ISO Cybersecurity
ISO internal audit, ISO 27001, ISO 27017, ISO 27018
These standards are designed to help organizations protect themselves against cyber attacks and manage the risks associated with their use of technology.

ISO Internal Audit
The Kobalt.io team will gather and review your ISO compliance documentation to assess your compliance posture against the ISO standard. We will review your ISO controls as documented in Vanta and provide specific, targeted recommendations on key gaps. At the end of the engagement, you will receive an ISO audit report that serves as an artifact for external auditors, a necessary step toward certification.
Deliverables
A written report in the form of a spreadsheet for auditor use
An Optional Executive Review Call to address any questions you may have
Recommendations for remediation efforts that can be supported by our team
The Standards
ISO/IEC 27001 is an information security standard created by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It provides a framework and requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS).
14 Domains (Annex A of ISO/IEC 27001:2013):
A.5 Information security policies
A.6 Organization of information security
A.7 Human resource security
A.8 Asset management
A.9 Access control
A.10 Cryptography
A.11 Physical and environmental security
A.12 Operations security
A.13 Communications security
A.14 System acquisition, development and maintenance
A.15 Supplier relationships
A.16 Information security incident management
A.17 Information security aspects of business continuity management
A.18 Compliance
ISO/IEC 27017:2015 provides guidance on the information security aspects of cloud computing. It recommends and assists with the implementation of cloud-specific information security controls, supplementing the guidance in ISO/IEC 27002:2013 and other ISO27k standards.
Highlights of the ISO 27017 control list:
- Shared roles and responsibilities within a cloud computing environment
- Removal of cloud service customer assets
- Segregation in virtual computing environments
- Virtual machine hardening
- Administrator’s operational security
- Monitoring of cloud services
- Alignment of security management for virtual and physical networks
ISO/IEC 27018:2019 is a code of practice that focuses on the protection of personal data in the cloud. It is based on the ISO/IEC 27002 information security standard and provides implementation guidance on the ISO/IEC 27002 controls that apply to public cloud providers processing Personally Identifiable Information (PII).
Additional requirements on 15 controls across the following domains:
- Domain 5: Information Security Policies
- Domain 6: Information Security Organization
- Domain 7: Human Resources Security
- Domain 9: Access Control
- Domain 10: Cryptography
- Domain 11: Physical and environmental security
- Domain 12: Operations security
- Domain 13: Communications security
- Domain 16: Incident Management
- Domain 18: Compliance
We Make Achieving ISO Easy

Kobalt.io and Vanta work together to provide our clients with value beyond compliance. With Kobalt.io cybersecurity, compliance and data privacy expertise, combined with Vanta’s best-in-class technology, our clients can quickly achieve their security compliance goals, proving trust and driving growth.
About Vanta
Vanta is the leading trust management platform that helps simplify and centralize security for organizations of all sizes. Over 4,000 companies rely on Vanta to build, maintain and demonstrate their trust—all in a way that’s real-time and transparent. Founded in 2018, Vanta is headquartered in San Francisco with offices in Dublin, New York and Sydney. For more information, visit www.vanta.com
We’re thrilled to partner with Kobalt.io and to continue building upon our partnership by continuously delivering best-of-breed compliance and security solutions to customers globally. The Kobalt.io team has true thought leadership and expertise in the cybersecurity space and in delivering high-value solutions to their customers and our customers. Putting customers first and securing the internet is at the heart of what we do at Vanta. Together, the Vanta and Kobalt.io partnership is deeply important for better security practices in organizations, and we are excited for what’s next!
Elliot Goldwater, VP of Partnerships, Vanta
Track compliance in one place
Showcase your commitment to security and privacy
Guidance and expertise every step of the way
Benefits
Control of IT Risks
Reduce Security Breaches
Information Confidentiality
Competitive Edge
Build Trust in Partners & Customers
Systematic Vulnerability Detection
Lower Costs
Structured Approach
Fulfil an International Standard
"The Kobalt.io team is such a good team to work with. It didn't take long to recognize that they are extremely knowledgeable about the requirements of an ISO audit. We were very happy with the detailed report, and informative sessions we received."
– Nathan Taylor, Chief Operating Officer at Partly
ISO Audit Process
Complete Agreement
Sign off on the proposal and complete payment
Provide Auditor Access to Kobalt.io team
Grant access to Kobalt.io team within Vanta, and Kobalt.io team gathers and reviews ISO compliance documentation
Report
Kobalt.io delivers a spreadsheet report for the auditor, provides specific, targeted recommendations, and addresses the client’s requests for guidance on specific areas
Executive Review
Review results, answer questions and identify future advisory and/or service engagement options
Remediation
Available as further service option
Why work with Kobalt.io?

- Extensive experience with the ISO standard and with helping clients to successful audit completion
- Experts with the Vanta platform
- Background supporting hundreds of high-tech companies globally
- Ongoing advisory and compliance support available post-engagement if desired
Chat with us now
Frequently asked questions
Cybersecurity is a very broad domain, and ISO 27001 is usually referred to as an information security standard, which is very hard to separate from cybersecurity.
Currently there is no single public register that lists all certified companies, but companies who have achieved ISO 27001 certification will be issued a certificate by their certification body.
- Confidentiality: Only authorized persons have the right to access information.
- Integrity: Only authorized persons can change the information.
- Availability: The information must be accessible to authorized persons whenever it is needed.
Organizational controls are implemented by defining the rules to be followed, as well as the expected behavior of users, equipment, software, and systems. E.g., Access Control Policy, BYOD Policy, etc.
People controls are implemented by providing knowledge, education, skills, or experience to people so that they can perform their activities in a secure way. E.g., ISO 27001 awareness training, ISO 27001 internal auditor training, etc.
Physical controls are primarily implemented using equipment or devices that physically interact with people and objects. E.g., CCTV cameras, alarm systems, locks, etc.
Technological controls are primarily implemented in information systems, using software, hardware, and firmware components added to the system. E.g., backups, antivirus software, etc.
Some countries have published regulations that require certain industries to implement ISO 27001. If you want to know if it is mandatory for your business, book a time and check with us.
ISO 27017 is not a regulatory framework, so no one is legally compelled to follow it. However, it is a highly regarded standard for cloud service providers. If you offer any service or product that is hosted in the cloud, being ISO 27017 compliant will give your customers peace of mind.
ISO 27017 and ISO 27018 are related standards within the ISO 27000 family, but they have different scopes. ISO 27017 is a general standard for cloud security. ISO 27018, on the other hand, specifically focuses on protecting personally identifiable information (PII) in public cloud environments, and builds on the privacy principles of ISO/IEC 29100, including:
- Consent and choice
- Purpose legitimacy and specification
- Data minimisation
- Use, retention and disclosure limitation
- Openness, transparency and notice
- Accountability
- Information security
- Privacy compliance
- Privacy compliance