Comparison · Vietnam

ISO 27001 vs PDPD

Decree 13/2023 (PDPD) and ISO 27001 are the two most important compliance requirements Vietnamese businesses face. Significant overlap between both frameworks allows effort optimization when implementing together.

By pTrackly Compliance Team · Updated July 2026 · ISO 27001:2022 & Decree 13/2023
💡
Key insight: ISO 27001 is an information security framework, PDPD is a personal data protection law. These are two different dimensions — ISO 27001 does not replace PDPD and vice versa. But implementing ISO 27001 builds approximately 60–70% of the technical foundation needed for PDPD (based on cross-mapping analysis of ISO 27001:2022 Annex A against Decree 13/2023 obligations).

Fundamental comparison

Aspect ISO 27001 PDPD (Nghị định 13/2023)
Nature Voluntary international standard (can certify) Mandatory Vietnamese law
Goal Protect confidentiality, integrity, availability of information Protect privacy and personal data of individuals
Scope All information types (not just personal data) Only personal data of Vietnamese nationals
Authority Independent certification body (CB) Department A05, Vietnam Ministry of Public Security
Consent & Data Rights Not directly required (but Privacy policy is in Annex A) Mandatory: consent, DSR workflow, DPIA
Sensitive data registration No requirement Mandatory registration with MPS
Output ISO 27001 certificate (commercial value) Legal compliance (avoid legal risk)

Control overlap: ISO 27001 Annex A → PDPD

When implementing ISO 27001, many Annex A controls simultaneously satisfy PDPD's technical and organizational obligations:

ISO 27001 Annex A Control Satisfies PDPD obligation
A.5.34, Privacy & PII protection Overall personal data protection obligation
A.5.13, Labeling of information Classification of basic vs sensitive data
A.8.11, Data masking Technical protection of sensitive personal data
A.5.36, Compliance with policies Data protection policy compliance
A.6.3, Information security awareness & training Staff PDPD training
A.5.33, Protection of records Evidence and DPIA record retention
A.5.19/5.20, Supplier relationships Data Processing Agreement with vendors
A.5.24-5.28, Incident management Data breach detection and notification (72h)
A.8.3, Information access restriction Access control for personal data

What ISO 27001 does NOT cover (additional work for PDPD):

  • Consent mechanism and consent withdrawal
  • Data Subject Request (DSR) workflow
  • DPIA documentation for sensitive data
  • Registration with Ministry of Public Security (sensitive data)
  • Cross-border data transfer agreement per PDPD

Strategy: ISO 27001 + PDPD in parallel

If your company is implementing ISO 27001 for international markets, this is the ideal time to simultaneously build PDPD compliance. The additional cost is much lower than doing each separately.

1
Start in parallel from day one

When scoping ISO 27001, simultaneously map personal data per PDPD. One gap analysis, two outputs.

2
Reuse ISO 27001 policies

Information Security Policy, Incident Response Policy, Supplier Management Policy → adjust to cover PDPD obligations, don't rewrite.

3
Add PDPD-specific layer

Additionally build: consent flow, DSR workflow, DPIA template, and MPS registration if handling sensitive data.

4
ISO 27001 audit → leads to PDPD readiness

When external auditors assess ISO 27001, your evidence collection process simultaneously creates PDPD documentation.

Frequently asked questions

Does ISO 27001 satisfy PDPD requirements?

No. ISO 27001 builds approximately 60–70% of the technical foundation needed for PDPD, but does not replace it. You still need to add: consent mechanisms, DSR workflows, DPIA documentation, Ministry of Public Security registration for sensitive data, and cross-border data transfer agreements.

What does ISO 27001 not cover for PDPD compliance?

5 areas ISO 27001 doesn't cover: (1) Consent mechanism and consent withdrawal; (2) Data Subject Request (DSR) workflow; (3) DPIA documentation for sensitive data; (4) Registration with Department A05, Ministry of Public Security; (5) Cross-border data transfer agreements per PDPD. These must be added even if you already have ISO 27001.

How long to implement ISO 27001 and PDPD in parallel?

Parallel implementation typically takes 6–12 months depending on organization size, compared to 12–18 months if done separately. Savings come from shared gap analysis, policies, and evidence collection. A compliance platform like pTrackly can significantly reduce this timeline through unified control mapping.

Ready to get audit-ready?

Book a 15-minute call. See the platform. Decide if it fits.

Book Free Demo 15 min, no commitment
No credit card required Setup in 24 hours Cancel anytime
Book a Demo