How GDPR Maps to SOC 2 and ISO 27001: What Overlaps and What Doesn’t

ISO 27001 lists 93 controls. SOC 2 rests on five Trust Services Criteria. GDPR runs to 99 articles. Lay them side by side and a large share of the work repeats itself: access control, encryption, risk assessment, incident response, vendor oversight. That overlap is real, and it is the reason a company chasing all three at once can save months of effort by building once and reusing the evidence.

The trap is assuming overlap means equivalence. It does not. A clean ISO 27001 certificate does not make you GDPR compliant, and a SOC 2 report says nothing about whether you honour a data subject’s right to erasure. This article maps out where the three frameworks genuinely align, where they diverge, and how to build a single control set that feeds all of them without doing the same work three times.

Understanding GDPR, SOC 2, and ISO 27001: Quick Definitions

Before mapping anything, it helps to be precise about what each framework actually is. They are not three versions of the same thing. One is a law, one is an audit report, and one is a certifiable management system.

What is GDPR?

The General Data Protection Regulation is an EU law that took effect in May 2018. It governs how organisations collect, process, store, and transfer the personal data of people in the EU and EEA, and it applies to any organisation worldwide that handles that data, regardless of where the business sits. GDPR is built around core principles: lawfulness, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability. It grants individuals a set of enforceable rights and obliges organisations to demonstrate compliance, not merely claim it.

What is SOC 2?

SOC 2 is an attestation report, not a certification. It is produced by a licensed CPA firm against the AICPA’s Trust Services Criteria, and it tells customers how a service organisation protects the data it handles. There are two types. A SOC 2 Type I assesses whether controls are suitably designed at a single point in time. A SOC 2 Type II goes further, testing whether those controls actually operated effectively over a period, usually three to twelve months.

What is ISO 27001?

ISO 27001 is the international standard for an Information Security Management System (ISMS). Unlike SOC 2, it results in a formal certification issued by an accredited body, valid for three years with annual surveillance audits. The current version, ISO 27001:2022, restructured Annex A from 114 controls across 14 domains into 93 controls grouped under four themes: organisational, people, physical, and technological.

The heart of ISO 27001 is not the control list but the management system itself: a documented, risk-based process for identifying threats, selecting controls to treat them, and continually improving. Organisations record which Annex A controls apply in a Statement of Applicability (SoA), the document auditors use to check that decisions were deliberate rather than accidental.

How GDPR Maps to ISO 27001

Where GDPR and ISO 27001 Align

GDPR Article 32 requires organisations to implement appropriate technical and organisational measures to secure personal data. It does not say what those measures are. ISO 27001 fills exactly that gap. An ISMS gives you the documented security controls, the risk methodology, and the governance structure that Article 32 demands but never specifies. This is why the two are so often pursued together: ISO 27001 supplies the operational backbone for the security obligations GDPR leaves abstract.

ISO published a dedicated bridge between the two. ISO 27701, the privacy information management standard, extends an ISMS with privacy-specific controls; the 2019 edition includes a direct mapping to GDPR articles in its Annex D. Notably, the 2025 edition turned ISO 27701 into a standalone standard, so a Privacy Information Management System no longer strictly requires a full ISMS underneath it, though running both together remains the most efficient path.

Control Mapping: GDPR vs ISO 27001

Most GDPR security obligations have a clear Annex A counterpart. The strongest alignments that auditors and data protection officers rely on when building a unified control set are as follows.

Article 32 (Security of processing) maps directly to ISO 27001 Annex A controls on access management, encryption, and physical security. The GDPR obligation to implement “appropriate technical and organisational measures” is essentially a blank canvas that an ISMS is designed to fill.

Articles 33 and 34 (Breach notification to the supervisory authority and to affected individuals) align with ISO 27001’s incident management controls, which require a documented process for detecting, reporting, and responding to information security events. GDPR adds a hard 72-hour clock that ISO 27001 does not impose, and Article 34’s duty to inform affected individuals has no ISO counterpart, but the underlying capability, detection followed by a structured response, is the same.

Article 28 (Processor obligations) maps onto ISO 27001’s supplier relationship controls. Both require due diligence on third parties handling sensitive data and contractual obligations to maintain appropriate security standards.

Article 35 (Data Protection Impact Assessments) aligns with ISO 27001’s risk assessment methodology. A DPIA is essentially a privacy-focused risk assessment, and organisations with a mature ISMS risk process can adapt it to DPIA requirements without building a separate methodology from scratch.

Evidence Mapping for GDPR vs ISO 27001

Control overlap is only half the value. The deeper saving comes from evidence reuse. The same artefact frequently satisfies both frameworks simultaneously. An asset inventory built for ISO 27001 doubles as the foundation of a GDPR record of processing activities. Access reviews, encryption configurations, and incident logs collected for an ISMS audit are the same records a data protection authority would expect to see after a breach. A well-structured ISO 27001 evidence library is, in large part, a GDPR documentation library, provided it is deliberately scoped to capture personal data flows alongside information assets.

How GDPR Maps to SOC 2

Where SOC 2 and GDPR Align on Security

SOC 2 and GDPR overlap most strongly on security and least on privacy rights. The AICPA’s common criteria, the mandatory Security category, line up well with GDPR Article 32: access control, change management, monitoring, and incident response all appear in both. The gap opens when you reach GDPR’s rights-based obligations, which SOC 2 was never designed to cover.

There is a structured way to close part of that gap. A SOC 2+ report extends a standard SOC 2 with additional subject matter, and GDPR is a recognised add-on. A SOC 2+ for GDPR lets a service organisation demonstrate alignment with specific GDPR requirements inside the same audit, which is particularly useful for vendors trying to satisfy enterprise customers in a single document.

Shared Security Controls Between GDPR and SOC 2

The practical overlap is concentrated in a handful of control families. Logical access management, encryption in transit and at rest, vulnerability and change management, system monitoring, and incident response procedures all serve both frameworks. If the Security TSC has been properly implemented, most of the technical groundwork GDPR Article 32 expects is already in place. The work that remains is largely about lawful basis, transparency, and individual rights, none of which a SOC 2 auditor evaluates.

Privacy and Data Protection Overlaps

Choosing the Privacy TSC narrows the gap meaningfully. The AICPA organises privacy controls around notice, choice and consent, collection, use and retention, access, disclosure, quality, and monitoring. Those themes echo GDPR principles closely. A company that scopes in the Privacy criterion will find itself addressing consent, retention limits, and data subject access in ways that map onto GDPR articles, even if the legal definitions and enforcement mechanisms differ.

Important caveat: The SOC 2 Privacy criterion is not a GDPR substitute. It tests whether you follow your own stated privacy commitments, not whether those commitments satisfy EU law. You can pass the Privacy TSC with a privacy notice that would still fail a GDPR lawful-basis analysis. The criterion is a useful alignment tool, not a compliance shortcut.

Mapping All Three Frameworks: GDPR, SOC 2, and ISO 27001

A Common Control Framework Across All Three

Run the three together and a shared core emerges. Roughly half to two-thirds of the technical and organisational controls a mid-sized SaaS company needs will serve all three frameworks simultaneously. Access control, encryption, logging, risk management, vendor due diligence, security awareness training, and incident response sit at the intersection. Build that core once as a single common control set, then layer the framework-specific requirements on top: data subject rights for GDPR, elective TSCs for SOC 2, the Statement of Applicability for ISO 27001.

Risk Assessment Requirements Across Frameworks

All three demand risk assessment, though they frame it differently. ISO 27001 makes a documented, repeatable risk methodology the centrepiece of the entire ISMS. SOC 2 expects risk assessment as part of the common criteria, drawing on the COSO internal control framework. GDPR requires a Data Protection Impact Assessment for high-risk processing under Article 35. A single, well-built risk register can feed all three, provided it captures both information security risk and risk to the rights and freedoms of individuals, which GDPR uniquely requires.

Third-Party Vendor Management

Vendor management is one of the cleanest overlaps across all three frameworks. ISO 27001 covers supplier relationships in its organisational controls. SOC 2 examines how you manage subservice organisations. GDPR Article 28 imposes specific contractual requirements on processors, including the obligation to flow data protection terms down the supply chain. A unified vendor management programme, with a single risk-tiered onboarding process and a contract template carrying GDPR’s mandatory processor clauses, satisfies the substance of all three simultaneously.

Incident Response and Breach Notification

Here the frameworks converge on the need for an incident response capability but diverge sharply on deadlines. GDPR sets the hardest clock. Under Article 33, a controller must notify the relevant supervisory authority of a qualifying personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it; a later notification must be accompanied by the reasons for the delay. Awareness, in the regulators’ reading, means a reasonable degree of certainty that a security incident has compromised personal data, not the end of the investigation. Processors face a parallel duty under Article 33(2) to notify the controller without undue delay, which is why vendor contracts should fix a notification window shorter than 72 hours.

ISO 27001 and SOC 2 both require incident management processes but impose no statutory notification deadline. The European Data Protection Board’s breach notification guidelines stress that the ability to detect, assess, and report a breach quickly is itself part of the Article 32 security obligation. In practice, an ISO 27001 incident process tuned to hit GDPR’s 72-hour deadline will comfortably satisfy SOC 2 as well.

Key Differences Between GDPR, SOC 2, and ISO 27001

The overlaps are seductive. The differences are where compliance programmes actually fail, because a control that satisfies one framework can leave a significant gap in another.

Scope and Applicability

GDPR applies by law to anyone processing the personal data of people in the EU, whether or not the organisation has any European presence. SOC 2 applies to service organisations that store, process, or transmit customer data and want to demonstrate that to buyers, most commonly in the North American market. ISO 27001 applies to any organisation, anywhere, that wants a recognised security credential. Scope is also defined differently inside each framework: ISO 27001 lets you define the ISMS boundary, SOC 2 scopes around a system and chosen criteria, and GDPR scopes around personal data wherever it flows.

Mandatory vs Voluntary Compliance

This distinction drives everything. GDPR is not optional. If you handle qualifying data, the law applies whether or not you have ever heard of it. SOC 2 and ISO 27001 are both voluntary, pursued because customers demand them or because they improve security posture. The consequence is straightforward: you can choose when and whether to pursue SOC 2 or ISO 27001, but GDPR obligations are live from the moment you touch EU personal data.

Certification vs Attestation vs Regulatory Compliance

ISO 27001 ends in certification by an accredited body. SOC 2 ends in attestation, a licensed CPA’s opinion on your controls, delivered as a report rather than a badge. GDPR ends in nothing you can frame on a wall: compliance is a continuous legal state, demonstrated through documentation and defensible decisions if a regulator ever asks. Buyers sometimes ask for a “GDPR certificate.” There is no such thing. Article 42 does provide for approved certification mechanisms, but these certify specific processing operations against approved criteria and, by the regulation’s own terms, do not reduce the controller’s or processor’s responsibility for compliance.

Data Subject Rights: Where GDPR Stands Alone

This is the gap no security framework closes. GDPR grants individuals rights that have no equivalent in ISO 27001 or standard SOC 2: the right of access, rectification, erasure (the right to be forgotten), restriction of processing, data portability, the right to object, and protection against purely automated decisions. Honouring these requires processes neither security framework asks for, such as a workflow to locate and delete every copy of one person’s data within the statutory deadline (one month under Article 12, extendable by a further two months for complex or numerous requests). You can be flawlessly certified and attested and still be in breach because you cannot fulfil a deletion request.

Pursuing Dual or Triple Compliance: GDPR with SOC 2 and ISO 27001

Why Pursue GDPR and ISO 27001 Simultaneously?

Because they reinforce each other almost perfectly. ISO 27001 gives GDPR Article 32 its missing operational detail, and the discipline of an ISMS produces exactly the accountability evidence GDPR’s Article 5(2) demands. Adding ISO 27701 on top turns the ISMS into a privacy management system with a built-in GDPR article mapping. For organisations that already process EU data, ISO 27001 is the most direct way to make security obligations concrete and auditable.

Can SOC 2 Help with GDPR Compliance?

Yes, partially, and it is important to be honest about the limit. SOC 2’s Security criterion does real work toward GDPR Article 32, and the Privacy criterion or a SOC 2+ for GDPR pushes further into privacy territory. But SOC 2 will never deliver lawful basis, consent management, or data subject rights fulfilment. Treat SOC 2 as a strong head start on GDPR’s security half, not as a path to full compliance.

Time and Cost Savings Through Unified Compliance

The savings are substantial and they compound. When controls and evidence are shared, the second framework costs a fraction of the first because the bulk of the work is already done. A company that earns ISO 27001 first can typically add a privacy management layer in three to six months rather than starting from zero. The expensive duplication (three separate control sets, three evidence collections, three teams) is entirely avoidable with a common framework approach. Gartner’s security research consistently identifies framework harmonisation as one of the highest-value investments a security team can make.

Which Framework to Implement First?

Sequence depends on what is driving you. If EU data is already in play, GDPR obligations are live and cannot wait, address the legal baseline immediately. If the goal is the broadest reusable foundation, ISO 27001 first is the common recommendation, because its risk-based ISMS becomes the scaffold everything else hangs on. If a specific enterprise customer is demanding proof to close a deal, SOC 2 first is often the pragmatic choice. Many organisations run GDPR groundwork in parallel with whichever security framework their market demands, rather than treating them as strictly sequential.

Practical Guidance for Mapping Implementation

Step-by-Step Control Mapping Process

Start by inventorying every requirement across the three frameworks, then group requirements that demand the same underlying control. Define a single control to satisfy each group, assign a clear owner, and document precisely how it meets each framework’s requirement. Identify the controls that map to only one framework, the GDPR data subject rights processes and the elective SOC 2 criteria, and build those separately. Finally, link each control to the specific evidence that proves it operates, so a single artefact can be cited across every relevant audit. This last step is where most organisations under-invest, and where the practical time savings are actually realised.
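The mapping process above, the common control core described earlier, and the evidence-reuse point made for GDPR and ISO 27001 are easiest to keep honest when the mapping lives in data rather than in a spreadsheet nobody re-checks. The following is an added example (not code from the article or from any compliance tool) of a minimal control register that records which requirement each control claims, which evidence backs it, and then reports the three things the article says to look for: requirements nothing maps to, controls whose evidence cannot be cited for every framework they serve, and controls that belong to only one framework. The GDPR articles are those the article cites; the ISO 27001:2022 Annex A and SOC 2 common-criteria numbers, the control IDs, owners, dates and evidence records are assumptions constructed for illustration and should be checked against the standards before reuse.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Requirement:
    framework: str  # "GDPR", "ISO27001" or "SOC2"
    ref: str        # article, Annex A control or common-criteria number
    text: str


@dataclass(frozen=True)
class Evidence:
    name: str
    collected: date
    covers_personal_data: bool  # True when the artefact records personal-data flows, not just assets


@dataclass
class Control:
    id: str
    owner: str
    satisfies: tuple[Requirement, ...]
    evidence: tuple[Evidence, ...] = ()


# Constructed sample data. GDPR articles are those the article cites; the
# ISO 27001:2022 Annex A and SOC 2 CC numbers are assumptions for illustration.
GDPR_32 = Requirement("GDPR", "Art. 32", "Security of processing")
GDPR_33 = Requirement("GDPR", "Art. 33", "Notify supervisory authority of a breach")
GDPR_28 = Requirement("GDPR", "Art. 28", "Processor contract terms")
GDPR_35 = Requirement("GDPR", "Art. 35", "Data protection impact assessment")
GDPR_17 = Requirement("GDPR", "Art. 17", "Right to erasure")
ISO_ACCESS = Requirement("ISO27001", "A.5.15", "Access control")
ISO_INCIDENT = Requirement("ISO27001", "A.5.24", "Incident management planning and preparation")
ISO_SUPPLIER = Requirement("ISO27001", "A.5.19", "Information security in supplier relationships")
SOC_ACCESS = Requirement("SOC2", "CC6.1", "Logical access security")
SOC_INCIDENT = Requirement("SOC2", "CC7.4", "Respond to identified security incidents")
SOC_VENDOR = Requirement("SOC2", "CC9.2", "Vendor and business partner risk")

REQUIREMENTS = [GDPR_32, GDPR_33, GDPR_28, GDPR_35, GDPR_17,
                ISO_ACCESS, ISO_INCIDENT, ISO_SUPPLIER,
                SOC_ACCESS, SOC_INCIDENT, SOC_VENDOR]

PERIOD = (date(2024, 1, 1), date(2024, 12, 31))  # hypothetical SOC 2 Type II reporting period

CONTROLS = [
    Control("CTL-ACCESS", "IT Ops", (GDPR_32, ISO_ACCESS, SOC_ACCESS),
            (Evidence("Q3 access review", date(2024, 9, 30), True),)),
    Control("CTL-INCIDENT", "Security", (GDPR_33, ISO_INCIDENT, SOC_INCIDENT),
            (Evidence("Incident log export", date(2024, 11, 15), True),)),
    # Vendor register was last refreshed before the reporting period began.
    Control("CTL-VENDOR", "Procurement", (GDPR_28, ISO_SUPPLIER, SOC_VENDOR),
            (Evidence("Vendor risk register", date(2023, 6, 1), True),)),
    # GDPR-only process: no security framework asks for it, and no evidence yet.
    Control("CTL-ERASURE", "Privacy", (GDPR_17,)),
]


def coverage_gaps(requirements, controls):
    """Requirements no control claims: the mapping is incomplete here."""
    claimed = {r for c in controls for r in c.satisfies}
    return sorted((r.framework, r.ref) for r in requirements if r not in claimed)


def evidence_gaps(controls, period):
    """Controls whose linked evidence cannot be cited for every framework they map to.

    Simplified rules: any mapped control needs at least one artefact; a control
    cited for SOC 2 needs an artefact dated inside the Type II period; a control
    cited for GDPR needs an artefact scoped to personal data.
    """
    start, end = period
    gaps = []
    for c in controls:
        frameworks = {r.framework for r in c.satisfies}
        if not c.evidence:
            gaps.append((c.id, "no evidence linked"))
            continue
        if "SOC2" in frameworks and not any(start <= e.collected <= end for e in c.evidence):
            gaps.append((c.id, "no evidence dated inside SOC 2 reporting period"))
        if "GDPR" in frameworks and not any(e.covers_personal_data for e in c.evidence):
            gaps.append((c.id, "no evidence scoped to personal data"))
    return gaps


def single_framework_controls(controls):
    """Controls that serve exactly one framework; these are built and tracked separately."""
    return [c.id for c in controls if len({r.framework for r in c.satisfies}) == 1]


def reuse_ratio(controls):
    """Share of controls that feed two or more frameworks (the common core)."""
    shared = sum(1 for c in controls if len({r.framework for r in c.satisfies}) > 1)
    return shared / len(controls)


if __name__ == "__main__":
    print("unmapped requirements:", coverage_gaps(REQUIREMENTS, CONTROLS))
    print("evidence gaps:", evidence_gaps(CONTROLS, PERIOD))
    print("framework-specific controls:", single_framework_controls(CONTROLS))
    print(f"controls serving 2+ frameworks: {reuse_ratio(CONTROLS):.0%}")
```

On the sample data the register flags Article 35 as unmapped, the vendor control as unusable for the SOC 2 period because its only artefact predates it, and the erasure control as both GDPR-only and unevidenced. The one-artefact-in-period rule for SOC 2 is a deliberate simplification; a Type II auditor samples across the whole period, so a real register would hold a date per test occurrence. Re-running the checks on every evidence upload is what turns the mapping into the living document the next section asks for.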

Common Pitfalls When Mapping Compliance Frameworks

The most damaging mistake is treating mapping as equivalence: assuming that because a control satisfies ISO 27001, it automatically satisfies GDPR. Overlap is not coverage. A second pitfall is mapping at too high a level, declaring that two requirements align without checking that your specific implementation meets both. A third is letting mappings go stale; when ISO 27001 moved from its 2013 to its 2022 control set, every mapping built against the old 114 controls needed revisiting against the new 93.

Never map frameworks once and file the result away. Standards revise, the law gets reinterpreted through enforcement decisions, and your own systems change. A mapping is a living document, not a one-time deliverable produced after the first audit and never touched again.

How to Maintain Compliance Across All Three Frameworks

Maintenance is continuous, not annual. ISO 27001 requires surveillance audits each year and recertification every three years. SOC 2 Type II demands evidence across the whole reporting period. GDPR compliance is a permanent legal state with no renewal date. The practical answer is continuous monitoring: automated control checks, a maintained risk register, regular internal audits, and management reviews that treat all three frameworks as one programme rather than three separate calendar events. The organisations that struggle are invariably those that treat each audit as a sprint rather than building the monitoring infrastructure that makes compliance a steady state.

Bringing It Together

GDPR, SOC 2, and ISO 27001 share a large security core and diverge on purpose, output, and the rights they protect. ISO 27001 gives GDPR’s security obligations their operational detail. SOC 2 proves those controls to customers. GDPR adds privacy rights that neither security framework touches. The organisations that handle all three well do not run three projects. They build one common control framework, collect evidence once, and map each control to every requirement it serves. Treat the overlap as a foundation and the differences as the parts that still need dedicated attention, and the combined compliance burden becomes far lighter than the sum of its parts.