The ISO 27001 & ISO 22301 Blog

Carla Bouca

Does ISO 27001 implementation satisfy EU GDPR requirements?

Lately, I’ve been asked questions like: “If ISO 27001 is implemented in my organization, will it fully comply with European General Data Protection Regulation (EU GDPR) requirements?” and “Our company is ISO 27001 certified. Are we already compliant with EU GDPR?”

The new regulation introduces a set of rules that require organizations to implement controls to protect personal data. Implementation of ISO 27001 will help organizations respond to this requirement.

Does my organization need to be EU GDPR compliant?

As I wrote in my last article, What is the EU GDPR and why is it applicable to the whole world?, there are two types of responsibilities regarding the protection of personal data – data “controllers” and data “processors.”

Specifically, any business that determines the purposes and means of processing personal data is considered a “controller.” Any business that processes personal data on behalf of the controller is considered a “processor.”

So, the organizations that need to be EU GDPR compliant are companies (controllers and processors) whether established in the EU or not, offering goods or services within the EU or to EU individuals.

How are EU GDPR and ISO 27001 related?

ISO 27001 is a framework for information protection. According to GDPR, personal data is critical information that all organizations need to protect. Of course, there are some EU GDPR requirements that are not directly covered in ISO 27001, such as supporting the rights of personal data subjects: the right to be informed, the right to have their data deleted, and data portability. But, if the implementation of ISO 27001 identifies personal data as an information security asset, most of the EU GDPR requirements will be covered.

ISO 27001 provides the means to ensure this protection. There are many points where the ISO 27001 standard can help companies achieve compliance with this regulation. Here are just a few of the most relevant ones:

  • Risk Assessment – Because of the high fines defined in EU GDPR and their major financial impact on organizations, it is only natural that the risk to personal data found during risk assessment is too high not to be dealt with. On the other side, one of the new requirements of the EU GDPR is the implementation of Data Protection Impact Assessments, where companies first have to analyze the privacy risks, just as risk assessment is required by ISO 27001. Of course, when implementing ISO 27001, personal data must be classified as highly critical, in line with control A.8.2.1 (Classification of information): “Information should be classified in terms of legal requirements, value, criticality and sensitivity to unauthorized disclosure or modification.” (Read the article ISO 27001 risk assessment & treatment – 6 basic steps to learn more.)
  • Compliance – By implementing ISO 27001, because of control A.18.1.1 (Identification of applicable legislation and contractual requirements), it is mandatory to have a list of relevant legislative, statutory, regulatory, and contractual requirements. If the organization needs to be compliant with EU GDPR (see section above), this regulation will have to be part of this list. In any case, even if the organization is not covered by the EU GDPR, control A.18.1.4 (Privacy and protection of personally identifiable information) of ISO 27001 guides organizations through the implementation of a data policy and protection of personally identifiable Information.
  • Breach notification – Companies will have to notify data protection authorities within 72 hours after a breach of personal data has been discovered. The implementation of ISO 27001 control A.16.1 (Management of information security incidents and improvements) will ensure “a consistent and effective approach to the management of information security incidents, including communication on security events.” According to EU GDPR, data subjects (“The Data Subject is a living individual to whom personal data relates.”) will also have to be notified, but only if the breach poses a “high risk to data subject’s rights and freedom.” Implementing incident management, which results in the detection and reporting of personal data incidents, will be an improvement for any organization wishing to conform to GDPR.
  • Asset Management – ISO 27001 control A.8 (Asset Management) leads to the inclusion of personal data as information security assets and allows organizations to understand what personal data is involved, where it is stored, for how long, what its origin is, and who has access to it, all of which are requirements of EU GDPR.
  • Privacy by Design – The adoption of Privacy by Design, another EU GDPR requirement, becomes mandatory in the development of products and systems. ISO 27001 control A.14 (System acquisitions, development and maintenance) ensures that “information security is an integral part of information systems across the entire lifecycle.”
  • Supplier Relationships – ISO 27001 control A.15.1 (Information security in supplier relationships) requires the “protection of the organization’s assets that are accessible by suppliers.” Under GDPR, when an organization delegates the processing or storage of personal data to suppliers, it shall require compliance with the requirements of the regulation through formal agreements.

Is ISO 27001 enough?

In addition to the adopted technical controls, structured documentation, monitoring, and continuous improvement, the implementation of ISO 27001 promotes a culture and awareness of security incidents in organizations. The employees of these organizations are more aware and have more knowledge to be able to detect and report security incidents. Information security is not only about technology; it’s also about people and processes.

The ISO 27001 standard is an excellent framework for compliance with the EU GDPR. If the organization has already implemented the standard, it is at least halfway toward ensuring the protection of personal data and minimizing the risk of a leak, whose financial and reputational impact could be catastrophic for the organization. The first thing an organization should do is conduct an EU GDPR gap analysis to determine what remains to be done to meet the EU GDPR requirements; these requirements can then be easily added through the Information Security Management System that is already established by ISO 27001.

From the ISO 27000 family, ISO/IEC 27018 (Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors) should also be consulted if the organization stores or processes personal data in the cloud. See the article ISO 27001 vs. ISO 27018 – Standard for protecting privacy in the cloud to learn more.

To summarize, almost any company that is operating internationally will have to comply with this regulation. As ISO 27001 is internationally recognized and implemented all over the world, it may be the best option to facilitate immediate compliance with EU GDPR.

To learn more about this topic, download this free white paper: What is EU GDPR and how can ISO 27001 help?

6 responses to “Does ISO 27001 implementation satisfy EU GDPR requirements?”

  1. Dietmar says:

    Hi Carla, just read your blog and kind of disagree. Maybe you can add your comments. In my understanding ISO 27001 is an intersection of GDPR. So compliance to ISO 27001 does not necessarily mean you are compliant with GDPR. There are some additional asks like data minimization or a DPO which supersede what is asked in ISO.

    • Rhand Leal says:

      Hi, Dietmar. First of all, thanks for your feedback.

      Your understanding is right, ISO 27001 is not enough to ensure compliance with GDPR, as Carla mentioned in the second and third paragraphs of section “Is ISO 27001 enough?”, when she says that an EU GDPR GAP Analysis is needed to determine what remains to be done, and that recommendation from ISO/IEC 27018 can help fill these gaps.

      • JulesNzietchueng says:

        Hi Rhand. I agree, as Carla explained, ISO 27001 is a good foundation but is not enough to be fully GDPR compliant.

  2. Dusan Jovanovic says:

    One can implement GDPR without any involvement or knowledge of ISO “anything” including ISO 27001.
    EU GDPR commission has been careful in not requiring any external technology or methodology so that one can “implement the GDPR herself”.

    ISO 27001 is definitely not a precursor or any kind of requirement to implement the GDPR.

    • Andrei Hanganu says:

      There is nothing in our materials to suggest that ISO 27001 or any other standard would be a mandatory requirement for being compliant with the EU GDPR.

      ISO 27001 is a worldwide recognized standard that emphasizes the need to maintain “confidentiality, integrity, availability and resilience” of data as well as the need to regularly test, assess and evaluate the effectiveness of security controls, similar to the requirements of EU GDPR article 32 – “Security of processing” https://advisera.com/eugdpracademy/gdpr/security-of-processing/

      So, although not mandated by the EU GDPR, ISO 27001 would be a good starting point in terms of security controls.

      • EmEll says:

        Well, ISO 27001 is linked to the information flaws into the companies, it contains measures which lead more easily to manage the information flaws and more secure procedures.
        GDPR is linked basically to the subject of data rights about their privacy data.
        These are the main differences between ISO 27001 and GDPR.
