ISO 27001:2022 for Virtual Data Room Providers

ISO 27001:2022 is the international standard for information-security management systems (ISMS). It is the de facto baseline that every professional virtual data room provider should hold. The 2022 revision rebuilt Annex A around 93 controls organised into four themes (organisational, people, physical, technological).

For European VDR procurement: a current ISO 27001:2022 certificate from an accredited certification body is the minimum entry ticket. It is not, by itself, sufficient — combine with sector-specific frameworks (BSI C5, SOC 2, ISO 27018, ISO 27701) where required.

Last updated: May 2026.

What ISO 27001 Actually Tests

ISO 27001 certifies that the provider has built and operated an ISMS — a management system, not a single product feature. The certificate confirms that risk management, control selection, monitoring, and continual improvement are running.

Annex A — 93 Controls in Four Themes

  • Organisational (37 controls) — policies, roles, supplier relationships, threat intelligence, cloud-services management.
  • People (8 controls) — screening, terms of employment, awareness training, disciplinary process, post-employment responsibilities.
  • Physical (14 controls) — security perimeters, equipment, secure disposal, clear desk.
  • Technological (34 controls) — access control, cryptography, secure development, vulnerability management, network security, monitoring.

What to Verify in a Vendor's Certificate

  1. Certificate is current — typically valid for three years with annual surveillance audits.
  2. Issuing body is accredited (UKAS, DAkkS, ENAC, etc.).
  3. Scope statement matches the VDR service (not just "corporate IT").
  4. Statement of applicability documents which Annex A controls are implemented.
  5. Sub-processors are within scope where they handle controlled data.

ISO 27001 vs Other Frameworks

  • ISO 27001 vs ISO 27018. 27001 is the ISMS baseline; 27018 adds public-cloud PII processor controls.
  • ISO 27001 vs SOC 2. ISO 27001 certifies the management process; SOC 2 reports on how controls actually operated over a defined review period.
  • ISO 27001 vs BSI C5. C5 is the German cloud-specific catalogue; demanded by German regulated industries.
  • ISO 27001 vs ISO 27701. 27701 extends 27001 with PIMS (Privacy Information Management System) controls aligned to GDPR.

Frequently Asked Questions

Is ISO 27001 enough on its own?

For non-regulated mid-market deals, often yes. For BaFin / FINMA / FCA-regulated counterparties, layer with BSI C5 or SOC 2.

How do I verify a certificate is real?

Check the issuing body's certificate registry. UKAS, DAkkS, and many other accreditation bodies publish lookup tools.

Does Papermark hold ISO 27001?

Papermark holds SOC 2 + GDPR alignment and operates ISO 27001-aligned controls; the formal ISO 27001 certificate roadmap is published on Papermark's security page.