May 19, 2026
Tom Runzo, CEO
Chris Kroll, Director of Information Security

IR Websites: High-stakes security targets

Unlike typical marketing or brochure websites, Investor Relations websites, together with the CMS and infrastructure that support them and store MNPI, PII, earnings materials, and contact details, are not just prime security targets but high-risk ones. If compromised, there may be market-moving impacts and regulatory exposure. A bad actor stealing data, disrupting an earnings event, or even causing a dropped earnings call can have major consequences, including regulatory, privacy, legal, and reputational damage, making IR website vendor security a business-critical mandate for IR leaders.

Tightening regulations and SEC cybersecurity rules

On top of these risks, recent SEC cybersecurity rules elevate security to the board level and into core disclosure documents.

They require:

  • Timely Form 8‑K filings for material cybersecurity incidents
  • Annual 10‑K disclosures describing how the company assesses and manages cybersecurity risk

Being able to state that your policy is to use ISO 27001‑ and ISO 27018‑certified vendors “whenever possible” is a concrete, defensible risk‑reduction measure to describe in those disclosures.

Conversely, working with vendors that handle sensitive data without ISO certification makes it much harder to justify that exposure to regulators, investors, or plaintiffs’ attorneys.

How ISO 27001 and 27018 decrease risk

As these cybersecurity risks increase and regulations tighten, the question for IR leaders is no longer “Does our vendor say they take security seriously?” but “Who has independently verified that they do?” That is where ISO security and privacy certifications, specifically ISO 27001 and ISO 27018, become a strategic differentiator in vendor selection.

ISO 27001 is a recognized framework for managing information security, and ISO 27018 adds cloud-specific privacy controls for protecting personal data. Together, they signal that a vendor has formalized security and privacy practices, rather than relying on ad hoc safeguards.

Though no certification can eliminate risk entirely, maintaining both ISO 27001 and ISO 27018 certifications may reduce the likelihood of a significant data breach within the certified control environment. Over the five-year period we reviewed, we could identify only one example of a breach at an organization holding both certifications, which suggests that requiring these standards strengthens risk management when evaluating third-party partners.

Given the FBI’s Internet Crime Complaint Center 2025 Annual Report, which documented 1,008,597 U.S. cybercrime complaints last year, and the Identity Theft Resource Center’s 2025 Data Breach Report, which recorded more than 3,300 compromises last year, the scarcity of reported incidents among dual-certified organizations is notable.

Audit versus certification: why the distinction matters

Many vendors point to a SOC 2 report as evidence of security. A SOC 2 audit has value, but it is important to understand its limitations:

  • The scope of the audit is defined by the company being audited, not by the auditor.
  • SOC 2 has become a commodity; it is increasingly common to see reports with no findings at all.
  • Exceptions, exclusions, and qualified opinions can carve out precisely the areas you most care about (for example, MNPI handling) unless you read the report end‑to‑end.

By contrast, ISO certifications are not simple attestations of what a vendor chose to present. They are independent certifications against a globally recognized standard, issued by specialized bodies whose own license and reputation depend on getting it right.

Why ISO 27001 and ISO 27018 are so hard to earn

ISO 27001 certification covers an organization’s Information Security Management System (ISMS) and validates that the ISMS systematically manages risks to the confidentiality, integrity, and availability of information through defined controls, processes, and continuous improvement.

ISO 27018 is a complementary, privacy-specific extension that focuses on protecting personally identifiable information (PII) in public cloud environments. It confirms that a cloud service provider follows internationally recognized controls for handling, processing, and securing customer PII. In both cases, the certifying body is required to challenge the scope, test control effectiveness, and refuse certification if the organization does not meet the standard.

Earning and maintaining ISO security and privacy certifications is neither quick nor cheap. It typically requires:

  • Dedicated, full‑time security and compliance leadership, not a side project.
  • A multi‑year implementation effort to design, document, and operationalize controls across technology, process, and people.
  • Ongoing annual audits and surveillance assessments, along with continuous improvement of systems and procedures.
  • Investments in infrastructure, tooling, and training to bring the entire environment up to standard.

For many vendors, the primary reasons they do not hold ISO 27001 and 27018 boil down to two possibilities:

  • They cannot achieve certification because their controls, culture, or architecture are not mature enough.
  • They will not invest the time and money required to reach and maintain that standard.

Both are problematic signals when you are trusting that vendor with PII, MNPI, and mission‑critical disclosure workflows.

Beware of “we operate under the ISO framework”

One of the most concerning trends in vendor marketing is the claim that a company “operates within the framework” of ISO 27001 without actually being certified. On its face, that statement is meaningless:

  • Anyone can map their existing controls to ISO language and say they follow the framework.
  • Without certification, no independent party has tested whether those controls actually work in practice.

In reality, when a financially capable vendor says they follow the framework but have not obtained certification, it often means exactly what you fear: they either tried and failed or they have chosen not to subject themselves to external scrutiny.

As a buyer, you should treat “we operate under the ISO framework” as a warning, not reassurance.

ISO as a fast‑track for third‑party risk reviews

From a third‑party risk management perspective, ISO certification can dramatically streamline evaluation. If a vendor is currently certified to ISO 27001 and ISO 27018, you gain immediate, independent assurance that:

  • A comprehensive information security management system is in place and operating.
  • Controls around confidentiality, integrity, availability, and privacy have been tested by an accredited certifier.
  • Scope is not arbitrarily constrained; certifiers can and do push to include relevant systems when the initial scope is too narrow.

In some recent audits, for example, ISO auditors required the scope to be expanded to include additional physical or operational components once they understood how the company actually worked. That kind of pushback is fundamentally different from a SOC 2 engagement, where the auditor accepts whatever scope the client defines.

While some risk teams will still send long questionnaires out of habit, ISO 27001 and 27018 should, in principle, allow you to shorten assessments and focus your questions on how the certified controls intersect with your own environment.

How to use ISO in vendor selection

When you evaluate IR website vendors (or any vendor touching sensitive data), ISO should move from a footnote to a top‑tier decision criterion.

A practical approach:

  • Start with certifications: Ask directly which ISO certifications the vendor currently holds and request the certificates.
  • Confirm scope: Understand what systems and services are in scope for each certification and how that aligns with the services you will use.
  • Look beyond SOC 2: Treat SOC 2 as supporting documentation, not a substitute for ISO 27001 or 27018.
  • Be wary of “framework only”: Treat “we follow the ISO framework” without certification as a red flag.