Does ISO 27001 Cover GDPR?
Though not directly related, being compliant with the ISO 27001 standard means that a lot of the base principles and practices required for GDPR compliance should already be in place within an organisation.
GDPR is essentially all about protecting personal data – identifying the areas at risk and putting technical and operational measures in place to mitigate that risk, with the auditability to demonstrate good practice and compliance.
If an organisation has already implemented Information Security controls in line with the ISO 27001 standard, it will already have in place the sorts of controls and practices required for GDPR.
Although GDPR mandates what level of security and data protection should be in place, it does not go further to provide any guidance on how this could or should be achieved. Many organisations then look to the ISO 27001 standard for recommendations or best practices for both a technical and operational path to GDPR compliance.
Even if your business is not ready for full ISO 27001 compliance, it could make sense to adopt an ISO 27001-aligned response to the GDPR requirements. Not only would this provide a lot of the base Information Security policies and practices needed, but implementing the sorts of operational processes and controls at the heart of ISO 27001 will also stand your organisation in good stead if compliance with the standard ever becomes part of your business strategy.