ISO 27001 and GDPR: Cross-Mapping
Which ISO controls cover GDPR requirements? Overlap analysis and dual compliance strategy.
ISO 27001:2022 and the GDPR overlap in one objective: protecting information with security measures appropriate to the risk. Organisations that already operate an ISO 27001-certified Information Security Management System (ISMS) have a significant head start on GDPR compliance, because many Annex A controls directly address the security obligations of the GDPR, above all Art. 32.
The two frameworks do not, however, protect the same thing. ISO 27001 protects the confidentiality, integrity and availability of the organisation's information; the GDPR protects the rights and freedoms of natural persons. ISO 27001 certification therefore does not equal GDPR compliance: data subject rights, legal bases, consent, and the regulatory duties towards supervisory authorities lie outside what an ISMS covers. Understanding both the overlap and the gaps is the basis of a dual-compliance strategy.
Cross-Mapping: ISO 27001 Annex A to GDPR
The following table maps key GDPR requirements to the corresponding ISO 27001:2022 Annex A controls. Coverage is rated high (the ISO controls largely satisfy the requirement), medium (the ISO controls provide a foundation that must be extended with data-protection specifics), or low (the requirement is GDPR-specific and must be built separately).
| GDPR Requirement | ISO 27001 Annex A Controls | Coverage |
|---|---|---|
| Art. 5 - Processing principles | A.5.1-5.4 (Policies, roles), A.5.10 (Acceptable use), A.5.31 (Legal and regulatory requirements), A.5.34 (Privacy and protection of PII) | Medium |
| Art. 6 - Legal bases | No direct equivalent; A.5.31 only requires that legal requirements be identified | Low |
| Art. 15-22 - Data subject rights | No direct equivalent; A.5.34 requires compliance with privacy law but defines no process | Low |
| Art. 25 - Data protection by design and by default | A.8.25-8.28 (Secure development life cycle, application security requirements, secure architecture, secure coding), A.8.10-8.12 (Information deletion, data masking, data leakage prevention) | Medium |
| Art. 28 - Processor obligations | A.5.19-5.22 (Supplier relationships) | Medium |
| Art. 30 - Records of processing | A.5.9 (Asset inventory), A.5.12-5.13 (Classification, labelling) | Medium |
| Art. 32 - Security of processing | A.8.1-8.34 (Technological controls, incl. A.8.24 cryptography, A.8.13 backup, A.8.14 redundancy), A.7.1-7.14 (Physical controls) | High |
| Art. 33-34 - Breach notification | A.5.24-5.28 (Incident management), A.6.8 (Information security event reporting) | Medium |
| Art. 35 - DPIA | Clause 6.1.2 (Information security risk assessment), A.5.8 (Information security in project management) | Medium |
| Art. 37-39 - DPO | A.5.2 (Roles and responsibilities), A.5.4 (Management responsibilities) | Low |
| Art. 44-49 - International transfers | A.5.19-5.22 (Supplier relationships), partial only | Low |
Where ISO 27001 Provides Strong Coverage
ISO 27001 is strongest exactly where the GDPR asks for information security:
- Art. 32 - Security of processing: The Annex A technological controls (A.8) cover the measures Art. 32 names explicitly: encryption and pseudonymisation (A.8.24 cryptography, A.8.11 data masking), access control (A.8.2-8.5), network security (A.8.20-8.22), system hardening (A.8.9 configuration management), and the ability to restore availability after an incident (A.8.13 backup, A.8.14 redundancy). See our TOMs guide for the GDPR perspective.
- Risk management: ISO 27001's risk assessment methodology (Clause 6.1.2) provides a repeatable, documented process that can be reused for GDPR risk assessments once the impact criteria are extended (see below).
- Asset management and classification: The information asset inventory (A.5.9) and classification scheme (A.5.12) already tell you where personal data lives and how sensitive it is, which is a large part of the Art. 30 records of processing.
