SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers

Umbraco secures ISO 27001 certification for CMS arm

Wed, 28th Jan 2026

Umbraco has gained ISO/IEC 27001:2022 certification for its product organisation, marking a new security accreditation milestone for the open-source .NET content management system supplier.

The certification follows a third-party audit of Umbraco's people, processes and technologies by an independent security specialist. The scope of the audit covered the product organisation rather than the wider business.

The ISO 27001 standard assesses an organisation's information security management system against an internationally recognised framework. It focuses on the management of security risk and the consistency of documented practices.

Umbraco said the standard provides a framework for identifying and managing security risks, ensuring consistent and documented security practices, creating accountability and transparency across teams, and continuously reviewing and updating security as products and organisations evolve.

Security assurance

Umbraco's CEO, Mats Persson, linked the certification to deployments among larger firms and regulated sectors. He described ISO 27001 as a marker of controls around how its products handle sensitive data.

"We already implement robust information security processes to comply with the NIS2 Directive and EU Cyber Resilience Act. ISO 27001 certification provides our global partners and customers with the reassurance that Umbraco follows international best practices governing the way that our products process, store, and protect sensitive data," said Mats Persson, CEO, Umbraco.

Umbraco also presented the certification as an external validation of internal governance practices around product development and maintenance.

"Gaining the ISO 27001 certification shows that independent auditors have scrutinised the processes used to develop, operate, and maintain Umbraco products, and confirmed that the company reviews and manages security risks on an ongoing basis. This is a milestone on a continuous security journey," said Persson.

Partner focus

Umbraco positions its partner ecosystem of digital agencies as a route to market for multinational customers. The company framed the new accreditation as relevant for work on digital experiences that sit within international information security frameworks.

ISO 27001 certifications have become more common among software suppliers that sell into regulated industries. Buyers often use such certifications as part of vendor assessment processes, particularly when a product touches customer data and business-critical content.

For content management systems, security considerations can span editorial workflows, integrations with third-party applications and hosting arrangements. Umbraco said its CMS integrates with third-party applications and that it offers Umbraco Cloud with regional hosting.

Company background

Umbraco was founded in 2003. It describes itself as the most widely used open-source content management system built on Microsoft .NET.

The company is headquartered in Odense, Denmark. It has offices in the US, the UK and Australia, and it employs more than 150 people.

Umbraco also points to a community of more than 250,000 developers and users. The company said it has a global partner network of digital agencies.

Umbraco's ISO/IEC 27001:2022 certification applies to its product organisation and follows an extensive audit process, with Persson characterising it as "a milestone on a continuous security journey."