ISO 27001 and GDPR are two of the most frequently mentioned compliance frameworks in the UK — and they’re often confused with one another, or assumed to be interchangeable. They’re not.
This guide explains what each one is, how they differ, where they overlap, and what the practical implications are for organisations that need to address both.
A Quick Summary
ISO 27001 is an international standard for building and managing an Information Security Management System (ISMS). It’s about how you manage the security of all your information assets — not just personal data. Certification is voluntary in most cases.
GDPR (the UK General Data Protection Regulation, post-Brexit) is a legal obligation. It’s a data protection law that governs how organisations collect, process, store, and share personal data about individuals. Compliance is mandatory if you process personal data.
The key difference: GDPR is law, ISO 27001 is a standard. Non-compliance with GDPR can result in regulatory fines and enforcement action. Non-compliance with ISO 27001 has no direct legal consequence — but it may cost you business.
What Is GDPR?
UK GDPR (retained EU law, now sitting alongside the Data Protection Act 2018) applies to any organisation that processes personal data about individuals in the UK or EU. It establishes:
- Lawful bases for processing — you need a legitimate reason to process personal data (consent, legitimate interests, contract, legal obligation, vital interests, or public task)
- Data subject rights — individuals have the right to access their data, correct it, erase it, restrict processing, and port it
- Accountability obligations — you must be able to demonstrate compliance, including records of processing activities (RoPA), data protection impact assessments (DPIAs), and appropriate technical/organisational measures
- Breach notification — you must notify the ICO within 72 hours of becoming aware of a reportable personal data breach
- Data transfers — special rules apply to transferring personal data outside the UK/EU
Enforcement is handled by the ICO (Information Commissioner’s Office), which has the power to issue fines of up to £17.5 million or 4% of global annual turnover (whichever is higher) for serious breaches.
What ISO 27001 Covers That GDPR Doesn’t
ISO 27001 is broader than GDPR in scope. It applies to all information assets, not just personal data. Your financial records, intellectual property, trade secrets, technical systems, and operational data are all in scope for ISO 27001 — regardless of whether they contain personal data.
ISO 27001 also goes into considerably more detail on:
- Risk assessment methodology — how you systematically identify and evaluate risks
- Security controls — the 93 Annex A controls cover technical, physical, organisational, and people-related security measures in detail
- ISMS management — governance, management review, internal audit, continual improvement
- Security operations — vulnerability management, incident management, access control, secure development, supplier security
GDPR doesn’t prescribe how you manage information security — it simply requires you to have “appropriate technical and organisational measures.” ISO 27001 is one of the clearest ways to evidence what “appropriate” looks like.
What GDPR Covers That ISO 27001 Doesn’t
GDPR focuses on rights and obligations that go well beyond security:
- Lawful basis for processing — ISO 27001 doesn’t require you to justify why you hold data; GDPR does
- Data subject rights — handling access requests, erasure requests, and objections are GDPR obligations with no ISO 27001 equivalent
- Privacy notices — informing individuals about how their data is used
- Records of processing activities (RoPA) — a register of all processing activities under Article 30
- Data Protection Officer (DPO) — certain organisations must appoint a DPO; ISO 27001 has no equivalent requirement
- Data transfers — cross-border transfer mechanisms (adequacy decisions, standard contractual clauses) are GDPR-specific
Achieving ISO 27001 certification does not make you GDPR compliant.
[Figure: ISO 27001 vs GDPR: What Each Framework Covers. Two complementary frameworks — not competing alternatives]
Where They Overlap
Despite the differences, there is significant overlap between ISO 27001 and GDPR — particularly in the area of security of personal data (GDPR Article 5(1)(f) and Article 32).
Article 32 requires organisations to implement “appropriate technical and organisational measures” to ensure a level of security appropriate to the risk. The measures it suggests include:
- Pseudonymisation and encryption of personal data
- Ongoing confidentiality, integrity, availability, and resilience of systems
- The ability to restore access to personal data in a timely manner after an incident
- A process for regularly testing and evaluating security measures
These map almost directly to ISO 27001 controls:
| GDPR Article 32 requirement | ISO 27001 equivalent |
|---|---|
| Encryption and pseudonymisation | Control 8.24 (Use of cryptography) |
| Confidentiality, integrity, availability | Core ISMS principles + multiple controls |
| Ability to restore data | Controls 5.30, 8.13 (backup), 8.14 (redundancy) |
| Regular testing of measures | Control 5.35 (independent review), internal audit |
If you’ve implemented ISO 27001 properly, you’ve addressed the security requirements of Article 32 comprehensively. This is one of the most significant practical benefits of ISO 27001 for GDPR purposes.
There’s also overlap in:
- Incident management — GDPR breach notification requirements align with ISO 27001 incident management controls (5.24–5.28)
- Supplier management — GDPR requires data processing agreements with processors; ISO 27001 Controls 5.19–5.22 cover supplier security management
- Access control — GDPR’s principle of data minimisation reinforces ISO 27001’s least-privilege access controls
- Data retention — GDPR’s storage limitation principle aligns with ISO 27001’s approach to information lifecycle
[Figure: GDPR Article 32 and ISO 27001: The Security Overlap Mapped. ISO 27001 controls address the security obligations in GDPR Article 32 comprehensively]
The Practical Relationship: Implementing Both Together
The most efficient approach for organisations that need to address both frameworks is to implement them together, using a shared foundation of documentation and controls.
