification, an organization can simultaneously assure compliance with GDPR and reduce the chance of costly fines.

The asset management requirements of ISO 27001 help to ensure compliance with GDPR

ISO 27001 treats personal data as information security assets. As such, those assets are subject to constraints around storage, length of storage, collection, and access. Those are also requirements of the GDPR.

The future of GDPR requirements indicate that privacy will be built into business processes in alignment with ISO 27001

Data privacy regulation is getting more complex, not less; with additional provisions and protections being added every year. Looking forward, businesses that want a strategic advantage over competitors will have to incorporate security standards into all aspects of their business.

Companies aiming to comply with ISO 27001 (and other ISO standards like ISO 27701 and ISO 27000) will be well prepared to meet those future expectations since the ISO standard is all about how to protect information assets-personal data or otherwise.


The GDPR mainly revolves around how personal data is collected, where ISO 27001 provides guidance about how data that has been collected can remain confidential and secure.

Furthermore, GDPR’s main directive is to protect the right to privacy for individuals and gives consumers certain rights to see how data of theirs is collected, stored, and shared. ISO 27001, on the other hand, is concerned more with the security controls around data.

If you’d like to learn more about how you can ensure compliance with GDPR or ISO 27001 in your organization, contact us for a demo to see how we can help guide your organization to confidence in infosec risk and compliance.