Despite the speed and the growing commercial impact of security breaches, most institutions still control digital security in a manner designed to meet yesterday’s attacks by using burdensome restrictions that hinder innovation.


ISO 27001 sets up a framework to protect the organization’s valuable information – including personal data – in a safe and credible way. The standard defines the requirements for an information security management system (ISMS) aimed at protecting against inter alia deletion, leak or loss of access to data. At the same time, it ensures that companies maintain ongoing safety efforts, where risk assessment and handling of events create a contemporary protection of information. It is in line with the GDPR legislative text, which inter alia Calls for organizations to implement appropriate technical and organizational measures to ensure a level of security that corresponds to the risk. Below are listed 5 areas where ISO 27001 directly meets GDPR requirements:

First documentation

The transition to GDPR means that companies must now be able to document their compliance with the law. This is also a prerequisite for compliance with the requirements of ISO 27001 – if it can not be documented, the requirements are not considered to be met. Ergo: There must be an overview of personal data, a report regarding risk assessment, a log of events, etc.

2nd Overview of personal data

An overview of the company’s critical and sensitive data is in ISO 27001 the key to designating relevant safety measures. This is also a requirement for personal data in GDPR in order to control where, how and how long data is stored, who can access them, etc.

Third Risk assessment

GDPR requires companies to carry out risk assessments to identify risks for compromising the personal data of EU citizens. This also applies to the implementation of new systems or the establishment of new business processes. Similarly, ISO 27001 requires companies to establish a relevant security response through risk management, ie. assess the probability of different events and identify the corresponding consequence for the data subjects’ data.

4th Breaks

GDPR requires companies to inform the authorities within 72 hours of a possible data break. It may also include notification to the data subjects. Similarly, ISO 27001 sets requirements for handling deviation and proposes event handling processes.

5th Evaluation and ongoing improvements

It is an underlying precedent for compliance with GDPR, that organizations establish some workflows that ensure continued personal data protection, regardless of the threat picture, new treatments or changes in business processes. Here, the ISO 27001 provides a toolbox of activities that will ensure adequate protection of information even when the context changes. Evaluation of security controls, internal audits and management evaluation are key components for maintaining and continuously improving data protection.


Enterprises are able to establish the strictest defense mechanisms against key information assets. We help customers decide what to protect and how much they need through a combination of ISO27000 that helps companies prioritize their business risks and assets as well as strategies and tactical plans that adjust the company’s risk capabilities.