How to Map ISO 27001 Controls to GDPR Requirements

Team CertBetter

If your business handles personal data and you are working toward ISO 27001 certification, you have probably wondered how much overlap there is with GDPR. The short answer is: quite a lot. But the overlap is not a perfect match, and assuming it is will leave gaps that could cost you dearly. Mapping ISO 27001 controls to GDPR requirements is one of the smartest things you can do to reduce duplication of effort, satisfy auditors, and demonstrate accountability to regulators at the same time.

This guide walks you through how to do that mapping practically, where the two frameworks genuinely align, where they diverge, and what you need to do to cover both without building two entirely separate compliance programmes.

Why Mapping ISO 27001 to GDPR Makes Sense

ISO 27001 is an information security standard. GDPR is a privacy regulation. They are not the same thing, but they share a significant amount of common ground because both are fundamentally concerned with protecting information from unauthorised access, misuse, and loss.

Businesses that treat them as entirely separate programmes end up with duplicated policies, confused staff, and wasted resources. Businesses that map them together get a leaner system that satisfies both requirements with less overhead.

There is also a practical compliance argument. Under GDPR, you are required to implement “appropriate technical and organisational measures” to protect personal data. ISO 27001 is widely recognised by data protection authorities as strong evidence that you have done exactly that. It does not automatically make you GDPR compliant, but it gives you a documented, audited framework that regulators take seriously.

For Australian businesses that handle data from EU residents or operate in markets where GDPR applies, this matters directly. Even for businesses operating purely domestically, the Privacy Act 1988 and the Australian Privacy Principles share enough DNA with GDPR that the mapping exercise is still worthwhile.

Understanding the Frameworks Before You Map Them

What ISO 27001 Actually Covers

ISO 27001 is structured around an Information Security Management System, or ISMS. It requires you to identify information security risks, select controls from Annex A to treat those risks, and operate, monitor, and continually improve the system. If you are new to the standard, a good starting point is understanding what an ISMS actually involves before diving into the mapping exercise.

The current version, ISO 27001:2022, restructured Annex A into four themes containing 93 controls. Those themes are organisational controls, people controls, physical controls, and technological controls. Each control addresses a specific aspect of information security risk.

What GDPR Actually Requires

GDPR is built around seven core principles: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability. It also imposes specific obligations around data subject rights, data breach notification, data protection impact assessments, and third-party processor management.

Article 32 of GDPR is the most directly relevant to ISO 27001. It requires controllers and processors to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including encryption, pseudonymisation, ongoing confidentiality, integrity, availability, and resilience of processing systems.

The Core Mapping: Where ISO 27001 Controls Align With GDPR

The mapping below is not exhaustive, but it covers the most important connections. Use this as the foundation for your own gap analysis.

Article 5 and Article 32: Security of Processing

This is the heart of the overlap. GDPR Article 32 requires technical and organisational security measures. ISO 27001 Annex A is essentially a catalogue of exactly those measures. Controls such as A.8.24 (use of cryptography), A.8.9 (configuration management), A.8.7 (protection against malware), and A.8.12 (data leakage prevention) all directly support the Article 32 obligation.

When you document your Statement of Applicability under ISO 27001, you can add a column that maps each selected control to the relevant GDPR article. This single document then serves as evidence for both your certification auditor and any data protection authority that asks how you are meeting your security obligations.

Article 30: Records of Processing Activities

GDPR requires you to maintain a record of processing activities. ISO 27001 Annex A control A.5.9 requires you to maintain an inventory of information assets. These are not identical, but they are close enough that a well-designed asset register can satisfy both requirements with minimal additional work.

Your asset register under ISO 27001 should already capture what information you hold, where it is stored, who is responsible for it, and how it is classified. To satisfy Article 30, you need to add the legal basis for processing, the categories of data subjects, and any third-party transfers. Extending the same register to cover these fields is far more efficient than building a separate GDPR record of processing activities from scratch.

Articles 33 and 34: Data Breach Notification

GDPR requires you to notify the relevant supervisory authority within 72 hours of becoming aware of a personal data breach, and to notify affected individuals in high-risk situations. ISO 27001 control A.5.24 (information security incident management planning and preparation) and A.5.26 (response to information security incidents) directly support this obligation.

Your ISO 27001 incident response procedure should already define how incidents are detected, classified, escalated, and responded to. To align it with GDPR, you need to add a classification step that identifies whether an incident involves personal data, a decision tree for whether it crosses the notification threshold, and documented timelines for notification. This is an extension of your existing procedure, not a new one.

Article 28: Processor Agreements

GDPR requires you to have written contracts with any third party that processes personal data on your behalf. ISO 27001 control A.5.19 (information security in supplier relationships) and A.5.20 (addressing information security within supplier agreements) require you to manage information security requirements in supplier contracts.

Again, these are not identical, but you can design your supplier security requirements to incorporate the GDPR processor agreement clauses. One supplier assessment process, one contract template, two compliance obligations met.

Article 25: Data Protection by Design and by Default

This GDPR principle requires you to build privacy into your systems from the outset rather than bolting it on afterwards. ISO 27001 control A.8.27 (secure system architecture and engineering principles) and A.8.25 (secure development life cycle) support this requirement. If you are documenting your secure development practices for ISO 27001, you can explicitly reference data minimisation and privacy-by-design principles within those procedures.

Article 35: Data Protection Impact Assessments

GDPR requires a DPIA for high-risk processing activities. ISO 27001 requires a risk assessment for information security risks. These are different in scope, but the methodology is similar. Your ISO 27001 risk assessment process, particularly the identification and evaluation of risks to personal data, can feed directly into your DPIA process. Many organisations use a single risk framework that captures both information security and privacy risks, with separate outputs for each obligation.

Understanding how to structure your ISO 27001 risk assessment is essential before you try to extend it to cover DPIA requirements.

Where ISO 27001 Does Not Cover GDPR

This is the part that catches people out. ISO 27001 is a security standard. It does not address privacy rights, lawful basis for processing, or consent management. If you rely solely on ISO 27001 controls to claim GDPR compliance, you will have significant gaps.

Data Subject Rights

GDPR gives individuals rights including access, rectification, erasure, portability, and objection. None of these are addressed by ISO 27001 controls. You need separate procedures for handling data subject requests, with defined response timelines and escalation paths.

Lawful Basis for Processing

ISO 27001 says nothing about whether you have a legal right to process data in the first place. GDPR requires you to identify and document a lawful basis for every processing activity. This is a privacy governance requirement, not a security one.

Consent Management

Where your lawful basis is consent, GDPR imposes specific requirements around how consent is obtained, recorded, and withdrawn. This is entirely outside the scope of ISO 27001.

Cross-Border Data Transfers

GDPR restricts transfers of personal data to countries outside the EU without adequate protections. ISO 27001 does not address this directly, although controls around supplier management and data classification can support your transfer impact assessments.

This is precisely why ISO 27001 is often implemented alongside ISO 27701, the Privacy Information Management System standard, which extends ISO 27001 to cover privacy management requirements and maps directly to GDPR obligations including data subject rights and lawful basis documentation.

Building Your Mapping Document

A practical mapping document does not need to be complicated. A well-structured spreadsheet or table works perfectly well. Here is how to build one that will actually be useful.

Step 1: List Your GDPR Obligations

Start with the GDPR articles that apply to your business. For most organisations, this will include Articles 5, 6, 7, 12 to 23 (data subject rights), 25, 28, 30, 32, 33, 34, and 35. If you use processors or transfer data internationally, add Articles 44 to 49.

Step 2: List Your ISO 27001 Controls

Pull your Statement of Applicability. This lists every Annex A control you have selected as applicable, along with your justification for inclusion or exclusion. This is your starting inventory of ISO 27001 controls.

Step 3: Create the Mapping

For each GDPR article, identify which ISO 27001 controls contribute to meeting that requirement. Be honest about partial coverage. A control that contributes to a GDPR requirement but does not fully satisfy it should be flagged as partial, not ticked off as complete.

Step 4: Identify the Gaps

Every GDPR obligation that has no corresponding ISO 27001 control, or only partial coverage, is a gap. These gaps need to be addressed through additional policies, procedures, or technical measures that sit outside your ISMS but should be referenced from it.

Step 5: Assign Ownership

For each gap, assign a responsible person and a target date. Without ownership, gap analysis exercises produce documents that nobody acts on. The mapping document should be a living tool, not a one-time exercise.
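As an added illustration of Steps 3 to 5 (constructed example code, not CertBetter's or any project's tooling), this Python script grades each GDPR obligation as full, partial or gap from a mapping table, and also checks each mapped control against the Statement of Applicability: a control the SoA excludes is not evidence, however the spreadsheet is coloured. The SoA excerpt, mapping rows, obligation list and owner names are all constructed for the example; the same layout (article, control, coverage status, owner) is the spreadsheet described in the FAQ.

```python
from collections import defaultdict

# Constructed Statement of Applicability excerpt: control id -> selected as applicable?
# A.8.12 is deliberately marked excluded to exercise the check in assess().
SOA = {"A.5.9": True, "A.5.19": True, "A.5.20": True, "A.5.24": True,
       "A.5.26": True, "A.8.24": True, "A.8.12": False}

# Constructed mapping rows: (GDPR obligation, Annex A control, claimed coverage).
# "full": the control alone satisfies the obligation; "partial": it only contributes.
MAPPING = [
    ("Art. 32", "A.8.24", "partial"), ("Art. 32", "A.8.12", "partial"),
    ("Art. 30", "A.5.9", "partial"),
    ("Art. 33/34", "A.5.24", "full"), ("Art. 33/34", "A.5.26", "full"),
    ("Art. 28", "A.5.19", "partial"), ("Art. 28", "A.5.20", "full"),
]

# Obligations in scope (Step 1); anything with no usable control becomes a gap.
OBLIGATIONS = ["Art. 5", "Art. 6", "Art. 15-22", "Art. 25", "Art. 28",
               "Art. 30", "Art. 32", "Art. 33/34", "Art. 35"]

# Constructed owner assignments (Step 5); missing entries are reported as UNASSIGNED.
OWNERS = {"Art. 30": "Privacy lead", "Art. 32": "CISO"}

def assess(obligations, mapping, soa):
    """Return {obligation: (status, supporting_controls, excluded_controls)}."""
    rows = defaultdict(list)
    for obligation, control, coverage in mapping:
        rows[obligation].append((control, coverage))
    result = {}
    for obligation in obligations:
        supporting, excluded = [], []
        for control, coverage in rows.get(obligation, []):
            if soa.get(control, False):
                supporting.append((control, coverage))
            else:
                excluded.append(control)  # excluded or unlisted in the SoA: not evidence
        if not supporting:
            status = "gap"
        elif any(cov == "full" for _, cov in supporting):
            status = "full"
        else:
            status = "partial"  # contributes but does not satisfy: flag it, do not tick it off
        result[obligation] = (status, [c for c, _ in supporting], excluded)
    return result

def action_items(result, owners):
    """Every partial or gap obligation needs a named owner (Step 5)."""
    return [(ob, status, owners.get(ob, "UNASSIGNED"))
            for ob, (status, _, _) in result.items() if status != "full"]

if __name__ == "__main__":
    for ob, (status, used, dropped) in assess(OBLIGATIONS, MAPPING, SOA).items():
        print(f"{ob:<10} {status:<8} controls={used} excluded_in_soa={dropped}")
```

With the constructed data, Article 32 comes out as partial rather than full because A.8.12 is excluded in the SoA, which is exactly the overstatement a reviewer should catch.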

Practical Tips for Businesses Doing This for the First Time

Here are a few things that will save you time and frustration.

First, do not start from scratch. The European Union Agency for Cybersecurity has published guidance on security measures for personal data processing that directly references ISO 27001 controls. Use this as a reference point when building your mapping.

Second, involve your privacy and legal teams early. The mapping exercise will surface questions about lawful basis and data subject rights that your information security team cannot answer alone. The sooner those conversations happen, the better.

Third, use your ISMS documentation as the primary record. Do not build a separate GDPR compliance system if you can avoid it. Extend your existing ISMS policies and procedures to cover GDPR requirements where possible. This reduces document sprawl and makes audits easier.

Fourth, review the mapping annually. Both ISO 27001 and your GDPR obligations change over time as your business processes change, new systems are introduced, and regulatory guidance evolves. Build the review into your existing management review process under ISO 27001 Clause 9.3.

Fifth, consider ISO 27701 if privacy is a significant part of your business. ISO 27018 is also worth understanding if you process personal data in cloud environments, as it provides specific controls for cloud-based personal data handling that complement both ISO 27001 and GDPR.

What Auditors and Regulators Actually Look For

When a GDPR supervisory authority investigates a data breach or complaint, they are not looking for a perfect mapping document. They are looking for evidence that you took privacy seriously, that you had documented processes, that you trained your staff, and that you responded appropriately when things went wrong.

ISO 27001 certification gives you a strong foundation for that evidence. Your audit reports, corrective action records, risk assessments, and management review minutes all demonstrate a functioning system. But you also need to show that your system specifically addresses personal data, not just information security in general.

The practical way to do this is to ensure that personal data appears explicitly in your asset register, your risk assessment, your incident response procedures, and your supplier agreements. It should not be implied or assumed. It should be documented.

For ISO 27001 certification auditors, the mapping exercise demonstrates that you have thought carefully about the context of your ISMS and the legal obligations that apply to your organisation, which is exactly what Clauses 4.1 and 4.2 of the standard require.

Getting Help With the Mapping Exercise

Mapping ISO 27001 controls to GDPR is genuinely useful work, but it does require someone who understands both frameworks. Many businesses find that their IT team understands ISO 27001 but not GDPR, while their legal team understands GDPR but not ISO 27001. The gap between those two knowledge bases is where compliance failures tend to live.

If you are building this capability for the first time, working with a consultant who has experience in both information security and privacy management will get you to a defensible position faster than trying to piece it together from separate workstreams.

If you are looking for an ISO 27001 consultant who understands the privacy dimension of information security, CertBetter can connect you with verified consultants who have relevant experience. You submit one form, receive up to three competing quotes from vetted providers, and the service costs you nothing. It is a practical starting point if you are not sure where to begin.

Frequently Asked Questions

No, ISO 27001 certification does not automatically make you GDPR compliant. ISO 27001 covers information security controls and is strong evidence of appropriate technical and organisational measures under GDPR Article 32, but it does not address privacy-specific obligations such as lawful basis for processing, data subject rights, consent management, or cross-border transfer restrictions. You need to supplement your ISMS with privacy-specific policies and procedures to achieve full GDPR compliance.

A structured spreadsheet or table that lists each relevant GDPR article alongside the corresponding ISO 27001 Annex A controls is the most practical approach. Include a column for coverage status (full, partial, or gap), a column for the responsible owner, and a column for any additional measures needed. This document should be reviewed at least annually and updated whenever your processing activities or ISMS controls change.

ISO 27701 is not mandatory, but it is the most efficient way to extend ISO 27001 to cover privacy management requirements including those under GDPR. It maps directly to GDPR obligations and provides a structured framework for managing privacy information. For businesses that handle significant volumes of personal data or operate in privacy-sensitive sectors, ISO 27701 alongside ISO 27001 is a much cleaner solution than trying to bolt GDPR compliance onto an ISMS that was not designed with privacy in mind.

ISO 27001 Annex A controls A.5.19 and A.5.20 require you to manage information security requirements in supplier relationships and contracts. GDPR Article 28 requires written contracts with processors covering specific data protection obligations. These requirements overlap significantly. You can design a single supplier assessment and contract framework that satisfies both, provided you include the GDPR-specific clauses around processing instructions, sub-processor management, data subject rights assistance, and breach notification in your supplier agreements.

The ISO 27001 risk assessment methodology can inform and feed into a DPIA, but the two processes serve different purposes and are not interchangeable. A DPIA under GDPR specifically assesses risks to the rights and freedoms of individuals arising from data processing activities, whereas an ISO 27001 risk assessment focuses on risks to information assets. You can use a shared risk framework and methodology, but the DPIA output needs to address the specific GDPR criteria including necessity, proportionality, and measures to address risks to data subjects.

The mapping should be reviewed at least annually, and whenever there is a material change to your processing activities, a significant update to your ISMS controls, or relevant regulatory guidance is issued. The most practical approach is to incorporate the review into your existing ISO 27001 management review cycle under Clause 9.3, so it happens as part of your normal system maintenance rather than as a separate exercise that gets deprioritised.

Dilawar Laghari

Hi! I am Dilawar Laghari, founder of CertBetter.

I created CertBetter to help anyone compare ISO certification providers for free.