The complexity of personal data processing in the entities of the National Health Service (NHS) creates challenges for the adoption of privacy and information security standards. The need for practical results in the short term, driven by the application of the General Data Protection Regulation (GDPR) and the Network and Information Security Directive (NIS Directive), leads organizations to seek new approaches to overcome the lack of competencies and available resources. The proposed approach consists of implementing an Integrated Information Security and Privacy Management System (IISPMS). The master's thesis whose results are described in this article was developed in 2017 with the objective of defining a generic framework that health sector entities can use to guide the implementation of the IISPMS. This article describes the project and the controls that have been added to Annex A of ISO/IEC 27001:2013 to meet the requirements of the GDPR.