Please note that ISO 27001 was designed to be implemented by organizations of any size and industry, so it can be applicable to your organization. Freelancers/consultants can be viewed as outsourced services and treated accordingly.
Regarding GDPR, it depends on the activity of your organization. If your organization processes a high volume of personal data, monitors behavior, or processes special categories of personal data such as health data, political opinions, sexual orientation, or criminal convictions, then you require a Data Protection Officer (DPO). If your organization does not deal with this data, you do not require a DPO.
The DPO does not need to be an employee of the organization. This role can be outsourced, but you need to ensure that the required roles and responsibilities are included in the contract or service agreement.
These articles will provide you with further explanation of ISO 27001 and the DPO: