ISO 27001 vs. AVG
Let's start with the difference. ISO 27001 is an international standard for information security. The AVG (or GDPR) is legislation focused on privacy. Each has its own role, but they actually reinforce each other and have a lot in common.
The AVG imposes requirements on how you process and secure personal data. ISO 27001 helps you implement this in a structured way. The AVG tells you what to do, the ISO tells you how to do it.
Where do things often go wrong?
We encounter the same bottlenecks in many organizations. Do you recognize one (or more)?
❌ Uncertainty about scope: what personal data are we actually processing?
❌ Processor agreements are incomplete or outdated.
❌ The privacy rights of data subjects are known, but there is no clear process to actually ensure them in daily practice.
❌ DPIAs? Yes, done once ... but not recorded.
❌ The privacy policy is on paper but not actually implemented.
❌ Data breaches are reported "when we think about it."
❌ Relying on suppliers without clear agreements or due diligence (a thorough investigation of the supplier).
❌ International processing without a clear view of the applicable legislation (EU vs. US).
❌ Insufficient awareness in the organization ("that's what the data protection officer (FG) does, right?").
❌ No clear view of legal obligations (legal register missing).
And perhaps the biggest pitfall: privacy is seen "separately" from information security. But privacy is precisely part of information security.
How ISO 27001 helps with privacy
ISO 27001:2022 provides guidance for integrating privacy into your information security. Below we discuss a few concrete controls (management measures) from Annex A that address this directly:
- A.5.31: Legal, statutory, contractual obligations
Make sure you know what laws and regulations apply to your organization, including privacy laws. This is the basis for compliance.
Case example:
- Document in your ISMS which privacy laws are relevant (for example, the AVG, but also industry rules or international laws, such as the California Consumer Privacy Act (CCPA) if you do business with the U.S.).
- Use a legal register in which you briefly describe: what is the obligation, to whom does it apply, and how do you comply?
- Add the processing register as a mandatory attachment or document type within your ISMS.
- Appoint a responsible person (e.g., the PO or CISO) and schedule at least annual updates.
- A.5.34: Privacy and Protection of Personally Identifiable Information (PII)
Ensure that your organization takes measures to process personal data lawfully and securely.
Case example:
- Make sure you have a privacy policy that aligns with your information security policy.
- For example, document how you record consent, how you process data subjects' rights (such as access requests), and what bases you use.
- Have a register of processing operations that includes information on basis, retention periods, recipients, and systems involved.
- A.6.3: Information security awareness, education and training
Make sure employees are aware of privacy risks and know how to handle personal data securely and properly.
Case example:
- Organize regular mandatory training on privacy and data protection, such as how to recognize privacy-sensitive information, how to properly apply the AVG, and how to report a data breach. Ensure that new employees receive introductory training on privacy immediately upon joining the company.
- Increase privacy awareness within the organization by structurally training employees in the safe and careful handling of personal data. Think about recognizing sensitive data, preventing data breaches and complying with the AVG. Integrate this knowledge into onboarding and repeat it regularly via e-learnings or classroom sessions.
- A.6.6: Confidentiality statements
Make sure employees as well as suppliers are contractually committed to confidentiality.
Case example:
- Have new employees sign a confidentiality agreement upon hiring. In it, also refer to your privacy policy.
- Make sure your contracts with suppliers include a standard processor agreement with agreements on confidentiality and security.
- A.8.10: Removal of information
Regulate when and how personal data is securely deleted.
Case example:
- Set up a process where customer data is automatically deleted after a certain period of time (for example, 2 years after the last contact).
- Have IT keep a deletion log, or build a workflow in your CRM in which that happens automatically.
Please note that some personal data must actually be kept for a minimum time, for example because of tax or legal obligations. Therefore, think carefully about the appropriate retention period for each type of data.
We previously wrote a blog on how to carefully manage retention periods. You can find that one here!
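The deletion process described above, worked out as an added example (this is not code from the original post): customer records are deleted 2 years after the last contact, records under a tax or legal retention obligation are kept until that minimum has passed, and every deletion is appended to a log so it can be evidenced in an audit. The record layout, the `legal_holds` field, the sample records and the date are all constructed for this example.

```python
"""Retention-driven deletion with legal-hold exceptions and a deletion log.

Added example; record layout, legal_holds field and sample data are constructed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Default policy from the post: delete 2 years after the last contact.
DEFAULT_RETENTION = timedelta(days=2 * 365)


@dataclass
class CustomerRecord:
    customer_id: str
    last_contact: date
    # Minimum retention obligations, e.g. {"tax": date(2029, 1, 1)} means
    # "keep at least until 2029-01-01" regardless of the default policy.
    legal_holds: dict = field(default_factory=dict)


@dataclass
class DeletionLogEntry:
    customer_id: str
    deleted_on: date
    reason: str


def retention_deadline(record):
    """Earliest date on which the record may be deleted: the later of the
    default retention deadline and any legal-hold end date."""
    deadline = record.last_contact + DEFAULT_RETENTION
    for hold_until in record.legal_holds.values():
        if hold_until > deadline:
            deadline = hold_until
    return deadline


def apply_retention(records, today, log):
    """Delete expired records, appending one log entry per deletion.
    Returns the list of records that are kept."""
    kept = []
    for rec in records:
        if today >= retention_deadline(rec):
            reason = "retention period expired"
            if rec.legal_holds:
                reason += " (legal hold(s) lapsed: " + ", ".join(rec.legal_holds) + ")"
            log.append(DeletionLogEntry(rec.customer_id, today, reason))
        else:
            kept.append(rec)
    return kept


# Constructed sample data.
SAMPLE_RECORDS = [
    CustomerRecord("c1", date(2022, 1, 15)),                                # expired
    CustomerRecord("c2", date(2024, 11, 1)),                                # still within 2 years
    CustomerRecord("c3", date(2022, 1, 15), {"tax": date(2029, 1, 1)}),     # expired, but tax hold
]
TODAY = date(2025, 6, 1)


def run_example():
    """Run the retention job once over the sample data; returns (kept, log)."""
    log = []
    kept = apply_retention(SAMPLE_RECORDS, TODAY, log)
    return kept, log


if __name__ == "__main__":
    kept, log = run_example()
    print("kept:", [r.customer_id for r in kept])
    for entry in log:
        print("deleted:", entry)
```

The deadline is computed from the record itself, so a change in the default policy or in a legal hold only requires updating the record, not the job. The log entry states why the deletion was allowed, which is what an auditor will ask for.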
- A.8.11: Data masking
A technique to protect sensitive data in testing or training, for example.
Case example:
- Working with real customer data in your test environment? Don't. Instead, use masked data, such as fictitious names and addresses.
- Support staff can only see the last part of a BSN or account number unless given explicit access.
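Both masking situations from the case example in working code, added here and not taken from the original post: a test copy in which names and addresses are replaced by fictitious values, and a support view in which only the last digits of a BSN or account number are shown unless the viewer has explicit access. The record layout, the fictitious value lists and the `may_view_full` flag are assumptions made for this example.

```python
"""Data masking for test copies and support screens (added example).

Assumptions (constructed): record layout, fictitious value lists, may_view_full flag.
"""
import hashlib

FAKE_NAMES = ["A. Jansen", "B. de Vries", "C. Bakker", "D. Visser"]
FAKE_ADDRESSES = ["Teststraat 1", "Voorbeeldlaan 12", "Fictiefplein 3"]


def _pick(value, options):
    """Deterministic substitution: the same real value always maps to the same
    fictitious one, so relations between test tables stay intact."""
    digest = hashlib.sha256(value.encode("utf-8")).digest()
    return options[digest[0] % len(options)]


def mask_last_digits(value, visible, may_view_full=False):
    """Keep only the last `visible` digits; all other digits become '*'.
    Non-digits (spaces, IBAN letters) are kept so the format stays readable."""
    if may_view_full:
        return value
    digits_seen = 0
    out = []
    for ch in reversed(value):
        if ch.isdigit():
            out.append(ch if digits_seen < visible else "*")
            digits_seen += 1
        else:
            out.append(ch)
    return "".join(reversed(out))


def mask_for_test(record):
    """Test-environment copy: fictitious name/address, identifiers fully masked."""
    return {
        "name": _pick(record["name"], FAKE_NAMES),
        "address": _pick(record["address"], FAKE_ADDRESSES),
        "bsn": mask_last_digits(record["bsn"], visible=0),
        "iban": mask_last_digits(record["iban"], visible=0),
    }


def mask_for_support(record, may_view_full=False):
    """Support-desk view: last 3 digits of the BSN and last 4 of the account
    number, unless the staff member has been given explicit full access."""
    return {
        "name": record["name"],
        "address": record["address"],
        "bsn": mask_last_digits(record["bsn"], visible=3, may_view_full=may_view_full),
        "iban": mask_last_digits(record["iban"], visible=4, may_view_full=may_view_full),
    }


# Constructed sample record (fictitious values).
SAMPLE = {
    "name": "P. Voorbeeld",
    "address": "Echtestraat 9",
    "bsn": "123456782",
    "iban": "NL91 ABNA 0417 1643 00",
}

if __name__ == "__main__":
    print("test copy    :", mask_for_test(SAMPLE))
    print("support view :", mask_for_support(SAMPLE))
    print("full access  :", mask_for_support(SAMPLE, may_view_full=True))
```

Masking is applied at the moment data leaves the production boundary (the test export, the support screen), not afterwards, so the full values never reach the environment that should not hold them.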
- A.8.12: Data leakage prevention
Prevent inadvertent leakage of personal data through technical measures.
Case example:
- Restrict the sending of personal data via e-mail by setting technical limits, such as maximum file size, allowed file types or blocking attachments to external e-mail addresses. In addition, use a Data Loss Prevention (DLP) solution that automatically prevents employees from sending personal data to a private e-mail address.
- Implement automatic disk encryption on laptops (such as BitLocker for Windows or FileVault for macOS) so that if the device is lost or stolen, the personal data stored cannot be accessed.
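The e-mail limits from the first bullet, written out as an added policy check (this is example code, not the post's own and not any vendor's DLP product): attachments to external recipients are blocked, attachment type and size are capped, and a message containing a valid BSN is stopped when it is addressed to a private mailbox domain. The internal and private domain lists, the thresholds and the sample messages are constructed for this example; the BSN check is the public Dutch "11-proef".

```python
"""Outgoing e-mail DLP policy check (added example, not the post's code).

Constructed: domain lists, thresholds, sample messages.
"""
import re

INTERNAL_DOMAINS = {"example.nl"}                                    # constructed
PRIVATE_MAIL_DOMAINS = {"gmail.com", "hotmail.com", "outlook.com"}   # constructed
ALLOWED_ATTACHMENT_TYPES = {".pdf", ".docx", ".xlsx"}
MAX_ATTACHMENT_BYTES = 10 * 1024 * 1024

BSN_CANDIDATE = re.compile(r"\b\d{9}\b")


def is_valid_bsn(digits):
    """Dutch BSN 11-proef: weights 9..2 for the first eight digits and -1 for
    the last; the weighted sum must be divisible by 11."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    weights = [9, 8, 7, 6, 5, 4, 3, 2, -1]
    return sum(int(d) * w for d, w in zip(digits, weights)) % 11 == 0


def find_bsns(text):
    """Nine-digit numbers in the text that pass the 11-proef (low false-positive rate)."""
    return [m.group() for m in BSN_CANDIDATE.finditer(text) if is_valid_bsn(m.group())]


def evaluate_message(msg):
    """Return the list of policy violations; an empty list means the message may be sent."""
    violations = []
    domains = {addr.rsplit("@", 1)[-1].lower() for addr in msg["to"]}
    external = domains - INTERNAL_DOMAINS

    for att in msg.get("attachments", []):
        name = att["name"]
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext not in ALLOWED_ATTACHMENT_TYPES:
            violations.append(f"attachment type not allowed: {name}")
        if att["size"] > MAX_ATTACHMENT_BYTES:
            violations.append(f"attachment too large: {name}")
        if external:
            violations.append(f"attachment to external recipient blocked: {name}")

    if find_bsns(msg["body"]) and (domains & PRIVATE_MAIL_DOMAINS):
        violations.append("personal data (BSN) to private mailbox blocked")
    return violations


# Constructed sample messages. 111222333 passes the 11-proef; 123456789 does not.
SAMPLE_MESSAGES = [
    {"to": ["colleague@example.nl"], "body": "Case file for BSN 111222333 attached.",
     "attachments": [{"name": "dossier.pdf", "size": 1024}]},
    {"to": ["me.at.home@gmail.com"], "body": "Copy for my records: BSN 111222333",
     "attachments": []},
    {"to": ["partner@other-company.com"], "body": "See attached export.",
     "attachments": [{"name": "export.csv", "size": 20 * 1024 * 1024}]},
]

if __name__ == "__main__":
    for i, m in enumerate(SAMPLE_MESSAGES):
        print(i, evaluate_message(m) or "allowed")
```

Validating the BSN with the 11-proef instead of matching any nine-digit number keeps the rule from blocking invoice or order numbers; the three violations on the last sample message show that each limit is reported separately so the sender knows what to change.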
➡️ These controls are not a "checklist," but they will help you translate AVG obligations into practical measures.
What can you do without a lawyer or privacy team?
You don't have to be a specialist to make strides. A good foundation in your ISMS will get you a long way. Consider, for example:
- Processing register in order: start simple, map out what personal data you process and why.
- Test your data breach procedure: does everyone know when there is a data breach? And what to do then? Make it a topic people can raise openly.
- Create awareness: not only with e-learnings, but also through team meetings or incident reviews.
- Review processors: actively ask your vendors (such as software providers or cloud services) to demonstrate how they handle privacy and security. Consider documents such as a processor agreement, a recent security statement, DPIA, or information on how they address data breaches and risks.
- Link the privacy policy to your ISMS: make sure the privacy policy is not a separate document sitting in a folder somewhere, but is actively applied within your organization. For example, by linking it to your risk analysis and referring to it from your other ISMS documentation.
And perhaps most importantly, document decisions. A DPIA need not be a thick tome, as long as you show that you have considered risks and measures.
Incorporating privacy structurally: how?
Some concrete advice on how to be effective:
- Start with your processes: look at where personal data is processed and who can access it.
- Link privacy to risk analysis: add privacy risks to your regular ISO 27001 risk analysis.
- Embed AVG requirements in your ISMS: for example, in your change management, vendor management or awareness program.
- Don't forget your privacy statement: make sure what you write down is true to practice.
- Make sure it lives: just writing down policy is not enough. Let it be reflected in behavior, awareness and audits.
Privacy doesn't have to be a headache. Instead, ISO 27001 helps you bring order to the maze of rules, processes and documentation. You don't have to be a lawyer to take privacy seriously, as long as you know where to start. And that's exactly where we can help you.
Do you want more grip on privacy in your ISO approach? Feel free to contact us for practical support (such as an AVG scan) or a no-obligation check on your privacy processes.