ISO 27001 and GDPR are related but fundamentally different. They interact, but one does not replace or guarantee the other.
Core difference
ISO 27001 is an international information security management standard. It describes how to set up and run an Information Security Management System (ISMS) to manage risks to information assets.
GDPR is a law (the EU General Data Protection Regulation). It defines legal requirements for how organizations process, store, transfer, and protect personal data of individuals in the EU/EEA.
Scope and focus
- ISO 27001 scope:
- Covers all information assets in scope (not just personal data): engineering data, process recipes, machine logs, MES/ERP databases, supplier documents, etc.
- Focuses on risk management, controls, and continuous improvement of information security.
- In a plant context, this includes OT networks, historian data, backups, remote access to equipment, vendor connectivity, and cloud services tied into MES/ERP/QMS.
- GDPR scope:
- Only covers personal data of identified or identifiable natural persons in the EU/EEA (employees, suppliers’ staff, customers, visitors, candidates).
- Focuses on lawful basis, transparency, data subject rights, and cross-border transfers, in addition to security.
- In industrial environments, this is often HR systems, access control logs, training records, QMS deviations linked to individuals, system audit logs, and support tickets.
Legal status vs management standard
- ISO 27001:
- Voluntary standard (unless made mandatory by contracts or regulators).
- You can be certified by an accredited body to show that your ISMS conforms to the standard within a defined scope.
- Certification is based on an audit of your documented system and implemented controls.
- GDPR:
- Legal requirement in the EU/EEA for organizations that process personal data of individuals in that region.
- No simple “GDPR certificate” that proves full compliance. Some schemes or codes of conduct exist, but regulators evaluate compliance case by case.
- Non-compliance can lead to enforcement actions, including fines and mandatory remediation.
How they relate in practice
ISO 27001 can support GDPR, but it does not make you GDPR-compliant by itself.
- ISO 27001 helps you systematically manage confidentiality, integrity, and availability of information, including personal data.
- Its controls (e.g. access control, logging, encryption, secure development, supplier management) are useful for meeting GDPR’s requirement to implement “appropriate technical and organisational measures”.
- However, GDPR includes many areas that ISO 27001 does not fully cover, such as:
- Lawful basis for processing (consent, contract, legal obligation, etc.).
- Data subject rights (access, deletion, portability, objection, restriction).
- Data minimisation, purpose limitation, and storage limitation.
- Data Protection Impact Assessments (DPIAs) for high-risk processing.
- Rules for international data transfers.
Because of this, you can have a well-implemented ISO 27001 ISMS and still be non-compliant with GDPR on topics like retention schedules, HR data handling, or response to subject access requests.
Implications for industrial and regulated environments
In brownfield manufacturing environments, both ISO 27001 and GDPR run into the same practical constraints:
- Legacy systems: Old MES, historians, SCADA, access control systems, and data loggers often have limited security and data protection controls. Retrofitting them for least-privilege access, proper logging, or granular data retention can be complex and may require vendor cooperation and re-validation.
- Long equipment lifecycles: Production equipment and control systems may remain in use for decades. Achieving ISO 27001-aligned controls and GDPR-aligned retention or pseudonymisation often involves compensating controls rather than full replacement.
- Integration debt: Personal data may be replicated across HR, training, QMS, MES, and physical security systems. Mapping data flows and implementing GDPR requirements (like right to erasure or restriction) often requires significant integration work and change control.
- Validation and qualification burden: In regulated industries, changing security controls, identity management, or logging in validated systems may trigger re-validation. This slows the rollout of ISO 27001 controls and GDPR-related changes and must be planned into the change control process.
Misconceptions to avoid
- “If we get ISO 27001 certified, we are GDPR compliant”: No. Certification can be evidence of a structured approach to security, but GDPR compliance depends on how you manage personal data specifically, across technical and legal dimensions.
- “GDPR is only an IT issue”: No. GDPR affects HR policies, supplier contracts, shop-floor CCTV, badge access logs, training records, and paper records just as much as cloud or IT systems.
- “We can fix GDPR with a new system”: Replacing legacy systems might help, but in regulated, long-lifecycle environments full replacement often fails or overruns due to downtime risk, integration complexity, and qualification/validation cost. A more realistic approach is usually incremental hardening, better governance, and precise scoping of personal data flows.
How to use ISO 27001 to strengthen GDPR posture
If you operate in a regulated manufacturing environment, a practical approach is:
- Define ISMS scope carefully: Include key systems that process personal data (HR, QMS, access control, service desk, MES user accounts, remote access gateways) and critical OT interfaces.
- Map personal data flows: As part of risk assessment, identify which systems hold personal data, how it moves between them, and where it is logged or backed up.
- Align controls with GDPR risks: Prioritise ISO 27001 controls that directly reduce GDPR risk, such as identity and access management, logging and monitoring, backup protection, and supplier security requirements.
- Integrate with change control and validation: Ensure ISMS-driven changes (e.g. new logging, network segmentation, or encryption) go through existing change control, qualification, and validation processes to avoid unintended compliance or availability impacts.
- Close non-security gaps separately: Address GDPR topics not covered by ISO 27001 (lawful basis, notices, DPIAs, data subject rights) through privacy governance, not just technical controls.
In summary, ISO 27001 is a structured framework to manage information security risks, while GDPR is a binding legal regime for personal data protection. In industrial settings, combining both requires pragmatic integration with legacy systems, validation constraints, and existing governance processes.