From ISO/IEC 27001:2013 and
ISO/IEC 27002:2013 to GDPR
compliance controls
Vasiliki Diamantopoulou
Department of Information and Communication Systems Engineering,
School of Engineering, University of the Aegean, Samos, Greece
Aggeliki Tsohou
Department of Informatics, Ionian University, Corfu, Greece, and
Maria Karyda
Department of Information and Communication Systems Engineering,
School of Engineering, University of the Aegean, Chios, Greece
Abstract
Purpose – This paper aims to identify the controls provisioned in ISO/IEC 27001:2013 and ISO/IEC
27002:2013 that need to be extended to adequately meet the data protection requirements set by the General Data
Protection Regulation (GDPR); it also indicates the security management actions an organisation needs to
perform to fulfil GDPR requirements. Thus, ISO/IEC 27001:2013 compliant organisations can use this paper
as a basis for extending their existing security control modules towards data protection, and as
guidance for reaching compliance with the regulation.
Design/methodology/approach – This study has followed a two-step approach. First, synergies
between ISO/IEC 27001:2013 modules and GDPR requirements were identified by analysing all 14 control
modules of ISO/IEC 27001:2013 and proposing the appropriate actions towards the satisfaction of data
protection requirements. Second, the GDPR requirements not addressed by ISO/IEC 27001:2013 were
identified.
Findings – The findings of this work include the identification of the common ground between the security
controls that ISO/IEC 27001:2013 includes and the requirements that the GDPR imposes; the actions that need
to be performed on the basis of these security controls to adequately meet the data protection requirements the
GDPR imposes; and the identification of the remaining actions an ISO/IEC 27001 compliant organisation
needs to perform to be able to adhere to the GDPR.
Originality/value – This paper provides a gap analysis and identifies the further steps, i.e. the
additional actions that need to be performed to allow an ISO/IEC 27001:2013 certified organisation to be
compliant with the GDPR.
Keywords Compliance, General data protection regulation, Data protection controls,
Security controls, ISO/IEC 27001:2013, ISO/IEC 27002:2013
Paper type Research paper
1. Introduction
The ubiquitous presence of information technology in people's daily routine poses
challenges regarding the protection of the information they share. Social media, fora, instant
messaging, mobile applications and e-commerce activities are some of the most popular
technologies that heavily rely on personal data being collected and exchanged for the
provision of the respective services. Personal data that people share online, exchanged on a
Received 10 January 2020
Revised 22 March 2020
Accepted 26 March 2020
Information & Computer Security
© Emerald Publishing Limited
2056-4961
DOI 10.1108/ICS-01-2020-0004
The current issue and full text archive of this journal is available on Emerald Insight at:
https://www.emerald.com/insight/2056-4961.htm