Quantar UK

ISO/IEC 27001:2013 Audit Service

Quantar ISO/IEC 27001:2013 External Audit for GDPR Compliance

Quantar is certified to undertake external audits for ISO/IEC 27001:2013 as lead auditors. Our prime objective in executing ISO 27001 audits is to determine whether your organization is correctly using the ISO standard as part of your GDPR compliance program.

In some instances, the standard conflicts with GDPR or even creates anomalies in complying with it. Knowledge of both GDPR and ISO 27001 is therefore key to ensuring that ISO/IEC 27001 is maintained for certification every 3-year cycle, whilst also providing key evidential data for compliance with GDPR.

Why Do You Need ISO 27001 as part of your GDPR compliance program?

The GDPR Articles are very explicit as to which forms of information security management system, best practice and codes of conduct may be used as a form of proof of compliance with the regulation. Article 32, allied to Recitals 76, 77, 78 (risk assessment and appropriate technical and organizational measures, respectively), effectively directs organizations to use recognised certified systems in their GDPR data privacy programs, although which ones is not stipulated. There are some national schemes, such as BS-10012 (https://www.bsigroup.com/en-GB/BS-10012-Personal-information-management/), that may also serve the same purpose as ISO 27001. The risk involved in relying solely upon a national scheme is that there may be components required under GDPR that are not included within such a scheme. BREXIT also poses a potential issue for a GB national PIMS scheme being accepted under what is an E.U. law. In such circumstances, bearing the costs of certifying for ISO/IEC 27001 rather than BS-10012 would be a more risk-averse approach to GDPR compliance.

Art. 32 GDPR Security of processing

3) Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article

GDPR and ISO 27001 have understandably become intertwined, with mapping between the two illustrating where ISO/IEC 27001 can provide compliance with the requirements of GDPR, as stated in Article 32(3).

Illustration of Mapping GDPR Article 32 to ISO/IEC 27001 Appendix A Requirements (see Resources for Full Text)

ISO/IEC 27001:2013 | Description Summary | Annex A Description Summary

b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

+ Majority of Annex A

GDPR mentions a few control examples (such as encryption, anonymization and resilience) covering data confidentiality, integrity and availability aspects, plus testing/assurance measures and compliance by workers (implying policies and procedures, awareness/training and compliance enforcement/reinforcement). An ISO27k ISMS provides a coherent, comprehensive and structured framework to manage privacy alongside other information risk and security controls, compliance, etc.

Where organizations have not become certified for ISO 27001, whether for policy, procedural or financial reasons, alternative means of using the standard to provide proof of GDPR regulatory compliance are available. We are also able to assist organizations that have no ISO certification, including in the provision of alternative potential solutions to this particular GDPR compliance requirement.

Quantar professional service quality assurance is provided by the Global Association for Software Quality (GASQ), which is an independent, international association. GASQ maintains an international network and supports certification programs.

Recital 77: Risk Management

“Guidance on the implementation of appropriate measures and on the demonstration of compliance by the controller or the processor, especially as regards the identification of the risk related to the processing, their assessment in terms of origin, nature, likelihood and severity, and the identification of best practices to mitigate the risk, could be provided in particular by means of approved codes of conduct, approved certifications…..”