FrancodesystemsFran<code>systems
12 July 2026 · 11 min read · By Juan Cantón Rodríguez

ISO 27001 and integrations: the controls that actually matter when you connect systems

Integrating two systems means taking data out of its home and moving it across the network. ISO 27001:2022 is the international framework for doing that responsibly. These are the Annex A controls that apply to any integration (API keys, webhooks, logs, suppliers, AI agents) and what we actually do for each one.

ISO/IEC 27001 on one card
Current versionISO/IEC 27001:2022
What it certifiesAn ISMS (Information Security Management System)
Annex A controls93, across 4 themes: organisational, people, physical, technological
Key documentStatement of Applicability (SoA)
Certification cycleInitial audit (Stage 1 + 2) · annual surveillance · recertification every 3 years
2013 → 2022 transitionPeriod closed on 31 October 2025

Integrating means moving data out of its home

When you connect your ecommerce to your ERP, your CRM to your invoicing, or your ERP to an AI agent, one thing happens that is easy to overlook: data leaves the system where it lived protected and travels across the network to another system. Names, tax IDs, amounts, addresses, emails. That journey is where a careless integration turns into a security problem.

ISO 27001 is the international reference framework for managing information security, and it is not exclusive to large enterprises or to any one country: it is the standard many companies worldwide require from their suppliers. You do not need to be certified to apply what matters. These are the Annex A controls that land squarely on any integration project, what they mean when you move data between systems, and what we do for each one.

A.8.24

Use of cryptography

Every time data travels from one system to another, it travels across a network you do not control. In the clear, anyone on the path can read it.

What we do

TLS 1.2+ end to end on every call, no exceptions and no plain HTTP between services. Any intermediate copy (queues, staging, cache) is encrypted at rest.

A.5.17

Authentication information

An integration authenticates with an API key or a token. That credential is the key to the house: whoever holds it, gets in.

What we do

Keys live in a secret manager, never in code or in the browser. Rotation on a schedule and on any suspicion of a leak. One credential per integration, revocable in isolation.

A.5.15 · A.5.16

Access control and identity management

The temptation is to use the admin key because it works with everything. If that key leaks, the whole ERP leaks with it.

What we do

Real least privilege: each flow gets a credential scoped to what it needs (read-only if it only reads, only the resources it touches). Scope is a deliberate decision, not a default.

A.5.14

Information transfer

A careless integration drags a system's full record into another one just in case. Every extra field is one more surface of risk.

What we do

Data minimisation: only the fields the destination genuinely needs travel. Data flows are documented (what leaves, where to, on what legal basis).

A.8.15 · A.8.16

Logging and monitoring

Without traces an integration is a black box: you cannot tell if an invoice was duplicated, if a webhook failed silently, or if someone is probing your credentials.

What we do

Every sync leaves a queryable, tamper-evident record. Alerts on anomalies: spikes in authentication failures, stuck queues, retries that never resolve.

A.5.19 · A.5.21

Suppliers and ICT supply chain

By connecting your systems, we become a supplier that touches your data. And there is more behind us: the hosting, n8n Cloud, the payment gateway. All of them are in scope.

What we do

A written contract and data processing agreement (DPA). Review of the sub-processors involved in the flow and of where the data is hosted (inside or outside the EEA).

A.8.12 · A.5.34

Data leakage prevention and PII protection

The place personal data leaks most often by accident is not the database: it is the logs. A full payload dumped into a log exposes tax IDs, emails and addresses.

What we do

The full payload with personal data is never dumped. We log just enough to debug, with sensitive fields masked. All of it aligned with what the GDPR requires.

A.8.10 · A.8.11

Information deletion and data masking

Integrations leave copies along the way: queues, test environments, backups. Real customer data living in places nobody looks at again.

What we do

Retention defined per flow and real deletion when due. Outside production we work with masked or synthetic data, never the live customer base.

