ISO 27001

ISO 27001 is the international standard for Information Security Management Systems. Certification requires a formal risk assessment, a documented management system, a defined set of implemented controls, and an audit by an accredited third-party registrar. It is renewed through annual surveillance and full recertification every three years.

The standard

What ISO 27001 certification means

ISO/IEC 27001 is published jointly by the International Organization for Standardization and the International Electrotechnical Commission. It specifies the requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System within the context of the organization. The 2022 revision (ISO/IEC 27001:2022) is the current edition. Zeal is certified against ISO/IEC 27001:2022.

Certification is not self-declared. It requires an independent audit by an accredited certification body -- a registrar that has itself been accredited by a national accreditation body such as UKAS (UK), DAkkS (Germany), or ANAB (USA). The audit proceeds in two stages: a Stage 1 documentation review followed by a Stage 2 on-site assessment of control implementation and effectiveness. Only after both stages are satisfactorily completed does the registrar issue a certificate.

Certification covers a defined scope. Zeal's certificate scope includes the production infrastructure, the software development environment, corporate IT systems, and the organizational processes that support information security across all of these environments.

Structure

Information Security Management System

ISO 27001 certification requires more than a set of implemented security controls. It requires a management system: a structured, documented, and auditable framework that governs how information security is managed as an ongoing organizational function.

Risk assessment and treatment

Zeal conducts a formal information security risk assessment on an annual basis and when significant changes occur to the environment or threat landscape. The risk assessment identifies information assets, evaluates threats and vulnerabilities, estimates likelihood and impact, and calculates a risk rating. Each identified risk is assigned a treatment: accept, mitigate, transfer, or avoid. Mitigation treatments are tracked to completion with defined owners and timelines. The risk register is a living document reviewed by senior leadership quarterly.

Information security policy and objectives

The ISMS is governed by an Information Security Policy approved by senior leadership and reviewed annually. Supporting policies cover access control, cryptography, physical and environmental security, supplier relationships, incident management, business continuity, and compliance. Measurable information security objectives are set annually, tracked against defined metrics, and reported to leadership as part of the management review.

Annex A controls

ISO 27001:2022 Annex A defines 93 controls across four domains: Organizational, People, Physical, and Technological. For each control, Zeal documents whether it is applicable to the scope of the ISMS and, if applicable, how it is implemented. The Statement of Applicability (SoA) is the formal record of these decisions and is available to enterprise customers and prospects upon request under NDA.

Internal audit

Zeal conducts internal ISMS audits on a planned schedule. Internal audits are performed by personnel independent of the areas being audited and use defined audit criteria, scope, and methods. Audit findings are documented, reported to management, and tracked to closure. Internal audit results are an input to the management review process.

Management review

Senior leadership conducts a formal management review of the ISMS at least annually. The review evaluates the results of internal audits, corrective actions, risk treatment progress, performance against objectives, changes to internal and external context, and opportunities for improvement. Outputs of the management review include decisions on ISMS changes and resource allocation for improvement initiatives.

Corrective action and continual improvement

When a nonconformity is identified -- through an audit, incident, management review, or other source -- Zeal follows a defined corrective action process: identifying the root cause, determining and implementing corrective action, and verifying the effectiveness of the action taken. The ISMS is designed for continual improvement, not static compliance. Each management review cycle identifies at least one documented improvement initiative for the next period.

Ongoing assurance

Annual surveillance audits and recertification

An ISO 27001 certificate is valid for three years but is not a one-time event. Maintaining certification requires passing an annual surveillance audit in years one and two after initial certification. The surveillance audit verifies that the ISMS continues to operate effectively, that nonconformities identified in previous audits have been corrected, and that the ISMS remains aligned with the certified scope. A full recertification audit is conducted in year three.

Surveillance audits are conducted by the same accredited registrar that performed the initial certification audit. The registrar may conduct unannounced audits if required by the accreditation body. If a significant change to the ISMS scope occurs between scheduled audits -- such as the addition of a new product line or a material change to infrastructure -- Zeal notifies the registrar and schedules a scope extension audit as required.

Three-year certification cycle

Year 0Stage 1 documentation review and Stage 2 on-site certification audit. Certificate issued upon successful completion.
Year 1Surveillance audit 1. Verifies continued ISMS operation and closure of any prior findings.
Year 2Surveillance audit 2. Additional verification of continual improvement activities.
Year 3Full recertification audit. Complete re-examination of the ISMS against ISO 27001:2022 requirements.

Verification

How to verify Zeal's ISO 27001 certification

ISO 27001 certificates can be verified independently through the certifying registrar's public certificate registry. Accredited registrars maintain searchable databases of current certificates, allowing any party to confirm certificate validity, scope, and expiry date without relying on documentation provided by the certified organization.

Zeal's certificate details -- including the registrar name, certificate number, scope statement, and expiry date -- are provided in Zeal's security documentation package available to enterprise customers. To obtain a copy of the certificate directly, or to confirm registrar identity for verification purposes, contact security@zeal.us.

Zeal can also provide a copy of the Statement of Applicability (SoA) under NDA. The SoA documents every Annex A control, whether it is applicable to Zeal's ISMS scope, and the justification for any controls deemed not applicable. It is a more granular reference than the certificate itself and is commonly requested during vendor due diligence by security teams evaluating enterprise software.

Request certificate documentationBack to security overview