International Organization for Standardization
Smartsheet has achieved certification against internationally recognized information security and data privacy standards, developed jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC):
- ISO/IEC 27001:2013 - Information Security Management
- ISO/IEC 27017:2015 - Code of practice for information security controls based on ISO/IEC 27002 for cloud services
- ISO/IEC 27018:2019 - Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
- ISO/IEC 27701:2019 - Privacy Information Management
These certification audits were performed by an accredited third-party auditor and reviewed by a certification body. The certifications demonstrate Smartsheet's compliance with industry-leading security and privacy practices and its commitment to providing customers with enterprise-grade security and privacy features. Conformance to these standards is evidence that Smartsheet has done the following:
- Established, and continually improves, an Information Security Management System (ISMS) that meets the requirements of ISO/IEC 27001:2013
- Implemented information security controls and systematically evaluates and treats information security risks
- Secures and protects Personally Identifiable Information (PII) in our cloud environment
- Built a strong privacy program by establishing and maintaining a Privacy Information Management System (PIMS) that implements the data-privacy-specific requirements and controls of both ISO/IEC 27018:2019 and ISO/IEC 27701:2019
Questions about ISO/IEC Certifications
What is ISO/IEC 27001:2013?
ISO/IEC 27001:2013 from the International Organization for Standardization focuses on information security and aligns with the guidance provided in ISO/IEC 27002 for implementing security controls. It outlines requirements for establishing, implementing, maintaining, and continually improving an ISMS. The ISMS protects the confidentiality, integrity, and availability of information in an organization by applying a risk management process.
What is ISO/IEC 27017:2015?
ISO/IEC 27017:2015 gives guidelines for information security controls applicable to the provision and use of cloud services by providing:
- additional implementation guidance for relevant controls specified in ISO/IEC 27002;
- additional controls with implementation guidance that specifically relate to cloud services.
The standard provides controls and implementation guidance for both cloud service providers and cloud service customers, and distinguishes the responsibilities of each.
What is ISO/IEC 27018:2019?
ISO/IEC 27018:2019 establishes commonly accepted control objectives, controls, and guidelines for implementing measures to protect PII in line with the privacy principles in ISO/IEC 29100 for the public cloud computing environment. The standard builds on the ISO/IEC 27002 control set and extends it with additional controls and guidance that address public cloud PII protection requirements for organizations acting as public cloud PII processors; it is typically certified as an extension of an ISO/IEC 27001 ISMS.
What is ISO/IEC 27701:2019?
ISO/IEC 27701:2019 is an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management and provides requirements and guidance for establishing, implementing, maintaining, and continually improving a PIMS. This data privacy standard addresses both PII controllers and PII processors, which are responsible and accountable for PII processing. Its requirements can be mapped to data privacy laws and regulations such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), which helps an organization demonstrate compliance with them.
How can I get copies of the ISO Certifications?
Click on the links below to obtain a copy of Smartsheet's ISO/IEC Certifications:
- ISO/IEC 27001:2013 - Information Security Management
- ISO/IEC 27017:2015 - Code of practice for information security controls based on ISO/IEC 27002 for cloud services
- ISO/IEC 27018:2019 - Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
- ISO/IEC 27701:2019 - Privacy Information Management
If you have additional questions not answered above, please complete this form and a Smartsheet Security Engineer will reach out to you.