Expert Advice Community


Compliance with ISO 27001 and GDPR

Guest user Created:   Mar 13, 2019 Last commented:   Mar 14, 2019

„This Policy and the entire ISMS must be compliant with legal and regulatory requirements relevant to the organization in the field of information security, as well as with contractual obligations.“ - requirement in the Information Security Policy.

Rhand Leal Mar 13, 2019

1. So if we have GDPR requirements as regulatory requirement, does our ISMS have to be also fully compliant with GDPR?

Answer: If the information you want the ISMS to protect includes information under GDPR, your ISMS has to be compliant with GDPR Article 32 (the information security requirements in GDPR). For example, if the information included in your ISMS scope does not include personal data from EU citizens, your ISMS does not need to be compliant with GDPR.

This article can provide you further information about ISMS requirements:
- How to identify ISMS requirements of interested parties in ISO 27001

2. How does it reflect in the audit?

Answer: If GDPR is a requirement for your ISMS, during certification and surveillance audits the auditor will check whether the controls deemed necessary to ensure compliance with GDPR Article 32 are implemented and working properly.

3. Can we exclude the GDPR from the requirements list? How to manage this?

Answer: As mentioned in answer 1, if the information you want the ISMS to protect does not include personal data from EU citizens, you can exclude the GDPR from the ISMS requirements list.

4. What if an auditor sees that we conform to the ISO 27001 requirements but not to the GDPR? I mean that the GDPR involves more requirements than ISO 27001, so it extends the ISO 27001 scope; I suppose it shouldn't be like that.

Answer: If the GDPR is a requirement for the ISMS and you are not fully compliant with Article 32, then the certification auditor cannot proceed with the recommendation for certification until you are fully compliant with the article's requirements.

To see what ISO 27001 documents that are compliant with GDPR look like, see the free demo of this EU GDPR & ISO 27001 Integrated Documentation Toolkit at this link:

These materials will provide you further explanation about the relation between ISO 27001 and GDPR:
- Does ISO 27001 implementation satisfy EU GDPR requirements?
- What is EU GDPR and how can ISO 27001 help?

mariusc Mar 14, 2019

Could you please provide an example of an ISMS scope where the requirements of GDPR are not obligatory? I can hardly imagine this when talking about an ISMS for the whole company, as any data of an employee is considered personal.
So do I understand correctly that these could only be some exceptional cases where the ISMS does not include employees? Is it somehow possible?

Thank You.

Rhand Leal Mar 16, 2019

Answer: If you are an organization operating inside the EU, and your scope is the whole organization, then indeed you will not be able to exclude GDPR (as you said, at least the personal data of your employees will have to be protected considering Article 32).

As for an example where you can exclude GDPR from your ISMS list of requirements, even if you operate inside the EU, I can mention a scope limited to the Research and Development process/department, provided that it does not use EU citizens' personal data in test databases.