- Incident management: ISO 27001's incident management controls (A.5.24-5.28) and event reporting (A.6.8) provide the detection, assessment, and evidence-collection framework that GDPR breach notification depends on.
- Supplier management: Controls A.5.19-5.22 cover supplier information security, due diligence, contractual requirements, and monitoring, which supports GDPR processor management.
Where GDPR Goes Beyond ISO 27001
Several GDPR requirements have no direct equivalent in ISO 27001 and must be addressed separately:
- Legal bases (Art. 6): ISO 27001 does not address the concept of a legal basis for processing. You must independently determine and document the legal basis for each processing activity; A.5.31 only obliges you to identify applicable legal requirements.
- Data subject rights (Art. 15-22): The rights of access, rectification, erasure, restriction, portability, and objection require dedicated intake, identity verification, fulfilment, and response-deadline processes that go beyond information security. See our data subject rights guide.
- Consent management: Obtaining, documenting, and withdrawing consent is a GDPR-specific requirement with no ISO 27001 equivalent.
- Breach notification deadlines: While ISO 27001 covers incident management, the duty to notify the supervisory authority within 72 hours of becoming aware of a breach (Art. 33), to inform affected data subjects where the risk is high (Art. 34), and the mandatory content of both notifications are GDPR-specific. See our breach notification guide.
- DPIA requirement: The DPIA under Art. 35 assesses the risk to the rights and freedoms of data subjects, not the risk to the organisation, and extends beyond ISO 27001's general risk assessment. See our DPIA guide.
- DPO requirements: The appointment, independence, and duties of a DPO are entirely GDPR-specific. See our DPO guide.
- International transfer mechanisms: SCCs, adequacy decisions, BCRs, and transfer impact assessments (TIAs) are GDPR-specific. See our international data transfers guide.
The privacy-specific controls missing from ISO 27001 are the subject of ISO/IEC 27701, the privacy extension to ISO 27001/27002; it closes part of this gap but is not itself a GDPR certification.
Dual Compliance Strategy
The most efficient approach is to pursue ISO 27001 and GDPR compliance as one integrated programme:
- Extend your ISMS scope: Include all personal data processing activities, and the systems and suppliers involved in them, in your ISMS scope. Where the two frameworks overlap (above all Art. 32), the GDPR obligation is then met by controls that are already implemented, measured, and audited.
- Augment your risk assessment: Add data protection risks to your existing risk methodology. ISO 27001 assesses impact on the organisation (loss of confidentiality, integrity, or availability); the GDPR requires assessing the impact on the individuals whose data is processed, so each risk needs a second impact dimension rather than a second risk register.
- Extend your SoA: Add the GDPR requirements from the table above to your Statement of Applicability, each referencing the Annex A controls that address it or the separate measure that does, to create a single compliance matrix.
- Unified documentation: Keep ISO 27001 and GDPR records in a single documentation system, so that an asset inventory entry, its classification, and its record of processing point at the same data and change together.
- Combined audits: Where possible, align internal audit schedules so that one audit covers both the ISO 27001 controls and the GDPR requirements they map to.
Gap Analysis Approach
If you already hold ISO 27001 certification, conduct a targeted gap analysis:
- Review your existing SoA against the GDPR requirements listed in the table above
- Identify the requirements rated "Low" coverage and create dedicated implementation plans for them
- Assess whether your incident management process can classify a security incident as a personal data breach, and reach the notification decision, within the 72 hours after becoming aware of it
- Verify that your supplier management covers the data processing agreement (DPA) requirements of Art. 28(3), not just supplier information security
- Build data subject rights processes from scratch, as ISO 27001 does not cover these
Work through our GDPR Checklist to systematically identify and close all remaining gaps.
Manage ISO 27001 and GDPR in a Single Platform
Kopexa provides pre-built frameworks for both ISO 27001:2022 and GDPR with automated cross-mapping. See at a glance which controls cover both standards and where gaps remain. Eliminate redundancy and achieve dual compliance efficiently.