I’m pleased to announce that Digital Shadows has recently achieved an important compliance milestone for our customers. After a concerted effort across the organization, we have earned the ISO/IEC 27001:2013 certification. You can find our certificate here.


So what is ISO27001? This is my first experience working directly with ISO27001. It is an international standard that provides requirements for establishing and maintaining an information security management system (ISMS). An ISMS is a systematic approach to managing sensitive company information so that it remains secure. It includes people, processes and IT systems by applying a risk management process.

ISO 27001 information security management


The standard includes 114 controls across the following clauses:

  • 5: Information security policies
  • 6: Organization of information security
  • 7: Human resource security
  • 8: Asset management
  • 9: Access control
  • 10: Cryptography
  • 11: Physical and environmental security
  • 12: Operations security
  • 13: Communications security
  • 14: System acquisition, development and maintenance
  • 15: Supplier relationships
  • 16: Information security incident management
  • 17: Information security aspects of business continuity management
  • 18: Compliance; with internal requirements, such as policies, and with external requirements, such as laws


What ISO27001 isn’t. ISO27001 isn’t a magical checkbox that wards off adversaries. It won’t defeat attackers like Valyrian steel on a white walker. When we started this journey, I was skeptical, having flashbacks of the Payment Card Industry Data Security Standard (PCI DSS) and all the debate around checkbox security.


Why does it matter? For me, ISO27001 matters because it forced us to mature our overall program. Over the past eighteen months, we’ve implemented many new controls that help us to better protect our clients’ data and help to ensure the availability of SearchLight, our digital risk protection offering. I’m not saying these new controls will prevent intrusions and outages, but our resiliency certainly has matured, and our customers have benefited. ISO27001 has become a critical component of our overall risk management strategy.

I’m proud of the Digital Shadows team for accomplishing this milestone, but as you well know, there is no finish line. We have new offices to bring into the ISO27001 fold, and we have to maintain the certification.

We recently recorded an interview discussing the certification; you can check it out below.



To stay up to date with the latest digital risk and threat intelligence news, subscribe to our threat intelligence emails here.