ISO/IEC 27000 Certification

International Organization for Standardization

Smartsheet achieved certifications for internationally recognized information security and data privacy standards, developed by the International Organization for Standardization (ISO):

ISO/IEC 27001:2013 - Information Security Management
ISO/IEC 27017:2015 - Code of practice for information security controls based on ISO/IEC 27002 for cloud services
ISO/IEC 27018:2019 - Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
ISO/IEC 27701:2019 - Privacy Information Management

These certification audits were performed by an accredited third-party auditor and reviewed by a certification body. These certifications demonstrate Smartsheet’s compliance to industry-leading security and privacy best practices and commitment to providing customers with the best enterprise-grade security and privacy features. Conformance to these standards is evidence that Smartsheet has done the following:

Established and continually improves the Information Security Management System (ISMS) as per the requirements of the ISO 27001:2013 standard
Implemented information security controls and systematically evaluates and treats information security risks
Secures and protects Personally Identifiable Information (PII) in our cloud environment
Built a strong privacy program by establishing and maintaining a Privacy Information Management System (PIMS) by implementing data privacy specific requirements and controls in accordance with the requirements of both ISO 27018:2019 and ISO 27701:2019 standards

Questions about ISO/IEC Certifications

ISO/IEC 27001:2013 from the International Organization for Standardization focuses on information security and aligns with the guidance provided in ISO/IEC 27002 for implementing security controls. It outlines requirements for establishing, implementing, maintaining, and continually improving an ISMS. The ISMS protects the confidentiality, integrity, and availability of information in an organization by applying a risk management process.

ISO/IEC 27017:2015 gives guidelines for information security controls applicable to the provision and use of cloud services by providing:

- additional implementation guidance for relevant controls specified in ISO/IEC 27002;

- additional controls with implementation guidance that specifically relate to cloud services.

This Recommendation | International Standard provides controls and implementation guidance for both cloud service providers and cloud service customers.

ISO/IEC 27018:2019 establishes commonly accepted control objectives, controls, and guidelines for implementing measures to protect PII in line with the privacy principles in ISO/IEC 29100 for the public cloud computing environment. This international standard leverages ISO/IEC 27001:2013 as guidance for implementing PII protection controls for organizations acting as public cloud PII processors and expands on the ISO/IEC 27002 controls to address public cloud PII protection requirements.

ISO/IEC 27701:2019 is an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management and provides guidance for establishing, implementing, maintaining, and continually improving a PIMS. This data privacy standard provides guidance for PII controllers and PII processors that are responsible and accountable for PII processing. The requirements of this standard can be mapped to and help comply with data privacy laws and regulations like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA)

Click on the links below to obtain a copy of Smartsheet's ISO/IEC Certifications: