Boundary
ISO 27001 certification does not prove GDPR compliance. ISO controls can support security and accountability, but GDPR scope, lawful bases, transparency, rights, DPIAs, breach decisions, and transfer law require separate legal and operational analysis.
Working map
| GDPR obligation | ISO 27001 support | Additional GDPR evidence still required |
|---|---|---|
| Accountability and policies, Articles 5(2) and 24 | A.5.1 Policies for Information Security, roles, internal audit, management review | Processing inventory, lawful-basis decisions, privacy ownership, rights and DPIA records |
| Privacy by design/default, Article 25 | Secure architecture, change management, access control, secure development | Data minimization, default settings, purpose compatibility, rights and deletion design |
| Processor governance, Article 28 | A.5.19 Supplier Relationships, A.5.20-A.5.23 | Article 28 terms, subprocessor authorization, transfer safeguards, return/deletion, rights assistance |
| Records of processing, Article 30 | Asset inventory, documented procedures, records protection | Purposes, data subjects, personal-data categories, recipients, transfers, erasure limits, privacy-specific ownership |
| Security of processing, Article 32 | Annex A organizational, people, physical, and technological controls | Risk-to-people analysis, processing-specific proportionality, controller/processor allocation |
| Breach notification, Articles 33-34 | A.5.24-A.5.28 incident and evidence controls | Awareness timestamp, risk/high-risk decision, regulator timeline, data-subject communication |
| Privacy and PII requirements | A.5.34 Privacy and Protection of PII | Applicable-law mapping, lawful bases, notices, rights, DPIAs, transfers, supervisory engagement |
| Data-subject rights, Articles 12-22 | Access control, information deletion, records and procedure controls | Request intake, identity verification, search coverage, exemptions, response deadlines, completion evidence |
Use the crosswalk correctly
- Start from a GDPR processing obligation, not an ISO control catalog.
- Identify the processing activity and risk to people.
- Select ISO controls that support implementation.
- Add GDPR-specific decisions and evidence that ISO does not supply.
- Test both technical operation and legal/rights workflow.
- Record gaps explicitly; do not translate a partial mapping into a compliance claim.
Related resources
- PII Inventory and Privacy Requirements Matrix
- Privacy Breach Notification Readiness Checklist
- A.5.34 Audit Question
Primary references
- Gdpr
- Iso27001
- Crosswalk
- Privacy
- Engineering
Note Metadata
Aliases: GDPR ISO 27001 Crosswalk
Source: https://eur-lex.europa.eu/eli/reg/2016/679/oj/eng
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- ISO 27001 A.5.1 - Policies for Information Security
- ISO 27001 A.5.19 - Information Security in Supplier Relationships
- ISO 27001 A.5.34 - Privacy and Protection of PII
- AQ-ISO27001-A.5.34 Privacy and Protection of PII
- PII Inventory and Privacy Requirements Matrix
- Privacy Breach Notification Readiness Checklist