GDPR & ISO 27001 Compliance Self-Assessment Tool

Comprehensive evaluation for security leaders to assess compliance posture and prioritize remediation efforts

Last updated: April 23, 2025

Assessment Overview

This enhanced self-assessment tool helps CISOs, CCOs, and security professionals evaluate their organization's compliance with both GDPR and ISO 27001 frameworks.

By completing this assessment, you will:

Identify gaps in your current compliance program across both frameworks
Determine your risk exposure for each framework with weighted scoring
Understand which framework may be more appropriate to prioritize based on your current posture
Receive a detailed action plan with prioritized remediation steps
Get recommendations for leveraging synergies between the frameworks to optimize resources

Framework Comparison

Aspect	GDPR	ISO 27001
Focus	Data privacy and protection of personal data	Information security management across all data types
Scope	EU residents' personal data regardless of where processing occurs	All information assets for the defined scope
Approach	Principle-based regulatory requirements	Risk-based management system
Compliance	Legal requirement for organizations processing EU residents' data	Voluntary certification, but often required by contracts/customers
Key Components	Data subject rights, consent, breach notification, DPIAs, data protection principles	Risk assessment, security controls, ISMS, continuous improvement, leadership commitment
Penalties for Non-Compliance	Up to €20 million or 4% of global annual turnover	No direct regulatory penalties, but potential business/contractual impacts

Understanding the Benefits of Synergy

While GDPR and ISO 27001 have different focuses, they share many common elements. By implementing both frameworks strategically, you can:

Use ISO 27001 as the foundation for your overall security program
Leverage the ISMS structure to address GDPR's security requirements
Ensure GDPR's data protection principles are embedded in your security controls
Create unified policies, procedures, and training programs
Streamline audits and evidence collection for both frameworks

Assessment Instructions

To complete the enhanced assessment:

Click the "Assessment" tab to begin
Answer each question honestly based on your organization's current state
For each question, select the most appropriate response:
- Fully Implemented (3 points) - The requirement is completely satisfied
- Partially Implemented (1 point) - Some elements are in place but incomplete
- Not Implemented (0 points) - No meaningful implementation has occurred
- Not Applicable - The requirement does not apply to your organization
Add notes for context if needed
Critical questions that have higher weight in the assessment are marked with an asterisk (*)
After completing all sections, click "Calculate Results" to view your assessment

Assessment Progress 0%

Auto-saving enabled

Section 1: Organizational Context and Governance

ISO 27001

1.1 Has your organization established and documented the context of internal and external factors that affect its information security and data protection objectives? i Consider regulatory, technological, competitive, market, cultural, social, and economic factors that may impact your information security and data protection posture.

Applicable to: Both GDPR (Art. 24) and ISO 27001 (Clause 4.1)

Fully Implemented Partially Implemented Not Implemented Not Applicable

1.2* Has your organization identified and documented all interested parties and their requirements relevant to information security and data protection? i Interested parties may include customers, suppliers, regulators, shareholders, employees, and other stakeholders with requirements or expectations related to security and privacy.

Applicable to: Both GDPR (Art. 24, 28) and ISO 27001 (Clause 4.2)

Fully Implemented Partially Implemented Not Implemented Not Applicable

1.4* Has your organization established and documented the scope of your Information Security Management System (ISMS)? i This should define the boundaries of your ISMS including locations, functions, assets, technology, and interfaces with external entities.

Applicable to: ISO 27001 (Clause 4.3)

Fully Implemented Partially Implemented Not Implemented Not Applicable

1.5* Does your organization have documented evidence of executive leadership commitment for both data protection and information security? i This should include formal policy approval, resource allocation, defined roles and responsibilities, and active oversight by top management.

Applicable to: Both GDPR (Art. 24) and ISO 27001 (Clause 5.1)

Fully Implemented Partially Implemented Not Implemented Not Applicable

1.7 Has your organization assigned information security responsibilities to specific roles with clear authority and accountability? i This includes roles like Chief Information Security Officer (CISO), security managers, and others with specific security responsibilities across the organization.

Applicable to: ISO 27001 (Clause 5.3)

Fully Implemented Partially Implemented Not Implemented Not Applicable

1.8* Does your organization have documented information security and data protection policies approved by management? i Policies should be comprehensive, formally approved, communicated to all relevant parties, and regularly reviewed and updated.

Applicable to: Both GDPR (Art. 24) and ISO 27001 (Clause 5.2)

Fully Implemented Partially Implemented Not Implemented Not Applicable

Section 2: Risk Assessment and Management

ISO 27001

2.2* Does your organization have a documented information security risk assessment methodology? i The methodology should define criteria for risk acceptance, assessment methods, and how to evaluate likelihood and impact.

