In many SMEs, ISO 27001 and GDPR are mentioned in the same sentence, even though they address different areas. In practice this often shows as a company preparing a privacy statement and thinking it has covered information security, or building an information security management system but overlooking the specific requirements that apply to personal data processing.
In this article, we clarify what ISO 27001 and GDPR mean, where they differ, and where they support each other. You'll also get a practical roadmap on how to build an effective overall solution for your company without duplicating efforts.
ISO 27001 and GDPR are not the same thing
ISO 27001 is an international standard that helps organizations establish a systematic information security management model. It defines how a company identifies risks, selects security measures, assigns responsibilities, and monitors that information security works in daily operations.
GDPR, the EU's General Data Protection Regulation, is legislation. It governs how an organization may process personal data, the legal bases for processing, the rights of data subjects, and what a company must do in case personal data is compromised.
Practically, the difference often looks like this:
| Aspect | ISO 27001 | GDPR |
|---|---|---|
| Nature | Standard | Law and regulation |
| Primary focus | Information security management | Protection of personal data |
| Scope | All data and information assets | Personal data |
| Mandatory | Voluntary unless a client or contract requires it | Mandatory if you process personal data |
| Certification | Organization-wide certification possible | No certification of overall compliance (the Article 42 certification schemes cover specific processing, not the whole organization) |
| Approach | Risk-based management model | Legal bases, obligations, and data subject rights |
If you want to summarize it with one question, ask this: are you protecting all your company’s data or ensuring lawful processing of personal data? Usually, the answer is that you need both.
Note
ISO 27001 does not replace GDPR, nor does GDPR alone create comprehensive information security. They solve different problems, even if they partly use the same practical methods.
What do they have in common in practice?
Although ISO 27001 and GDPR come from different frameworks, they intersect in many practical areas. Both require the company to know what data it processes, where the data is located, who can access it, and what happens if data is lost, altered, or leaked.
Common themes include:
- risk management
- access rights management
- staff guidance and training
- incident handling
- supplier management
- documentation and evidence of measures taken
- continuous improvement
Take, for example, a human resources system. If it processes employee personal data, GDPR defines the rules for that processing. ISO 27001 helps ensure system access rights are restricted, backups work, logs are recorded, and incidents are managed in a controlled way.
A good rule of thumb is:
- GDPR answers the question: "Are we allowed to process this data?"
- ISO 27001 answers the question: "How do we securely manage this data?"
The biggest difference: privacy vs. security
Many use the terms privacy and information security (in Finnish, tietosuoja and tietoturva) interchangeably. However, understanding the difference is important, as it directly affects what the company needs to do.
Privacy means the lawful and appropriate processing of personal data. This includes legal bases for processing, obligation to inform, retention periods, and the rights of data subjects, such as the right to access their own data.
Information security means protecting information so that its confidentiality, integrity, and availability are maintained. In practice, this means only authorized personnel can view data, data cannot be altered accidentally, and data is available when needed.
The table below helps illustrate the difference:
| Question | Mainly related to GDPR | Mainly related to ISO 27001 |
|---|---|---|
| What legal basis governs personal data processing? | Yes | Not directly |
| How long is data retained? | Yes | Partly |
| Who gets access to the system? | Partly | Yes |
| How are risks assessed and managed? | Partly | Yes |
| How is an information security incident handled? | Yes, if involving personal data | Yes |
| How do you demonstrate the level of control to management and clients? | Partly | Yes |
If your company processes customer registers, employee data, or user data from online services, GDPR inevitably applies. If you want to manage your entire organization's security consistently, ISO 27001 provides that structure.
Where does ISO 27001 help directly with GDPR requirements?
Though ISO 27001 is not a privacy law, it supports many practical obligations of GDPR. This is especially important for SMEs, as it’s better to do the work once well than twice in different silos.
ISO 27001 particularly helps with:
- identification and classification of information assets
- risk assessment, starting from the 3–5 most important risks
- access rights management and regular review, e.g. quarterly
- incident management and reporting
- supplier assessment and contract requirements
- staff training, e.g. 1–2 times a year
- documented responsibilities
For example: when an employee leaves the company, GDPR requires that access to personal data remains limited to those who still need it. ISO 27001 practices give this a concrete form: user accounts are disabled within 24 hours, devices are returned, remaining access rights are reviewed, and the event is documented.
Another example is a security breach. Under GDPR, a personal data breach must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to pose a risk to the individuals concerned; if the risk to them is high, the affected individuals must also be informed. ISO 27001 helps in building a process to detect, assess, escalate, and document incidents quickly enough to meet that deadline.
Tip
Create one unified incident process that separately identifies whether the case involves personal data. This way the same process serves both ISO 27001 and GDPR needs.
Where does GDPR require more than ISO 27001?
Here many companies stumble. ISO 27001 can be well-structured yet not cover all GDPR obligations alone.
GDPR includes requirements that an information security management system alone does not cover:
- defining the legal basis for each processing activity
- transparent information to data subjects
- privacy statements and internal descriptions of processing activities
- implementing data subject rights within the statutory deadlines
- data minimisation
- defining retention periods
- conducting a Data Protection Impact Assessment when processing is likely to pose a high risk
A concrete example: a company may have a well-secured CRM system following ISO 27001. Yet GDPR risk arises if the system collects more personal data than necessary or retains old leads without a defined deletion policy.
Ask yourself these three questions:
- What is the purpose for processing each personal data group?
- How long is the data retained, e.g., 12 months, 24 months, or until employment ends?
- Who is responsible for ensuring timely deletion?
How should an SME proceed in practice?
If your starting point is unclear, don't try to solve everything in one project. A more practical way is to build a shared foundation and complement it with specific privacy requirements.
First, define which data and processes to review
List the company's 5–10 most important data flows: for example, customer data, employee data, financial administration, support services, and cloud services. Note for each whether it contains personal data, who owns the process, and in which system the data resides.
Conduct a single unified risk assessment
Assess likelihood and impact for each key data flow on a scale of 1–5; the product gives a score from 1 to 25. Prioritise the flows that carry both business risk and personal data risk, such as HR systems, customer registers, or Microsoft 365 environments.
Define baseline controls and privacy practices in parallel
Implement together measures such as multi-factor authentication, access role management, log monitoring, deletion policies, and supplier contract checks. This avoids having information security and privacy living in separate documents without practical connection.
Clearly assign responsibilities and deadlines
Name at least a process owner, a person responsible for IT, and a privacy officer or equivalent role. Document, for example, that access rights are reviewed four times a year, leavers' accounts are disabled within 24 hours, and incidents are assessed within the same business day.
Track progress monthly or quarterly
Choose 3–5 metrics for management to monitor regularly. Good metrics include open incidents, outdated user accounts, training completion rates, supplier assessment coverage, and deletion policy compliance.
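The steps above can be turned into a small script that management can run every month. The following is an added example, not code from the article: it scores constructed data flows on the 1–5 likelihood and impact scale, puts flows that carry both high business risk and personal data first, and computes two of the suggested metrics from constructed IAM, HR and record data: leaver accounts still enabled more than 24 hours after the leave date, and records kept past their defined retention period (or with no retention period at all). The names, dates, the score threshold of 12 for "high risk" and the 30-day month approximation are all assumptions made for the illustration.

```python
"""Unified risk register and monthly metrics (added example; all data constructed)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

HIGH_RISK_SCORE = 12  # assumed threshold on the 1-25 likelihood x impact scale


@dataclass
class DataFlow:
    name: str
    system: str
    owner: str
    personal_data: bool
    likelihood: int  # 1-5
    impact: int      # 1-5

    @property
    def score(self) -> int:
        """Likelihood x impact, i.e. 1-25."""
        return self.likelihood * self.impact


def prioritize_flows(flows):
    """Flows that are both high risk and contain personal data first, then by score."""
    for f in flows:
        if not (1 <= f.likelihood <= 5 and 1 <= f.impact <= 5):
            raise ValueError(f"{f.name}: likelihood and impact must be on a 1-5 scale")
    return sorted(
        flows,
        key=lambda f: (f.personal_data and f.score >= HIGH_RISK_SCORE, f.score),
        reverse=True,
    )


def stale_leaver_accounts(leavers, accounts, now, max_delay=timedelta(hours=24)):
    """Leavers whose account is still enabled more than max_delay after the leave date.

    leavers: {username: leave datetime}; accounts: {username: enabled (bool)}.
    """
    return sorted(
        user for user, left_at in leavers.items()
        if accounts.get(user, False) and now - left_at > max_delay
    )


def retention_violations(records, retention_months, today):
    """Records older than their category's retention period.

    A category with no defined retention period is flagged as well, because
    'kept just in case' is itself the warning sign. Months are approximated
    as 30 days (assumption for the example).
    """
    findings = []
    for rec in records:
        months = retention_months.get(rec["category"])
        if months is None:
            findings.append((rec["id"], "no retention period defined"))
        elif rec["created"] < today - timedelta(days=30 * months):
            findings.append((rec["id"], f"older than {months} months"))
    return findings


def management_metrics(flows, leavers, accounts, records, retention_months, now):
    """The handful of numbers a monthly management review would look at."""
    ranked = prioritize_flows(flows)
    return {
        "top_risks": [f"{f.name} ({f.score})" for f in ranked[:3]],
        "stale_leaver_accounts": len(stale_leaver_accounts(leavers, accounts, now)),
        "retention_violations": len(retention_violations(records, retention_months, now)),
    }


# --- constructed sample data (not real systems, people or dates) ---
NOW = datetime(2024, 6, 3, 9, 0)
FLOWS = [
    DataFlow("Customer register (CRM)", "CRM", "Sales", True, 3, 4),        # 12
    DataFlow("Employee data (HR)", "HR system", "HR", True, 2, 5),           # 10
    DataFlow("Public website content", "CMS", "Marketing", False, 4, 2),     # 8
    DataFlow("Microsoft 365 (mail, files)", "Microsoft 365", "IT", True, 4, 4),  # 16
    DataFlow("Support tickets", "Helpdesk", "Support", True, 3, 2),          # 6
]
LEAVERS = {  # username -> last working day/time from the HR system
    "anna": datetime(2024, 5, 31, 16, 0),
    "ben": datetime(2024, 6, 2, 17, 0),
    "cara": datetime(2024, 5, 20, 12, 0),
}
ACCOUNTS = {"anna": True, "ben": True, "cara": False, "dave": True}  # IAM export
RETENTION_MONTHS = {"customer_lead": 12, "support_ticket": 24}  # per data category
RECORDS = [
    {"id": "lead-1", "category": "customer_lead", "created": datetime(2023, 1, 15)},
    {"id": "lead-2", "category": "customer_lead", "created": datetime(2024, 2, 1)},
    {"id": "tkt-1", "category": "support_ticket", "created": datetime(2022, 3, 1)},
    {"id": "exp-1", "category": "marketing_export", "created": datetime(2024, 5, 1)},
]

if __name__ == "__main__":
    for key, value in management_metrics(FLOWS, LEAVERS, ACCOUNTS, RECORDS, RETENTION_MONTHS, NOW).items():
        print(f"{key}: {value}")
    print("stale accounts:", stale_leaver_accounts(LEAVERS, ACCOUNTS, NOW))
    print("retention findings:", retention_violations(RECORDS, RETENTION_MONTHS, NOW))
```

In the sample data "ben" left 16 hours ago and is still inside the 24-hour window, so only "anna" is reported; "exp-1" is flagged because its category has no retention period, which is exactly the gap the checklist below warns about. Replace the constructed dictionaries with exports from your HR system, identity provider and the systems holding personal data.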
Common mistakes causing unnecessary work
The biggest issue is usually not inactivity but duplicating the same tasks under different projects and names.
Common mistakes include:
- Treating GDPR only as legal text without practical processes
- Building ISO 27001 as documentation without real-world implementation
- Unclear responsibilities between IT, HR, and business units
- Ignoring supplier risks despite data being in cloud services
- Missing or uncontrolled data deletion policies
Below is a simple checklist for assessing your situation:
| Item to check | Good level | Warning sign |
|---|---|---|
| Information assets mapping | Updated within the last 12 months | No one knows where personal data is |
| Access rights management | Quarterly reviews | Accounts remain active after employment ends |
| Incident process | Responsibilities and reporting paths defined | Incidents handled ad hoc |
| Retention periods | Defined per data category | Data kept "just in case" |
| Supplier management | Contracts and assessments documented | Cloud services in use without evaluation |
Warning
A common mistake is thinking that a certificate or a privacy statement alone proves everything is in order. The true level is shown only by how access rights, incidents, deletions, and responsibilities operate in daily practice.
Which should be done first?
If neither is well managed in your company, start where the risk is greatest and where you will quickly see clear benefits. For most SMEs, the effective order is to build the basic structure according to ISO 27001 while covering the mandatory GDPR requirements in parallel.
Practically, this can look like the following progression over 60–90 days:
| Weeks | Goal | Output |
|---|---|---|
| 1–2 | Current state assessment | List of data flows, systems, and responsibilities |
| 3–4 | Risk evaluation | Prioritized risk list and actions |
| 5–8 | Baseline controls implementation | MFA, access model, incident process, supplier list |
| 9–10 | GDPR additions | Privacy statements, retention periods, legal bases |
| 11–12 | Management review | Metrics, decisions, and next steps |
This model works especially well when you want to respond to customer and contractual demands, raise the security level, and get privacy under control without a separate heavy project.
Summary
- ISO 27001 is a standard for information security management, while GDPR is law regulating personal data processing.
- They share many practical themes like risk management, access rights, incident handling, and documentation.
- ISO 27001 strongly supports GDPR implementation but does not alone cover legal bases, retention periods, or data subject rights.
- The most efficient approach for SMEs is creating one unified operational model where information security and privacy support each other.
- Track progress with 3–5 metrics and agree concrete deadlines, such as disabling leavers' accounts within 24 hours.
Need help with information security management?
Our experts are here to assist you.
