ISO 27001, 27017, 27018

Achieve and maintain ISO certification with comprehensive information security controls, cloud security measures, and personal data protection in cloud environments.

How Kiteworks Supports ISO 27001, 27017, and 27018 Compliance

The ISO 27000 family of standards provides internationally recognized frameworks for information security management. ISO 27001 establishes requirements for an Information Security Management System (ISMS), ISO 27017 extends these controls to cloud services, and ISO 27018 addresses the protection of personally identifiable information (PII) in public cloud environments. Kiteworks provides comprehensive capabilities that support organizations in achieving and maintaining certification across all three standards.

ISMS Implementation Support

ISO 27001 requires organizations to establish, implement, maintain, and continually improve an Information Security Management System. Kiteworks supports ISMS implementation through:

  • Policy enforcement: Centralized security policies that govern how sensitive content is accessed, shared, and protected across the organization
  • Asset management: Comprehensive inventory and classification of information assets processed through the platform
  • Process documentation: Standardized workflows for data handling that align with documented ISMS procedures
  • Management review support: Dashboard reporting and analytics that provide the data needed for management reviews of ISMS effectiveness
  • Continual improvement: Monitoring and metrics that identify opportunities to strengthen security controls over time

Annex A Controls Implementation

ISO 27001 Annex A contains 93 controls organized across four themes. Kiteworks addresses critical controls including:

  • A.5 Organizational Controls: Security policies, roles and responsibilities, segregation of duties, and contact with authorities
  • A.6 People Controls: Screening, awareness training, and disciplinary processes supported through access management and user activity monitoring
  • A.7 Physical Controls: Deployment flexibility ensures data center physical security requirements are met through on-premises or certified cloud hosting
  • A.8 Technological Controls: Encryption (AES-256 at rest, TLS 1.3 in transit), access controls, secure authentication, logging and monitoring, network security, and data masking

Cloud Security Controls (ISO 27017)

ISO 27017 provides additional guidance for cloud service providers and customers. Kiteworks supports 27017 compliance through:

  • Shared responsibility clarity: Clear delineation between provider and customer security responsibilities
  • Virtual machine hardening: Hardened virtual appliance architecture with minimal attack surface
  • Multi-tenancy isolation: Single-tenant architecture eliminates the risks associated with shared cloud environments
  • Cloud asset management: Complete visibility into cloud-hosted data and configurations
  • Secure decommissioning: Verified data removal when services are terminated
  • Activity monitoring: Comprehensive logging of all cloud service activities for customer visibility

PII Protection in Cloud (ISO 27018)

ISO 27018 establishes controls for protecting personally identifiable information processed by cloud service providers. Kiteworks supports 27018 compliance through:

  • Consent management: Enforce data processing limitations based on customer consent and contractual agreements
  • Purpose limitation: Process PII only for the purposes specified by the data controller
  • Data minimization: Collect and retain only the PII necessary for specified processing activities
  • Transparency: Provide customers with clear visibility into how and where their PII is processed
  • Data portability: Enable customers to retrieve their PII in standard, machine-readable formats
  • Secure deletion: Verified deletion of PII when no longer needed or when requested by the data controller
  • Sub-processor management: Controls and transparency regarding any third parties that may access PII

Risk Assessment and Management

All three ISO standards require systematic risk assessment and treatment. Kiteworks supports risk management through:

  • Threat identification: Built-in security monitoring identifies potential threats to information assets
  • Vulnerability management: Regular security assessments, penetration testing, and vulnerability scanning
  • Risk treatment: Configurable security controls that implement risk treatment decisions
  • Residual risk monitoring: Continuous monitoring of accepted risks through dashboards and alerting

ISO Compliance Coverage Matrix

ISO Standard | Focus Area            | Kiteworks Capability
ISO 27001    | ISMS Framework        | Policy enforcement, access controls, audit trails, incident management
ISO 27001    | Annex A Controls      | Encryption, authentication, network security, logging, asset management
ISO 27017    | Cloud Security        | Single-tenant isolation, hardened appliance, cloud activity monitoring
ISO 27017    | Shared Responsibility | Clear documentation of provider vs. customer security obligations
ISO 27018    | PII in Cloud          | Consent management, data minimization, purpose limitation, portability
ISO 27018    | Data Subject Rights   | Access, rectification, deletion, and portability of personal data

Continuous Monitoring and Improvement

ISO certification requires ongoing monitoring and improvement of security controls. Kiteworks enables continuous compliance through:

  • CISO Dashboard: Real-time visibility into all security events, data flows, and user activities
  • SIEM integration: Feed comprehensive logs into security information and event management systems for centralized analysis
  • Automated alerting: Real-time notifications for security events, policy violations, and anomalous activities
  • Compliance reporting: Generate evidence packages for internal audits and certification assessments

Incident Management and Business Continuity

ISO 27001 requires formal incident management and business continuity processes. Kiteworks supports these requirements through:

  • Incident detection: Automated monitoring identifies potential security incidents in real time
  • Incident response: Audit trails and forensic logging support rapid investigation and containment
  • Business continuity: High availability architecture, automated failover, and disaster recovery capabilities
  • Backup and recovery: Automated backup processes with tested recovery procedures

Why Choose Kiteworks for ISO Certification

Kiteworks provides the technical controls, documentation support, and operational capabilities organizations need to achieve and maintain ISO certification:

  • Comprehensive control coverage: Address Annex A controls with a single unified platform
  • Certification-ready evidence: Generate audit evidence packages that satisfy certification body requirements
  • Cloud-native security: Purpose-built for secure cloud operations with ISO 27017 and 27018 considerations
  • Deployment flexibility: On-premises, private cloud, or hybrid options to match your ISMS scope
  • Zero-breach track record: Proven security across 3,800+ enterprise customers worldwide

Whether you are pursuing initial ISO certification or maintaining existing certifications, Kiteworks provides the robust security infrastructure and comprehensive evidence generation capabilities needed to demonstrate compliance with ISO 27001, 27017, and 27018 standards.