Being certified and being compliant are not the same

It helps to separate two things that get confused. Getting ISO 27001 certified is a formal process: you build a management system, document it, and an accredited body audits you and grants the badge. Applying the controls is what actually protects the data, and you can (and should) do it even if you are not chasing certification. For a micro business the badge does not always pay off; for a company selling to large clients it is often an entry requirement. We do not sell certifications: we design integrations that apply these controls from day one, and if your case requires formal certification we factor it into the scope.

Frequently asked questions

Do I need to be ISO 27001 certified to integrate my systems?

No. Certification is a formal process (an audit by an accredited body, with cost and months of work) that makes sense when your clients require it or you compete for large contracts. Applying the Annex A controls is a different thing: you can (and should) build integrations with encryption in transit, least privilege, managed secrets and traceability even without the badge. Certification proves you do it; the controls are what actually protect the data.

Are ISO 27001 and the GDPR the same thing?

No, they are complementary. The GDPR is a mandatory European law focused on personal data: what you may process, on what legal basis and what rights people have. ISO 27001 is a voluntary international standard and broader: a management system to protect any information (personal or not) from loss, unauthorised access or tampering. In practice they reinforce each other: many Annex A controls (encryption, minimisation, PII protection, deletion) are also how you meet the GDPR at a technical level.

Which version of ISO 27001 is current in 2026?

ISO/IEC 27001:2022. The transition period from the 2013 version closed on 31 October 2025, so any live certification today is on the 2022 edition. The main change in Annex A is that it went from 114 to 93 controls, reorganised into four themes (organisational, people, physical, technological), and added new controls that are highly relevant to integrations: cloud services security, data leakage prevention, data masking, information deletion, monitoring and secure coding.

How much does ISO 27001 certification cost and how long does it take?

It depends heavily on size and on the scope you define, but as an order of magnitude: for a small company you are usually looking at several months of work to build the management system (ISMS) plus the cost of the certification audit by an accredited body, with annual surveillance audits and recertification every three years. For a micro business the badge does not always pay off: sometimes it is enough to demonstrate you apply the controls and comply with the GDPR. The decision usually comes from outside, when a large client makes it a requirement to work with them.

Are connectors like n8n, Zapier or Make secure under ISO 27001?

They can be, but the tool alone does not give you control: the control is in how you use it. The key difference is where the data lives. A cloud iPaaS puts that third party into your supply chain (control A.5.21) and routes your data through their infrastructure. Self-hosted n8n keeps the data on your own server, which greatly simplifies scope and fits better with clients who are sensitive about where their information is processed. In both cases managed secrets, least privilege and logs without personal data in the clear still apply.

How do AI agents and the MCP protocol affect ISO 27001?

They are a new surface, but the controls are the same as always. When you connect an agent (for example via MCP, the protocol that lets an assistant read and act on external systems with typed permissions), you are giving a model access to real data. The exact same criteria apply: scoped, read-only credentials when reading is enough, traceability of every action the agent takes, minimisation of what the model gets to see, and control over which provider that data is sent to. What is new is the actor; the security framework does not change.

Are you ISO 27001 certified?

We do not claim to hold ISO 27001 certification, because it would be false to say so without the badge from an accredited body. What we do is design every integration applying the Annex A controls described here: encryption in transit, managed secrets, least privilege, data minimisation, traceability and logs without personal data in the clear. If your project requires formal certification (yours or your suppliers') we discuss it in the diagnostic and factor it into the scope.

Note: this post is an explanatory guide on how we apply the ISO 27001:2022 controls when designing integrations. It is not an audit or certification service, and we do not claim to hold ISO 27001 certification. For a formal certification process you need an accredited body.

Author

Juan Cantón Rodríguez

Founder & lead developer at Francodesystems. Builds integrations with security in mind from day one: encryption in transit, managed secrets, least privilege and traceability. Maintains n8n-nodes-holded.

Do your integrations move sensitive data?

30 minutes. We map where your data travels and which controls to apply on each flow, with no hype and no selling you a badge you do not need.