ISO27001 is a framework for information protection. The GDPR's focus is personal data, which is considered critical information and therefore needs to be protected. Some of the GDPR requirements are not covered by ISO27001, but the standard can help with compliance with the regulation. For example, if in the implementation of the ISO standard you identify personal data as an asset, most of the GDPR requirements will be covered.
Some of the ISO27001 requirements will help you in your quest to be GDPR compliant regardless of how you identify personal data. For example, the risk assessment, an essential part of the standard, is similar to the Data Protection Impact Assessment that is required for GDPR compliance. ISO27001 also guides organizations through the implementation of a data policy and the protection of personal information, bringing them one step closer to compliance with the Regulation.
Asset management, or the asset inventory, is another critical step when implementing ISO27001. In doing so, most organizations will find they need to clarify what personal data they use, where they store it, how long they store it for and who has access to it. Seeing as the GDPR requires organizations to clearly describe their use of personal data, implementing this step of the ISO standard will be helpful.
Breach notification, an extremely important part of the Regulation, will be easier to manage if your organization has implemented ISO27001. The standard will ensure "a consistent and effective approach to the management of information security incidents, including communication on security events." As a result, implementing incident management will bring the organization closer to compliance with the GDPR.
Another well-known GDPR requirement, privacy by design and by default, will be aided by the implementation of ISO27001, as the standard puts a strong emphasis on information security.
ISO27001 is a broad standard. Its implementation is not mandatory for those who want to be GDPR compliant. Those who do implement it will find the standard very helpful in their journey toward compliance with the Regulation.