Applicable to: ISO 27001 (Clause 6.1)

Fully Implemented Partially Implemented Not Implemented Not Applicable

2.3* Has your organization conducted a comprehensive risk assessment covering both security and privacy risks? i This should identify, analyze and evaluate risks to information confidentiality, integrity, availability as well as privacy-specific risks related to personal data.

Applicable to: Both GDPR (Art. 24, 32) and ISO 27001 (Clause 6.1.2)

Fully Implemented Partially Implemented Not Implemented Not Applicable

2.4 Do you have a risk treatment plan with defined controls for identified risks? i The plan should outline how each identified risk will be treated (mitigated, transferred, avoided, or accepted) with specific control measures.

Applicable to: Both GDPR (Art. 24, 32) and ISO 27001 (Clause 6.1.3)

Fully Implemented Partially Implemented Not Implemented Not Applicable

2.5 Is your risk assessment process repeated at planned intervals or when significant changes occur? i Regular risk assessments should be scheduled (typically annually) and also triggered by significant changes to systems, processes, or the threat landscape.

Applicable to: Both GDPR (Art. 32) and ISO 27001 (Clause 6.1, 8.1)

Fully Implemented Partially Implemented Not Implemented Not Applicable

2.6 Has your organization created a Statement of Applicability (SoA) documenting relevant ISO 27001 controls? i The SoA should list all controls from Annex A, indicating whether each is applicable or not, with justification for exclusions.

Applicable to: ISO 27001 (Clause 6.1.3)

Fully Implemented Partially Implemented Not Implemented Not Applicable

Section 3: Data Protection Principles and Requirements

Section 4: Data Subject Rights and Transparency

Section 5: Information Security Controls

ISO 27001

5.1* Has your organization implemented appropriate technical and organizational security measures? i These should include measures such as encryption, pseudonymization, access controls, backup procedures, and regular testing of security measures, based on risk.

Applicable to: Both GDPR (Art. 32) and ISO 27001 (Clauses 6.1.3, 8.1)

Fully Implemented Partially Implemented Not Implemented Not Applicable

5.2* Do you have an information classification scheme implemented? i Information should be classified based on legal requirements, value, criticality, and sensitivity to unauthorized disclosure or modification, with corresponding handling procedures.

Applicable to: Both GDPR (Art. 32) and ISO 27001 (Annex A)

Fully Implemented Partially Implemented Not Implemented Not Applicable

5.3* Have you implemented access control policies and procedures? i This should include formal user registration/deregistration, privilege management, regular review of access rights, and password management.

Applicable to: Both GDPR (Art. 32) and ISO 27001 (Annex A)

Fully Implemented Partially Implemented Not Implemented Not Applicable

5.4 Do you have cryptographic controls in place to protect sensitive information? i This includes encryption for data at rest and in transit, with proper key management procedures and policies on the use of cryptographic controls.

Applicable to: Both GDPR (Art. 32) and ISO 27001 (Annex A)

Fully Implemented Partially Implemented Not Implemented Not Applicable

5.5 Do you have physical and environmental security controls? i This includes secure areas, equipment security, and protection against environmental threats to prevent unauthorized physical access, damage, and interference.

Applicable to: Both GDPR (Art. 32) and ISO 27001 (Annex A)

Fully Implemented Partially Implemented Not Implemented Not Applicable

5.6 Do you have secure development practices for systems that process sensitive data? i This includes security in development processes, secure coding guidelines, testing, and separation of development, testing, and operational environments.

Applicable to: Both GDPR (Art. 25, 32) and ISO 27001 (Annex A)

Fully Implemented Partially Implemented Not Implemented Not Applicable

5.7* Do you have logging and monitoring capabilities for security-relevant events? i This includes event logging, protection of log information, administrator/operator logs, clock synchronization, and monitoring of system use.

Applicable to: Both GDPR (Art. 32) and ISO 27001 (Annex A)

Fully Implemented Partially Implemented Not Implemented Not Applicable

5.8 Do you have backup and recovery procedures for critical information? i This includes regular backups, testing of restoration procedures, and secure storage of backup media in accordance with a backup policy.

Applicable to: Both GDPR (Art. 32) and ISO 27001 (Annex A)

Fully Implemented Partially Implemented Not Implemented Not Applicable

Section 6: Incident and Breach Management

ISO 27001

6.1* Do you have a documented data breach/incident response plan? i The plan should define roles and responsibilities, steps for identification, containment, eradication, recovery, and lessons learned for security incidents.

Applicable to: Both GDPR (Art. 33-34) and ISO 27001 (Annex A)

Fully Implemented Partially Implemented Not Implemented Not Applicable

6.4 Do you maintain documentation of all data breaches/security incidents? i Documentation should include the facts, effects, and remedial actions taken for all breaches, regardless of whether they require notification.

