
ISO 27001 Is Not the Law. GDPR Is Not a Certificate.

2026-03-10 · Blazo Sokic

The mix-up that keeps happening

ISO 27001 is not the law. GDPR is not a certificate. Yet companies treat them as interchangeable every single day.

The most common version sounds like this: "We're ISO certified, so we're GDPR compliant."

That sentence contains a real mistake. And it is an expensive one.

What each one actually is

GDPR is a law. If it applies to your organisation, you do not get to decide whether you like it. You comply, or you deal with the consequences. There is no opt-out, no alternative framework, no substitution.

ISO 27001 is a standard. Nobody forces you to certify. You choose it because you want structure, credibility, and a way to demonstrate to clients that your information security is organised and managed. It is voluntary.

Both deal with data and security. That is where the similarity ends.

Where they overlap, and where they do not

ISO 27001 can help you build controls that support GDPR compliance. A documented access control policy, a risk register, an incident response process: all of these are things ISO 27001 requires, and all of them are things a data protection authority will expect to see as evidence that you have put "appropriate technical and organisational measures" in place, which is what GDPR's security-of-processing requirement actually asks for.

But being ISO 27001 certified does not automatically make you legally compliant with GDPR. The certificate covers only the scope you chose for your management system, which may be a single product or site rather than the whole business, and it says nothing about the parts of GDPR that are not security controls at all: lawful basis for processing, data subject rights, records of processing, impact assessments, or international transfers. And saying "we follow GDPR" does not mean you have a certified information security management system.

One is a legal obligation. The other is a management framework.

If you treat them as the same thing, you create a false sense of security. And false security is expensive.

The actual cost of confusion

Failing an ISO audit: Reputational damage. Unresolved nonconformities can lead to suspension or withdrawal of the certificate, and with it the contracts that required it.

Breaching GDPR: Fines reach six to seven figures, and that is before you count the cost of investigation, remediation, and the breach notification obligations to the supervisory authority (within 72 hours of becoming aware) and, where the risk to individuals is high, to the affected individuals themselves.

The ceiling for GDPR fines is €20 million or 4% of global annual turnover, whichever is higher. No ISO status changes that.

What to do instead

  • Treat ISO 27001 and GDPR as complementary, not interchangeable
  • Use ISO 27001 to build the controls that make GDPR compliance easier to evidence
  • Get legal advice on your GDPR obligations separately from your certification work
  • Never use certification status as a substitute for legal compliance analysis

The short version

ISO 27001 tells clients your security is managed. GDPR tells regulators you handle personal data lawfully. You need both, for different reasons, and one does not replace the other.

Understand the difference. It matters more than most companies realise.