UnixTime

Research Note

GDPR to ISO 27001 Engineering Crosswalk

A responsibility-aware map from GDPR obligations to ISO 27001 governance and Annex A controls without treating ISO certification as proof of GDPR compliance.

On this page

Boundary

ISO 27001 certification does not prove GDPR compliance. ISO controls can support security and accountability, but GDPR scope, lawful bases, transparency, rights, DPIAs, breach decisions, and transfer law require separate legal and operational analysis.

Working map

GDPR obligation ISO 27001 support Additional GDPR evidence still required
Accountability and policies, Articles 5(2) and 24 A.5.1 Policies for Information Security, roles, internal audit, management review Processing inventory, lawful-basis decisions, privacy ownership, rights and DPIA records
Privacy by design/default, Article 25 Secure architecture, change management, access control, secure development Data minimization, default settings, purpose compatibility, rights and deletion design
Processor governance, Article 28 A.5.19 Supplier Relationships, A.5.20-A.5.23 Article 28 terms, subprocessor authorization, transfer safeguards, return/deletion, rights assistance
Records of processing, Article 30 Asset inventory, documented procedures, records protection Purposes, data subjects, personal-data categories, recipients, transfers, erasure limits, privacy-specific ownership
Security of processing, Article 32 Annex A organizational, people, physical, and technological controls Risk-to-people analysis, processing-specific proportionality, controller/processor allocation
Breach notification, Articles 33-34 A.5.24-A.5.28 incident and evidence controls Awareness timestamp, risk/high-risk decision, regulator timeline, data-subject communication
Privacy and PII requirements A.5.34 Privacy and Protection of PII Applicable-law mapping, lawful bases, notices, rights, DPIAs, transfers, supervisory engagement
Data-subject rights, Articles 12-22 Access control, information deletion, records and procedure controls Request intake, identity verification, search coverage, exemptions, response deadlines, completion evidence

Use the crosswalk correctly

  1. Start from a GDPR processing obligation, not an ISO control catalog.
  2. Identify the processing activity and risk to people.
  3. Select ISO controls that support implementation.
  4. Add GDPR-specific decisions and evidence that ISO does not supply.
  5. Test both technical operation and legal/rights workflow.
  6. Record gaps explicitly; do not translate a partial mapping into a compliance claim.

Primary references

  • Gdpr
  • Iso27001
  • Crosswalk
  • Privacy
  • Engineering

Note Metadata

Aliases: GDPR ISO 27001 Crosswalk

Source: https://eur-lex.europa.eu/eli/reg/2016/679/oj/eng

Graph-sourced resources

Templates and evidence

Auditor evidence packs

Evidence collections and audit-facing verification material.