Applicable to: Both GDPR (Art. 33(5)) and ISO 27001 (Annex A)

Fully Implemented Partially Implemented Not Implemented Not Applicable

6.5 Do you conduct regular testing of your incident response procedures? i This should include periodic tabletop exercises, simulations, or other forms of testing to ensure the effectiveness of incident response procedures.

Applicable to: Both GDPR (Art. 32) and ISO 27001 (Annex A)

Fully Implemented Partially Implemented Not Implemented Not Applicable

6.6 Do you conduct post-incident reviews to identify improvements? i After incidents are resolved, you should have a formal process to review what happened, identify lessons learned, and implement improvements to prevent similar incidents.

Applicable to: ISO 27001 (Annex A)

Fully Implemented Partially Implemented Not Implemented Not Applicable

Section 7: Third-Party Management

ISO 27001

7.2* Do you perform security assessments of vendors/suppliers? i This should include due diligence before engaging vendors and regular security assessments based on the sensitivity of the information they handle.

Applicable to: Both GDPR (Art. 28) and ISO 27001 (Annex A)

Fully Implemented Partially Implemented Not Implemented Not Applicable

7.3 Do you monitor vendor/supplier compliance with security requirements? i This should include regular reviews, obtaining security attestations, and enforcing contractual obligations for ongoing compliance.

Applicable to: Both GDPR (Art. 28) and ISO 27001 (Annex A)

Fully Implemented Partially Implemented Not Implemented Not Applicable

7.5 Do you have processes to manage changes to supplier services? i This should include monitoring and reviewing changes in supplier relationships, services, or circumstances that could affect information security.

Applicable to: ISO 27001 (Annex A)

Fully Implemented Partially Implemented Not Implemented Not Applicable

Section 8: Monitoring, Measurement, and Improvement

ISO 27001

8.1* Do you conduct regular internal audits of your security and privacy controls? i Internal audits should be planned and conducted at regular intervals to verify compliance with policies, procedures, and requirements.

Applicable to: Both GDPR (Art. 24, 32) and ISO 27001 (Clause 9.2)

Fully Implemented Partially Implemented Not Implemented Not Applicable

8.2 Have you established key performance indicators (KPIs) for information security? i KPIs should be defined to measure the effectiveness of security controls, processes, and the ISMS as a whole.

Applicable to: ISO 27001 (Clause 9.1)

Fully Implemented Partially Implemented Not Implemented Not Applicable

8.3* Do you have a process for handling nonconformities and implementing corrective actions? i When nonconformities are identified, you should react promptly, evaluate the need for corrective action, implement appropriate actions, and review their effectiveness.

Applicable to: Both GDPR (Art. 24, 32) and ISO 27001 (Clause 10.1)

Fully Implemented Partially Implemented Not Implemented Not Applicable

8.4 Does top management conduct regular reviews of the ISMS? i Management reviews should assess the ISMS's continued suitability, adequacy, and effectiveness, including the status of actions from previous reviews and changes in internal/external issues.

Applicable to: ISO 27001 (Clause 9.3)

Fully Implemented Partially Implemented Not Implemented Not Applicable

8.6 Is there a continuous improvement process for your security and privacy programs? i This should include ongoing assessment and improvement of the suitability, adequacy, and effectiveness of your security and privacy controls.

Applicable to: Both GDPR (Art. 24, 32) and ISO 27001 (Clause 10.2)

Fully Implemented Partially Implemented Not Implemented Not Applicable

Assessment Results

ISO 27001 Compliance Score

Risk Level: Calculating...

Overall Maturity Score

Risk Level: Calculating...

GDPR & ISO 27001 Compliance Self-Assessment Tool

Assessment Overview

Framework Comparison

Understanding the Benefits of Synergy

Assessment Instructions

Section 1: Organizational Context and Governance

Section 2: Risk Assessment and Management

Section 3: Data Protection Principles and Requirements

Section 4: Data Subject Rights and Transparency

Section 5: Information Security Controls

Section 6: Incident and Breach Management

Section 7: Third-Party Management

Section 8: Monitoring, Measurement, and Improvement

Assessment Results

Framework Compliance by Section

Key Findings

Section Scores

Recommended Focus Areas

Framework Prioritization Guidance

Recommended Action Plan

Assessment Overview

Framework Comparison

Understanding the Benefits of Synergy

Assessment Instructions

Section 1: Organizational Context and Governance

Section 2: Risk Assessment and Management

Section 3: Data Protection Principles and Requirements

Section 4: Data Subject Rights and Transparency

Section 5: Information Security Controls

Section 6: Incident and Breach Management

Section 7: Third-Party Management

Section 8: Monitoring, Measurement, and Improvement

Assessment Results

Framework Compliance by Section

Key Findings

Section Scores

Recommended Focus Areas

Framework Prioritization Guidance

Recommended Action Plan

Help & Guidance