GDPR and ISO 27001 work best as one story: processors, DPIAs, breaches and demonstrable controls in your ISMS.
What to document
- Lawful basis, registers and processor agreements.
- DPIAs linked to risk treatment.
- Breach playbooks aligned with SOC timelines.
- Evidence that matches your privacy notice and technical reality.
Deep dive: GDPR and ISO 27001, EU hosting and data residency, ISO 27001 certification.