GDPR and ISO 27001: How They Overlap and Where They Don't

Tech companies selling into European markets and enterprise buyers often face requests for both GDPR compliance and ISO 27001 certification. The two are different categories of compliance with substantial overlap in some areas and almost none in others. Understanding the difference saves real money and avoids the trap of treating them as one project.

This page covers what each framework requires, where the work overlaps, and how to sequence the two efficiently.

What each framework is

GDPR is EU privacy law applicable from 2018. It is a binding regulation enforced by EU member state supervisory authorities, with maximum fines of 20 million euros or 4 percent of global annual turnover. It applies to any organization processing personal data of EU residents, regardless of where the organization is based.

ISO/IEC 27001 is an international information security management standard. The current version is ISO/IEC 27001:2022. It is not a law. ISO 27001 certification is issued by accredited certification bodies after an audit demonstrating that an organization has implemented an Information Security Management System meeting the standard's requirements. Enterprise buyers, particularly in Europe and increasingly in Asia, frequently require ISO 27001 certification before purchasing.

The two are different categories of compliance: GDPR is a legal obligation; ISO 27001 is a market requirement backed by a voluntary certification.

What each framework covers

GDPR covers the lawful processing of personal data. The core obligations include having a lawful basis for processing, providing transparent notices to data subjects, honoring data subject rights (access, rectification, erasure, portability, objection), maintaining Records of Processing Activities, conducting Data Protection Impact Assessments for high-risk processing, appointing a DPO where required, implementing appropriate technical and organizational security measures, managing international data transfers, notifying breaches within 72 hours, and managing relationships with processors via Data Processing Agreements.

ISO 27001 covers the establishment, implementation, maintenance, and continual improvement of an Information Security Management System. The standard requires a documented ISMS, leadership commitment, risk assessment and treatment processes, security objectives and planning, support functions (resources, competence, awareness, communication, documentation), operational planning and control, performance evaluation, and continual improvement. Annex A of the 2022 version contains 93 controls organized into 4 themes: organizational controls, people controls, physical controls, and technological controls.

Where they overlap

The overlap between GDPR and ISO 27001 is significant on the security side. Both frameworks expect:

  • Information security policy. Documented information security policies covering access, encryption, monitoring, and incident response. ISO 27001 Annex A 5.1 (Policies for information security) aligns with GDPR Article 32.

  • Risk management. Documented risk assessment and treatment processes. ISO 27001 clauses 6.1 and 8 align with GDPR Article 32 (security of processing) and Article 35 (DPIA where applicable).

  • Access controls. Limiting access to personal data and information systems to authorized personnel, with role-based access, authentication, and regular access reviews. ISO 27001 Annex A 5.15 through 5.18 align with GDPR Article 32.

  • Cryptography. Encryption of data in transit and at rest with appropriate key management. ISO 27001 Annex A 8.24 aligns with GDPR Article 32.

  • Incident response. Documented incident response procedures with detection, response, and learning capabilities. ISO 27001 Annex A 5.24 through 5.27 align with GDPR Article 33 (breach notification).

  • Supplier and third-party management. Risk assessment of suppliers handling personal data and information, with contractual controls. ISO 27001 Annex A 5.19 through 5.23 align with GDPR Article 28 (processor obligations) and Article 32.

  • Physical security. Protection of facilities housing personal data and information systems. The ISO 27001 Annex A 7.x physical controls align with GDPR Article 32.

  • Asset management. Inventory and classification of information assets including personal data. ISO 27001 Annex A 5.9 through 5.13 align with GDPR Article 30 (RoPA) and Article 32.

If you build an ISO 27001-compliant ISMS, you address most of the security expectations of GDPR Article 32. The Annex A 2022 controls cover a substantial portion of the technical and organizational measures GDPR requires.

Where they do not overlap

The non-overlapping parts of GDPR are the privacy-specific obligations that ISO 27001 does not address:

  • Lawful basis for processing. ISO 27001 does not require you to have or document a lawful basis. GDPR requires this for every processing activity.

  • Privacy notices and transparency. ISO 27001 does not require GDPR-compliant privacy notices. GDPR Articles 13 and 14 have specific content requirements.

