
Privacy under control with ISO 27001: here's what you need to know

ISO 27001 vs. AVG
Let's start with the difference. ISO 27001 is an international standard for information security. The AVG (the Dutch name for the GDPR) is legislation focused on privacy. They each have their own role, but they overlap considerably and reinforce each other.
The AVG sets requirements for how you process and protect personal data. ISO 27001 helps you implement those requirements in a structured way. The AVG says what you have to do; ISO 27001 says how to do it.
Where does it often go wrong?
We encounter the same bottlenecks in many organizations. Do you recognize one (or more)?
❌ Uncertainty about the scope: what personal data do we actually process?
❌ Processor agreements are incomplete or out of date.
❌ No clear method of safeguarding privacy rights in daily practice.
❌ DPIAs? Done once... but never documented.
❌ The privacy policy is in writing but has not actually been implemented.
❌ Data breaches are reported “when we remember”.
❌ Relying on suppliers without clear agreements or due diligence (thorough investigation).
❌ International processing without a clear view of legislation (EU vs. US).
❌ Insufficient awareness in the organization (“isn't that the DPO's job?”).
❌ No clear insight into legal obligations (legal register is missing).
And perhaps the biggest pitfall: privacy is seen 'separately' from information security. But privacy is actually part of information security.
How ISO 27001 helps with privacy
ISO 27001:2022 provides tools for integrating privacy into your information security. Below, we discuss a few concrete controls (control measures) from Annex A that directly address this:
- A.5.31: Legal, statutory, regulatory and contractual requirements
Make sure you know what laws and regulations apply to your organization, including privacy laws. This is the basis for compliance.
Practical example:
- In your ISMS, specify which privacy laws are relevant (for example, the GDPR, but also industry rules or international laws, such as the California Consumer Privacy Act (CCPA) when doing business with the U.S.).
- Use a legal register that briefly describes: what is the obligation, on whom does it apply, and how do you comply?
- Add the processing register as a mandatory attachment or document type within your ISMS.
- Appoint someone responsible (e.g. the privacy officer or CISO) and schedule at least an annual review.
- A.5.34: Privacy and Protection of Personally Identifiable Information (PII)
Require your organization to take measures so that personal data is processed lawfully and securely.
Practical example:
- Make sure you have a privacy policy that is in line with your information security policy.
- For example, document how to record consent, how to process data subject rights (such as requests for access), and what principles you use.
- Ensure that there is a register of processing operations that contains information about the basis, retention periods, recipients, and systems involved.
- A.6.3: Information security awareness, education and training
Make sure that employees are aware of privacy risks and know how to handle personal data safely and correctly.
Practical example:
- Organize regular mandatory training courses on privacy and data protection, such as recognizing privacy-sensitive information, properly applying the GDPR, and reporting a data breach. Make sure that new employees attend introductory training on privacy immediately upon employment.
- Raise privacy awareness within the organization by structurally training employees to handle personal data safely and carefully. This includes recognizing sensitive data, preventing data leaks and complying with the GDPR. Integrate this knowledge into onboarding and repeat it regularly via e-learnings or classroom sessions.
- A.6.6: Confidentiality or non-disclosure agreements
Ensure that employees and suppliers are contractually committed to confidentiality.
Practical example:
- Have new employees sign a confidentiality agreement upon employment, and refer to your privacy policy in it as well.
- Make sure that your contracts with suppliers include a standard data processing agreement with provisions on confidentiality and security.
- A.8.10: Information deletion
Control when and how personal data is securely deleted.
Practical example:
- Set up a process where customer data is automatically deleted after a certain period of time (for example, 2 years after the last contact).
- Have IT keep a deletion log, or build a workflow in your CRM that performs the deletion automatically and records it.
Please note: some personal data must be kept for a minimum period of time, for example due to tax or legal obligations. Therefore, think carefully about the correct storage period for each type of data.
We previously wrote a blog about how to carefully deal with retention periods. You'll find it here!
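The deletion workflow described under A.8.10, as an added example that is not code from the original post: a small retention job that deletes records a fixed period after the last contact, keeps a deletion log, and honours a per-type legal minimum retention period (the note above). The policy values, record types and sample records are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample policy (not from the original post): days after last contact before a record
# may be deleted, and the minimum days from creation it must be kept for legal (e.g. tax) reasons.
RETENTION_POLICY = {
    "customer_contact": {"delete_after_days": 730, "legal_min_days": 0},     # 2 years after last contact
    "invoice":          {"delete_after_days": 730, "legal_min_days": 2555},  # constructed 7-year legal minimum
}

@dataclass
class Record:
    record_id: str
    record_type: str
    created: date
    last_contact: date

def deletion_decision(rec: Record, today: date) -> tuple[str, date]:
    """Return ("retain" | "legal_hold" | "delete", date until which the record is kept)."""
    policy = RETENTION_POLICY[rec.record_type]
    eligible_on = rec.last_contact + timedelta(days=policy["delete_after_days"])
    legal_hold_until = rec.created + timedelta(days=policy["legal_min_days"])
    if today < eligible_on:
        return "retain", eligible_on
    if today < legal_hold_until:
        return "legal_hold", legal_hold_until   # retention rule says delete, legal minimum overrides
    return "delete", today

def run_deletion_job(records: list[Record], today: date) -> tuple[list[Record], list[dict]]:
    """Apply the policy: return the records that remain and one deletion-log entry per record."""
    remaining, log = [], []
    for rec in records:
        decision, until = deletion_decision(rec, today)
        # The log records the decision and its basis, not the personal data itself.
        log.append({"record_id": rec.record_id, "type": rec.record_type, "decision": decision,
                    "kept_until": until.isoformat(), "run_on": today.isoformat()})
        if decision != "delete":
            remaining.append(rec)
    return remaining, log

JOB_DATE = date(2025, 6, 1)
SAMPLE_RECORDS = [   # constructed sample data
    Record("C-1", "customer_contact", date(2020, 1, 10), date(2022, 3, 1)),   # stale: delete
    Record("C-2", "customer_contact", date(2024, 9, 15), date(2024, 9, 15)),  # recent: retain
    Record("I-1", "invoice", date(2021, 4, 1), date(2021, 4, 1)),             # stale but under legal hold
]

def run_sample_job():
    return run_deletion_job(SAMPLE_RECORDS, JOB_DATE)

if __name__ == "__main__":
    print(run_sample_job()[1])
```

In a real CRM the "delete" decision would trigger the actual erasure in the systems involved; the log is what you show an auditor.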
- A.8.11: Data masking
A technique to protect sensitive data during testing or training, for example.
Practical example:
- Are you working with real customer data in your test environment? Don't do it. Instead, use masked data, such as fictitious names and addresses.
- Support agents can only see the last part of a social security number or account number unless they get explicit access.
- A.8.12: Data leakage prevention
Use technical measures to prevent personal data from leaking out unintentionally.
Practical example:
- Restrict the sending of personal data via email by setting technical limits, such as file size limits, allowed file types, or blocking attachments to external email addresses. In addition, use a Data Loss Prevention (DLP) solution that automatically prevents employees from sending personal data to a private email address.
- Implement automatic disk encryption on laptops (such as BitLocker for Windows or FileVault for macOS) so that if the device is lost or stolen, personal data is not accessible.
➡️ These controls are not a “checklist”, but they do help you translate AVG obligations into practical measures.
What can you do without a lawyer or a privacy team?
You don't have to be a specialist to take action. With a good basis in your ISMS, you can go a long way. For example, consider:
- Processing register in order: start simple, identify what personal data you process and why.
- Test your data breach procedure: does everyone know when something counts as a data breach, and what to do then? Make it something people can raise openly.
- Creating awareness: not only with e-learnings, but also through team discussions or incident discussions.
- Assess processors: actively ask your suppliers (such as software suppliers or cloud services) to demonstrate how they deal with privacy and security. Examples include a data processing agreement, a recent security statement, a DPIA, or information about how they handle data breaches and risks.
- Link your privacy policy to your ISMS: make sure the privacy policy is not a separate document sitting somewhere in a folder, but is actively applied within your organization, for example by linking it to your risk analysis or referring to it from your other policies.
And perhaps most importantly: record decisions. A DPIA doesn't have to be a thick book, as long as you show that you've thought about risks and measures.
Structurally including privacy: how?
A few concrete recommendations for an effective approach:
- Start with your processes: see where personal data is processed and who can access it.
- Link privacy to risk analysis: add privacy risks to your regular ISO 27001 risk analysis.
- Embed AVG requirements in your ISMS: for example, in your change management, supplier management or awareness program.
- Don't forget your privacy statement: make sure that what you write down is also in line with practice.
- Keep it alive: writing down policies alone is not enough. Let it come back in behavior, awareness and audits.
Privacy doesn't have to be a headache. ISO 27001 actually helps you bring order to the maze of rules, processes and documentation. You don't have to be a lawyer to take privacy seriously, as long as you know where to start. And that is exactly what we can help you with.
Do you want more control over privacy in your ISO approach? Feel free to contact us for practical support (such as an AVG scan) or a free check of your privacy processes.