Implementation of ISO 27001 as part of the GDPR compliance journey


Hello everyone,

I currently work for a start-up company that develops a class IIa active monitoring medical device. The system will process sensitive personal data concerning health from patients at the hospital, hence we fall under the scope of the GDPR.
It is not yet on the market, which leaves us some time. We are currently working on getting the device CE-marked.

I recently became aware that implementing the ISO 27001 standard (“Information security management”) would be an interesting start in our GDPR compliance path, since it would give us a framework and help us comply with about 75-80% of the GDPR.
I have been learning a lot on the subject ever since, but I still have a few questions in mind, and was hoping that we could start a discussion around the topic.

- First of all, any general experience feedback would be appreciated on the question. If your company implemented ISO 27001 as part of GDPR compliance, or on its own, any impression or piece of advice would be very welcome.
- I am mainly trying to assess the effort needed to get ISO 27001 certified right now, but I understand it might depend on several parameters such as the size of our company (we’re only 7 employees), our budget, the time we have to comply, and simply what the gap is between where we stand right now with our Information Security Management System (ISMS; which is basically nonexistent at the moment).
- The budget is quite a concern of mine, since I didn’t find two sources mentioning the same range of investment; it went from 5000€ to 100,000€. Once again it might depend on the factors mentioned above, but any feedback on the external costs would be welcome (consultancy + certification), especially for a small company.
- Then we can also wonder if going for the certification itself would be really necessary. From my perspective, it would be “too bad” to go through these efforts and not get certified, since it could be quite a compliance and competitive advantage.
- The time spent on such a project is also something I fail at assessing in an accurate manner right now, but I get the idea that this will be naturally quite a big project, not something that takes a few weeks.
- I was wondering if anybody has used the ISO 27002 (“Security techniques – Code of practice for information security controls”; which as I understand it is more of a detailed guidance on the ISO 27001 Annex A controls) and BS 10012 (“Personal Information Management”). Although I understand the relevance of the ISO 27002 in this context, would the BS 10012 be redundant if we are already looking at ISO 27001?
- Finally, I’ve even been wondering about the relevance of such a project for a small company like ours. If we have a Data Protection Officer (DPO) for example, would that guide us enough on our compliance journey? Or would you still advise a small structure to go for ISO 27001 anyway (since the framework would be very concrete then)? It can get quite confusing.

I am looking forward to some feedback on your experience with this topic. Thanks a lot!


Rajesh Satam

Hi Laura, as per the information you have provided, it seems implementing ISMS or ISO 27001 may not be that difficult assuming the size of your organisation. ISMS is the first step you need to take if you want to get your organisation certified.
I don't have any practical experience in GDPR implementation but can certainly help you with ISO 27001 implementation.


Moved On
Hi Laura:

I am currently engaged in ISO 27001 implementation. You don't say where you are located, but ITG have a good white paper called "9 Steps to Success". It's a little heavyweight for small businesses, but has some good advice.

On the budget side, it's going to cost whatever you need to pay for. It's going to be very dependent upon what your "scope" is - what information you need to keep secure (it's not always just electronic form info) and what controls are necessary from the Annex A list. How you determine those is by creating a "statement of applicability". Do a Gap Analysis (I used a free form from and also using ISO 27002.