Kinsta has always worked to safeguard the security of our hosting platform and our customers’ websites. Whether it’s protecting account information, providing tools to prevent external DDoS attacks, detecting and cleaning up malware, or alerting website owners to vulnerabilities in WordPress plugins, information security is one of our strengths.

But hosting companies can easily make that claim. Proving it is a challenge.

The best way to prove such claims is to develop information security practices and policies that meet widely recognized standards and then have compliance with those standards confirmed by independent experts.

That’s how Kinsta first earned compliance in 2023 with System and Organization Controls 2 (SOC 2) trust services criteria developed by the Association of International Certified Professional Accountants (AICPA).

Then, in August 2024, after completing a full year of SOC 2 monitoring, we received certification for data security and privacy controls specified by the International Standards Organization (ISO) and the International Electrotechnical Commission (IEC).

This article looks at Kinsta’s ISO/IEC certification under the standard ISO 27001 and two of its extensions, ISO 27017 and ISO 27018.

What is ISO 27001?

Erik Van Dijk, Kinsta’s Head of IT, led the ISO 27001 certification effort and said the framework is “the gold standard” in security compliance.

ISO 27001 specifies the controls required to safeguard the confidentiality, integrity, and availability of information in an organization. Here’s what that means:

  • Confidentiality — Ensure that only authorized persons can access information.
  • Integrity — Ensure that only authorized persons can change information.
  • Availability — Ensure that information is accessible to authorized persons when needed.

Van Dijk said ISO 27001 defines the requirements for the various components of an Information Security Management System (ISMS). But that system is not just hardware and software. In addition to such technological controls, the ISMS includes organizational, people-related, and physical controls:

  • Organizational controls — Defining rules to be followed and the behavior expected from users, equipment, software, and systems.
  • People-related controls — Providing knowledge, education, skills, or experience to people in the organization so that they can perform their jobs securely.
  • Physical controls — Features such as access cards for data centers, surveillance cameras, and intrusion detection sensors.

What are ISO 27017 and 27018?

Van Dijk said ISO 27017 and 27018 are certifiable extensions to ISO 27001 and are particularly relevant to Kinsta since they both apply to cloud computing environments.

ISO 27017 prescribes security controls and implementation guidance for cloud computing environments. These controls apply to tasks such as:

  • Handling of customer assets after contract termination.
  • Separation of customer virtual environments.
  • Customer monitoring of activity in a cloud computing environment.

ISO 27018 focuses on protecting personally identifiable information in cloud environments. These controls address issues such as:

  • Transparency in reporting the geographic location of customer data stores.
  • Restrictions on using customer data without consent.
  • Secure methods for returning, transferring, and securely disposing of personal information.

Kinsta’s ISO certification timeline

The year since achieving SOC 2 compliance has been busy for the security compliance team, particularly for Van Dijk, who was simultaneously studying for and earning his Certified Information Systems Security Professional (CISSP) designation.

The initial SOC 2 designation in 2023 followed a three-month audit period and applied to the fundamental Security trust service. That project transformed into continuous monitoring with annual reporting and expanded to incorporate SOC 2’s Availability and Confidentiality criteria.

Meanwhile, our work on ISO 27001 was already underway. Van Dijk said his extensive research on ISO 27001 requirements began around November 2023.

“ISO 27001 is very documentation and process-heavy,” he said. “It still contains a number of technical controls, but the entire premise of the framework is to implement an information security management system and its associated policies and procedures.”

Van Dijk said a gap analysis suggested that the SOC 2 project had already delivered about 40% of the work to be done for the ISO certifications. So, when a cross-company team came together in December 2023, it was able to quickly begin uploading status information to Vanta, the platform chosen to assist with evidence collection.

The team created 13 new ISMS policies and refined some existing policies developed for SOC 2. By March 2024, the team called on the cloud security company Rhymetec for an internal audit that helped determine what work was still required.

Later, BARR Advisory provided the independent audit verifying Kinsta’s eligibility for the ISO certifications.

“We consistently received praise from our auditors on how organized and prepared we were,” Van Dijk said.

The benefits of ISO 27001 certification

Kinsta’s ISO 27001 certification (and SOC 2 compliance) highlights our commitment to information security. We’ll continue to earn customer trust as we undergo regular audits to confirm ongoing compliance and effectiveness of our ISMS and maintain our certification status.

Many prospective customers tell us their hosting provider must be ISO 27001 certified. We are proud to be able to fulfill this need and welcome them to Kinsta.

Our ISO certifications show we have the security posture to shield customer assets and mitigate risk using best practices.

Summary

Kinsta has a strong history of protecting customer data. The new ISO certifications confirm and expand on the safeguards validated by our work to become SOC 2 compliant.

We’re dedicated to protecting customer websites. Our ISO-certified information security procedures reflect our investment in earning customer trust.

Visit Kinsta’s Trust Center for information on the company’s ongoing compliance efforts.

Are you not already a customer? Get started right — safe and sound — by choosing our secure infrastructure. Find the best web hosting solution for your business now!

Steve Bonisteel Kinsta

Steve Bonisteel is a Technical Editor at Kinsta who began his writing career as a print journalist, chasing ambulances and fire trucks. He has been covering Internet-related technology since the late 1990s.