Why does ISO 27001 help with complying with GDPR data protection rules?

The ISO 27001 standard deals with information security. All sensitive data in digital and non-digital form (e.g. on paper, metal signs, microfilm, slides, memory chips, index cards, punch cards) should be taken into account here. The data referred to here can be trade secrets (e.g. recipes, source code, manufacturing process), personal data (e.g. date of birth, bank details) and other types of information (e.g. member lists, order history).

Data protection, on the other hand, primarily considers personal data, such as date of birth, name, home address, email address, telephone numbers and other critical data of a natural person. This sensitive data also includes information about creditworthiness, sexual preferences, religious affiliation, a voter’s political decisions or a person’s health status.

Since the update of the ISO 27001 standard, ISO 27001:2022 now also takes data protection aspects into account. However, since each country has different legal requirements regarding data protection rights, an international standard cannot take individual national jurisdictions into account. Data protection laws in Canada, for example, are not 100% consistent with the GDPR or other laws abroad.

How does GDPR differ from ISO27001?

The two differ in their very definition: the GDPR is a European law with national ratification. Companies in Europe are legally obliged to follow the GDPR and implement its legal requirements. ISO 27001:2022, on the other hand, is an international standard that companies can adhere to voluntarily. A standard is a kind of guideline; deviating from it carries no criminal consequences for a company.

Can a management system comply with GDPR and ISO27001 at the same time?

An integrated management system can take both ISO 27001:2022 and the GDPR into account. The relevant documents must be created in the operational regulations with reference to both the standard and data protection. Certification bodies can then audit the management system against ISO 27001 and issue an ISO 27001 certificate. In addition, the ISMS can be assessed for its data protection compliance. However, such an assessment is not a legal statement or legal advice. It should therefore be clear that ISO 27001 and data protection can be combined but are never identical to one another.

The international standard ISO 27701 is required for companies (department stores, airlines, health insurance) that process a lot of sensitive personal data.

Is ISO27701 an alternative to ISO27001?

The international standard ISO 27701 deals with the protection of personal data. Under it, a “Personal Information Management System” (PIMS) is set up and certified. A PIMS is not the same as an ISMS according to ISO 27001; ISO 27701 can therefore be a good supplement to ISO 27001. PIMS certifications are important for companies that process a lot of personal data. In Europe, insurance companies, hospitals, e-commerce companies and airlines use ISO 27701 certification to demonstrate their compliance with common data protection guidelines to supervisory authorities.