The Hard Truth: Your Certificate ≠ Legal Compliance
Why ISO/IEC 27001 does not prove you are compliant with the law.
There is a dangerous misunderstanding in the business world. It usually happens during a vendor review. A prospect asks, “Are you compliant with privacy laws like GDPR or regulations like NIS2?”
The response is often a confident, “Yes, we are ISO 27001 certified.”
That answer is misleading.
This edition of GRC Lab is brought to you by … Kertos (Advertisement)
Europe's #1 compliance platform, Kertos, automates your compliance standards, such as ISO 27001, GDPR, SOC 2, or the EU AI Act – from the initial analysis to the audit and as a sustainable solution far beyond.
An ISO 27001 certificate proves exactly one thing: you have a management system that meets the ISO standard. It does not prove you are compliant with the law. It certainly doesn’t prove you are immune to regulatory fines.
Here is why you need to stop treating a security certificate as proof of legal compliance.
1. The Auditor Is Not Checking the Law
To understand the certificate, you have to understand the rules the auditors follow. They don’t just make things up; they follow a strict standard called ISO/IEC 17021-1.
This document contains a specific note that ends the debate immediately:
ISO 17021-1 9.2.1.2 b)
“A management system certification audit is not a legal compliance audit.”
When an auditor visits your company, they are auditing your management system, not your conformity with the applicable legal, regulatory and contractual requirements. They look only for evidence that you meet the requirements of the ISO/IEC 27001 standard. Nothing more, nothing less.
Furthermore, the standard for bodies providing ISMS audits, ISO/IEC 27006-1, explicitly states that while auditors need to know the general legal landscape, this “does not imply a profound legal background.”
ISO/IEC 27006-1, 7.1.3.1.5
Each auditor in an ISMS audit team shall have knowledge of:
a) the legal and regulatory requirements in the particular information security field, geography and jurisdiction(s);
NOTE Knowledge of legal and regulatory requirements does NOT imply a profound legal background.
Auditors are not lawyers. They do not have the authority or the training to interpret complex regulations like NIS2. If an auditor tries to certify that you are legally compliant, they are breaking their own rules.
2. They Audit the “Approach,” Not the Outcome
So, what are they actually checking?
Under Control 5.31, the auditor verifies that you have identified legal requirements and documented your “approach to meet these requirements.”
The key word is “approach.”
The auditor checks if your procedure for identifying laws is sound. They verify that you have a list of laws and a plan to address them. They do not check if that plan would hold up in court.
If you have a procedure to review compliance, and you follow that procedure, you pass the audit. You can technically pass an ISO 27001 audit while being in breach of a specific regulation, simply because the auditor’s job is to verify you have a mechanism to manage the risk, not to confirm you have solved it.
3. The Standard Allows You to “Opt-Out” of Laws
This is the most surprising reality for many business leaders. ISO/IEC 27001 gives you the option to choose which requirements you address.
Clause 4.2 requires you to identify interested parties (like regulators) and their requirements. But it then asks you to decide “which of these requirements will be addressed through the information security management system.”
This implies a choice. You identify the requirements, and you determine which ones fall within the scope of your system.
If you list a regulation like NIS2 in your Statement of Applicability (SoA), the auditor checks it for “relevance,” not conformity. The standards clarify that such references are not used for conformity assessment. You are showing that you considered the law, not proving that you obey it.
The Takeaway
An ISO 27001 certificate is a valuable asset. It builds trust and proves you have a rigorous framework for managing risk.
But it is not a legal shield. If a vendor claims their ISO badge makes them compliant with GDPR or CCPA, they are incorrect. The certificate verifies the system, not the legal result. Keep that distinction clear to maintain a realistic view of your security posture.
Make yourself irreplaceable, even to AI.
Watching videos is a great start, but implementing an entire ISMS requires a structured approach combined with advice from those who already did it.
If you are ready to master the standard and get certified, I invite you to enrol in my ISO/IEC 27001 Lead Implementer Course.
New Update: I have recently upgraded the program. You now have the unique opportunity to work directly with me inside the course. Whether you are stuck on risk methodology or need a second pair of eyes on your scope, I’m here to help you cross the finish line.
*Affiliate Link: If you purchase a license through this link, we receive a commission at no additional cost to you.