What ISO 27001 is
ISO 27001 is the international standard for building and maintaining an information security management system, usually shortened to ISMS. That matters because the standard is not a product checklist. It asks whether an organization can define security scope, identify risk, choose controls intentionally, assign ownership, review effectiveness, and improve over time. Auditors look at policies, risk treatment, access governance, supplier management, incident handling, change records, and the evidence trail that proves those practices are alive.
For a tracking vendor, the practical question is not only “is traffic encrypted?” It is also whether event pipelines, destination routing, admin access, retention, and vendor dependencies are governed in a repeatable way. A mature setup turns a messy collection of scripts and credentials into a managed service with defined owners, logged actions, review cycles, and a record of how security decisions were made. That is why ISO 27001 often becomes relevant once tracking moves from a marketing experiment to an enterprise data path.
TrackLayer ISO status
TrackLayer's ISO 27001 program is currently in progress. As of April 24, 2026, the target certification window is Q4 2026. That means customers should treat the program as active but not yet complete. The correct procurement answer today is that TrackLayer is building toward certification and can discuss the controls and operating practices already in place, but should not be presented as already certified.
This distinction matters in security review. Enterprise buyers do not only ask for a future roadmap. They ask what exists now: access controls, logging, incident process, data handling boundaries, vendor governance, and retention behavior. A strong answer is a precise current-state explanation plus a concrete Q4 2026 certification target, not inflated language that creates an avoidable audit problem later.
Controls we help with
TrackLayer is not your whole ISMS, but it can reduce security sprawl inside the tracking layer. The table below shows control areas where customers usually map TrackLayer into their own ISO program.
| Control area | What auditors check | How TrackLayer helps |
|---|---|---|
| A.5 Information security policies | Policies exist, are approved, reviewed, and mapped to real operating practices. | A centralized tracking layer reduces ad hoc scripts and creates one place for governed event handling. |
| A.5 Supplier relationships | Vendors are assessed, contractually governed, and reviewed for risk and dependency. | TrackLayer can narrow the number of direct downstream integrations your team must manage in the browser. |
| A.8 Asset management | Systems, data flows, environments, and owners are identified and kept current. | Event schemas, destinations, and pipeline components are easier to inventory when routing runs through one service. |
| A.8 Access control | Least privilege, role assignment, joiner and leaver handling, and access review evidence. | Role-based access, narrower operational surfaces, and auditability help support access review workflows. |
| A.10 Cryptography | Sensitive data is protected in transit and at rest with defined key and encryption practices. | Encrypted transport, controlled storage, and hashing support for selected identifiers help reduce exposure. |
| A.12 Logging and monitoring | Security-relevant actions are logged, retained, reviewed, and available during investigation. | Delivery logs, admin actions, webhook traces, and event processing history can become usable evidence artifacts. |
| A.17 Information security incident management | Incidents are triaged, escalated, documented, and used to improve controls over time. | A governed event pipeline makes it easier to isolate affected destinations, scope data exposure, and preserve a timeline. |
| A.18 Compliance and records management | Retention, legal requirements, privacy obligations, and audit evidence are documented and followed. | Retention settings, deletion flows, and structured audit history help teams produce cleaner compliance records. |
Evidence artifacts
Auditors trust evidence more than architecture diagrams. When TrackLayer is inside scope, these are the artifacts teams usually want ready before the fieldwork starts.
- Access review exports: a dated record showing who had TrackLayer access, which roles they held, who approved those roles, and what changed since the prior review cycle.
- Destination inventory: a current register of active destinations, event types, owners, purposes, and whether personal data or consent-sensitive signals are involved.
- Audit log samples: examples of admin actions, webhook changes, token rotation, or routing edits that prove privileged operations are traceable.
- Incident records: tickets or postmortems that show how security issues were detected, classified, communicated, and closed with corrective action.
- Retention and deletion evidence: configured retention periods plus completed deletion or export requests demonstrating that data lifecycle controls actually operate.
ISO vs SOC 2
ISO 27001 and SOC 2 often appear in the same vendor review, but they answer different questions. ISO 27001 asks whether security governance is operating as a formal management system. SOC 2 asks whether a defined set of controls was independently described and tested against the Trust Services Criteria. Many enterprise teams want both because one helps with global procurement language while the other fits familiar North American assurance workflows.
| Area | ISO 27001 | SOC 2 |
|---|---|---|
| Primary output | A formal management-system certification issued by an accredited certification body. | An attestation report prepared by a CPA firm against Trust Services Criteria. |
| Core lens | Risk management, policy governance, control operation, and continuous improvement. | Control design and operating effectiveness for a service organization. |
| Global recognition | Common in procurement across Europe and internationally. | Especially common in North American B2B software procurement. |
| Audit rhythm | Initial certification plus recurring surveillance and recertification cycles. | Point-in-time Type I or period-based Type II reports renewed on the audit cadence you choose. |
| Scope style | Built around the declared ISMS scope, risk treatment plan, and Statement of Applicability. | Built around the system description and the auditor's testing of selected criteria. |
| Practical buying signal | Shows that security governance is structured and maintained as a management system. | Shows that a control set was independently tested and described in a report customers can review. |
Customer responsibilities
Even if a vendor has strong controls, the customer still owns the way that service is adopted, reviewed, and connected to real business data. These responsibilities do not disappear during procurement.
- Define your own ISO 27001 scope. If TrackLayer is part of your analytics, marketing, or customer-data boundary, document where it sits and who owns that relationship internally.
- Classify the data you send. TrackLayer can help with handling controls, but your team must still decide which identifiers, events, and destinations are appropriate under your policy and risk appetite.
- Review access and vendor dependencies regularly. Auditors will expect evidence that you approve users, remove stale access, and understand what third parties support the service.
- Retain local evidence. Your certificate depends on your policies, risk register, incident process, training, and change management records, not only on what a vendor can provide.
FAQ
Is TrackLayer ISO 27001 certified today?
Not yet. TrackLayer's ISO 27001 program is in progress as of April 24, 2026, and the target certification window is Q4 2026. Customers should evaluate the currently available controls and assurance materials until certification is complete.
Can we list TrackLayer inside our ISO scope before TrackLayer is certified?
Yes. Your ISO scope reflects the systems and vendors you use, not only vendors that already hold certificates. The key is to document the supplier relationship, risks, contractual controls, and the evidence you rely on.
Does ISO 27001 replace GDPR, PCI DSS, or SOC 2 work?
No. ISO 27001 provides the management system for security governance. Privacy, payment, and assurance obligations still need their own control mapping and evidence, even if some controls overlap.
What do auditors usually ask for from a vendor like TrackLayer?
Usually they want security documentation, architectural scope, access governance details, logging and incident practices, data retention behavior, and confirmation of how the vendor relationship is reviewed by your team.
If TrackLayer gets certified, does that mean our tracking stack is automatically compliant?
No. A vendor certificate helps, but your organization still owns scope, risk assessment, user access, downstream destination choices, data classification, and evidence for how your implementation is operated.