What you need for both:
- An information security policy (ISO 27001) / Privacy policy (GDPR)
- A risk assessment (ISO 27001) / Data protection impact assessments for high-risk processing (GDPR)
- Incident response procedure (both)
- Supplier management and data processing agreements (both)
- Staff training on information security and data protection (both)
- Access control and data minimisation (both)
What you need for ISO 27001 only:
- Statement of Applicability
- Full Annex A control implementation
- Internal audit programme
- Management review
- ISMS scope document
What you need for GDPR only:
- Records of processing activities (RoPA)
- Lawful basis documentation for each processing activity
- Privacy notices / fair processing information
- Subject access request procedure
- DPO appointment (if applicable)
- Cross-border transfer mechanisms (if applicable)
[Figure: Implementing ISO 27001 and GDPR Together. Build on a shared foundation — then add the framework-specific layer on top]
Can ISO 27001 Help With ICO Enforcement?
Yes, indirectly. The ICO takes into account the steps an organisation has taken to implement appropriate security measures when assessing penalty levels. ISO 27001 certification is strong evidence of a systematic, risk-based approach to security — and auditors for the ICO understand what it involves.
The ICO’s Capita fine is a useful reference point: the decision specifically noted security shortcomings that ISO 27001 controls would have addressed. Equally, an organisation that is ISO 27001 certified is in a materially stronger position if it faces an ICO investigation.
ISO 27001 is not a shield — certification doesn’t guarantee you’ll never suffer a breach or face regulatory action. But it demonstrates that you took your obligations seriously, which matters when regulators are determining accountability.
Summary
| Area | ISO 27001 | GDPR |
|---|---|---|
| Nature | Voluntary standard | Legal obligation |
| Scope | All information assets | Personal data |
| Focus | Security management system | Rights and obligations around personal data |
| Enforcement | No direct regulatory enforcement | ICO fines up to £17.5m |
| Certification | Third-party certification | No certification — self-assessed compliance |
| Overlap | Article 32 security requirements | Supported by ISO 27001 controls |
The two frameworks are complementary, not competing. Most organisations that need to address both will find that a good ISO 27001 implementation does most of the security heavy lifting for GDPR — with a focused layer of GDPR-specific work on top.
Does ISO 27001 certification mean we’re GDPR compliant?
No — and this is one of the most common misconceptions. ISO 27001 certification means you have a structured, audited information security management system in place. It addresses the security obligations under GDPR Article 32 comprehensively, but GDPR requires additional work that falls entirely outside ISO 27001’s scope: documenting your lawful basis for processing, maintaining a Record of Processing Activities, handling data subject rights requests, and publishing privacy notices. Think of ISO 27001 as doing the security heavy lifting for GDPR — not replacing it.
If GDPR is mandatory, why would we also pursue ISO 27001?
GDPR tells you that you must have appropriate technical and organisational security measures in place — it doesn’t tell you how to do it. ISO 27001 gives you the structured framework to actually implement those measures, and third-party certification gives you auditable evidence that you’ve done so. That evidence matters: the ICO takes it into account when assessing penalty levels, and enterprise customers increasingly require it. GDPR compliance alone rarely satisfies a client security questionnaire; ISO 27001 certification usually does.
We’re a small UK business that doesn’t deal with the EU — does GDPR still apply to us?
Yes. UK GDPR (retained in domestic law alongside the Data Protection Act 2018) applies to any organisation processing personal data about individuals in the UK, regardless of size or whether you have EU customers. If you have employees, customers, or website visitors whose personal data you collect and process, UK GDPR applies to you. There is no small business exemption, though the practical compliance burden is lighter for organisations with lower-risk, smaller-scale processing.
Is it more efficient to implement ISO 27001 and GDPR at the same time?
Generally yes. The two frameworks share a substantial common foundation — risk assessment, incident response, supplier management, access controls, and staff training all satisfy requirements under both. Building that foundation once is significantly more efficient than treating them as separate projects. The ISO 27001-specific work (Statement of Applicability, internal audit, management review) and GDPR-specific work (RoPA, privacy notices, data subject rights procedures) can then be layered on top with relatively little duplication.
Could ISO 27001 certification help us if we face an ICO investigation?
Yes, indirectly but meaningfully. The ICO considers the steps an organisation took to implement appropriate security when determining penalty levels. ISO 27001 certification is strong, independently verified evidence of a systematic, risk-based approach to security — which is precisely what the ICO is looking for. It won’t prevent an investigation if a breach occurs, and it’s not a guarantee of immunity from fines. But an organisation that is certified is in a materially stronger position than one with no documented security framework, both in terms of the penalty level and in demonstrating it took its obligations seriously.
Look up the ICO’s Capita fine (spoiler alert: £14m) and how the ICO said ISO 27001 would have helped.