  • Data subject rights. ISO 27001 does not require operational capability to handle DSARs, deletion requests, or other GDPR rights. GDPR Articles 15 through 22 require functional response capability.

  • Records of Processing Activities content. ISO 27001 expects asset inventory; GDPR Article 30 expects RoPA with specific privacy content (purposes, lawful bases, retention, transfers, recipients).

  • Data Protection Impact Assessments. ISO 27001 requires risk assessment generally; GDPR Article 35 requires DPIAs with specific content for high-risk processing.

  • DPO appointment. ISO 27001 does not address DPO requirements. GDPR Article 37 requires DPO appointment in specific circumstances.

  • International data transfers. ISO 27001 does not require Transfer Impact Assessments or Standard Contractual Clauses. GDPR Chapter V does.

  • Lawful processing of special category data. ISO 27001 does not require explicit consent or other Article 9 grounds for health, biometric, or other special category data. GDPR does.

  • Children's data. ISO 27001 has no specific children's data requirements. GDPR Article 8 has specific requirements for children.

  • Privacy by design. ISO 27001 has principles around security by design; GDPR Article 25 has specific privacy by design and by default requirements.

There is a related standard, ISO/IEC 27701, which extends ISO 27001 to privacy information management. ISO 27701 addresses some of the privacy-specific gaps but is a separate certification and is less commonly required by buyers than ISO 27001.

How to sequence the two

For most tech companies, the right order is:

Start with GDPR if you have EU customers or plan to. GDPR is a legal obligation; failing to comply can result in fines and enforcement action. Building a privacy program early is significantly cheaper than retrofitting one later.

Add ISO 27001 when enterprise sales require it. ISO 27001 is typically driven by enterprise buyer demand, particularly from European and Asian buyers. Many SaaS companies hit the trigger when their first major European enterprise buyer asks for the certification.

Use GDPR work as the foundation for ISO 27001. If your GDPR program includes solid Article 32 security measures (access controls, encryption, logging, incident response, vendor management), many of the ISO 27001 Annex A controls are already in place. The remaining work is documentation, formalizing the risk assessment, and audit preparation.

Avoid the reverse path. Building ISO 27001 first and then trying to add GDPR usually means significant rework because privacy-specific requirements (consent, transparency, rights, DPO, transfers) were not designed into the program.

Consider ISO 27701 if you want a single certification covering both. ISO 27701 extends ISO 27001 to include privacy management. It is less commonly demanded by buyers than 27001 but does provide certification-level evidence of privacy program maturity.

Realistic timelines and costs

GDPR program build: 3 to 6 months for initial program, then ongoing maintenance. Fractional DPO costs 500 to 5,000 EUR per month depending on tier.

ISO 27001 certification: typically 9 to 15 months from kickoff to certification. Total cost typically 60,000 to 200,000 USD, including a compliance automation platform (Vanta, Drata, and Secureframe all support ISO 27001), implementation consulting, auditor fees, and certification body fees. The certification audit is conducted in stages and is followed by annual surveillance audits, with recertification every three years.

Combined GDPR plus ISO 27001 cost: typically 80,000 to 250,000 USD over 12 to 18 months for a mid-stage tech company, depending on size and complexity.

Who handles each

GDPR work is typically led by a DPO (full-time, fractional, or outsourced). Legal aspects may involve outside privacy counsel.

ISO 27001 work is typically led by a Head of Security, Head of Engineering, or a dedicated Compliance Manager, supported by an automation platform (Vanta, Drata, Secureframe) and a certification body for the audit.

The two can be coordinated by a single program manager or by combined privacy plus security consulting firms.

How Engage Compliance fits

Engage Compliance provides the GDPR and privacy compliance side. Most of our tech clients pair us with a compliance automation platform like Vanta or Drata for the ISO 27001 work.

We design the GDPR program to support ISO 27001 readiness, so the security and operational controls do not need to be redesigned when ISO 27001 work begins. We coordinate with your ISO 27001 implementation team and certification body during the audit cycle.

For clients who want privacy plus security bundled in one engagement, we recommend specialists in combined consulting. We are specifically focused on privacy.

Get started

If you are evaluating how to sequence GDPR and ISO 27001 for your company, book a consultation.