
Koji Compliance

ISO 27001 status

Where Koji stands on ISO/IEC 27001 certification, the controls in place today, and the upstream certifications we inherit from our platforms.

Last updated: May 2026
Applies to: Koji B.V. information security management system
Current status: Koji operates an Information Security Management System aligned with ISO/IEC 27001's clauses and Annex A controls. Formal certification with an accredited body is on the compliance roadmap and typically scoped alongside our SOC 2 Type II engagement. The controls that will be in audit scope are operational today.

What ISO 27001 is

ISO/IEC 27001 is the international standard for information security management systems (ISMS). It specifies the requirements for establishing, implementing, maintaining, and continually improving an ISMS, plus a set of Annex A controls across organizational, people, physical, and technological domains. The 2022 revision of the standard restructured Annex A into ninety-three controls across four themes.

Certification is performed by an accredited third-party certification body and is valid for three years with annual surveillance audits.

Koji's path to formal ISO 27001 certification

ISO 27001 is commonly paired with SOC 2 Type II in enterprise security questionnaires. Koji's path:

  1. Today: Annex A controls operational; internal ISMS documentation maintained; control posture reviewed against the standard on a defined cadence.
  2. Step 1 (scoped alongside SOC 2): Engage an accredited certification body; complete Stage 1 (documentation review) and Stage 2 (implementation audit).
  3. Step 2: Achieve initial certification. Publish certificate scope; report available under NDA.
  4. Ongoing: Annual surveillance audits; three-year recertification cycle.

Target dates will be published on this page once the audit engagement is scheduled. Subscribe to updates at [email protected] with the subject "ISO 27001 update subscription".

Annex A control coverage today

The same controls described in our security overview, technical and organizational measures, and SOC 2 status map to ISO 27001 Annex A. Highlights by theme:

Organizational controls

  • Documented information security policies and procedures
  • Defined information security roles and responsibilities
  • Segregation of duties for production access
  • Supplier and sub-processor risk management
  • Incident management procedures

People controls

  • Background checks where lawful
  • Confidentiality obligations for all personnel
  • Information security awareness training, annually
  • Disciplinary process for policy violations

Physical controls

  • Inherited from upstream cloud providers (AWS, Google Cloud)
  • No Koji-operated data centers
  • Workstation and clear-desk policies for Koji personnel

Technological controls

  • Access control (SAML SSO, MFA, RBAC, least privilege)
  • Cryptography (TLS 1.2+, AES-256)
  • Secure development lifecycle
  • Logging and monitoring
  • Network security (cloud-provider managed)
  • Vulnerability management and patch management
  • Information backup and business continuity
  • Endpoint protection on managed devices

Upstream certifications we inherit

The platforms Koji runs on are independently certified to ISO 27001 and related cloud-specific standards. This does not substitute for our own certification, but it documents the underlying infrastructure layer:

  • AWS (underlying Supabase): ISO 27001, ISO 27017 (cloud-specific), ISO 27018 (cloud-specific privacy), plus SOC 2 Type II, PCI DSS, and many more. aws.amazon.com/compliance/iso-certified
  • Google Cloud (underlying Supabase regional options): ISO 27001, ISO 27017, ISO 27018, SOC 2 Type II, plus comprehensive sector and regional certifications.
  • Vercel (application, edge): SOC 2 Type II; ISO 27001 certification timeline available on Vercel's security page.
  • Supabase (database, authentication): SOC 2 Type II; ISO 27001 in progress.

Related ISO standards Koji aligns with

  • ISO/IEC 27017 — cloud-specific security controls. Aligned via our upstream providers and our own cloud-deployment posture.
  • ISO/IEC 27018 — protection of personal data in public clouds. Aligned via our GDPR program and DPA.
  • ISO/IEC 27701 — privacy information management extension to ISO 27001. Aligned with GDPR and our DPA; formal certification is on the longer-term roadmap.
  • ISO/IEC 42001 — AI management systems. See AI governance for alignment status.

What to do if your procurement requires ISO 27001 today

  • Risk-acceptance with delivery commitment: Add a contractual clause requiring Koji to deliver certification by an agreed date. We sign these for enterprise customers.
  • Substitute with documented control evidence: The combination of our security overview, TOM, pre-filled CAIQ Lite, upstream-provider ISO certificates, and SOC 2 Type II mitigation plan covers the substantive ISO 27001 control requirements.
  • Pilot first, then enterprise contract on certification: Run a scoped pilot under a limited-scope NDA while the audit progresses; full enterprise rollout on certification.

Email [email protected] to discuss which approach fits your procurement process.

Questions about this document? Contact compliance.