ISO compliance at Exclaimer
Exclaimer has held ISO 27001 certification since 2016. Our Information Security Management System (ISMS) is currently certified to ISO/IEC 27001:2022 and ISO/IEC 27018:2019 by BARR Advisory, with our most recent recertification audits completed in February 2026.
Key facts at a glance
Certifications held: ISO/IEC 27001:2022 and ISO/IEC 27018:2019
Certifying body: BARR Advisory (ANAB-accredited)
Certified since: 2016 (first email signature solution to achieve ISO 27001)
Audit frequency: Annual surveillance audits; full recertification every three years
Scope: Development, operation, and support of Exclaimer's cloud-hosted email signature management platform
This page explains what our ISO certifications cover, how we implement the controls, and where to find the evidence you need for vendor risk assessments and data protection impact assessments (DPIAs).
"Email signatures touch every outbound message and pull live directory data, so the controls behind them matter. Our ISO certifications show those controls are designed properly and independently tested. That should make vendor reviews easier, not harder." — Karl Bagci, Director of IT and Information Security, Exclaimer
What ISO/IEC 27001 and ISO/IEC 27018 cover
Exclaimer's ISO certifications cover the security and privacy controls applied to our cloud platform and the data it processes.
What is ISO/IEC 27001:2022?
ISO/IEC 27001 is the international standard for Information Security Management Systems. It sets out how an organization identifies risks to information, applies controls to manage those risks, monitors how well those controls work, and improves them over time. This is all carried out under independent external audit.
The 2022 revision is the current version of the standard. It replaced ISO/IEC 27001:2013, which was retired on October 31, 2025. Exclaimer transitioned to the 2022 revision well ahead of the deadline.
What is ISO/IEC 27018:2019?
ISO/IEC 27018 is the code of practice for protecting personally identifiable information (PII) in public clouds. It adds cloud-specific controls for how providers handle customer personal data: data minimization, consent, disclosure, audit trails, privacy impact assessments, and incident management.
For email signature management, ISO 27018 is the standard that maps most directly to how Exclaimer handles directory data synced from Microsoft 365 and Google Workspace. GDPR doesn’t have a formal certification model, but ISO 27018 is widely accepted as evidence that a SaaS vendor operates with GDPR principles built into its cloud platform.
What ISO certifications does Exclaimer hold?
| Certification | Version | Certificate number | Certifying body | Last renewed |
|---|---|---|---|---|
| ISO/IEC 27001 | 2022 | 011588-01 | BARR Certifications LLC | February 2026 |
| ISO/IEC 27018 | 2019 | 011588-04 | BARR Certifications LLC | February 2026 |
Exclaimer was the first email signature solution to receive ISO 27001 certification. It has held continuous certification through every annual surveillance audit and three-year recertification cycle since 2016.
Exclaimer's ISO certifications cover directory data synced from Microsoft 365 and Google Workspace, including user names, job titles, and contact details.
| Scope | Audit cadence |
|---|---|
| Our ISO certifications cover the development, operation, and support of Exclaimer's cloud-hosted email signature management platform. This includes the infrastructure, processes, and personnel involved in delivering the service. | Annual independent surveillance audits, with a full external recertification audit every three years. |
How does Exclaimer implement its ISO 27001 and 27018 controls?
Our Information Security Management System (ISMS) is the framework that holds our ISO certifications together. It defines the policies, controls, and review processes that our certifying body audits us against.
Two areas of the ISMS come up most often in ISO-specific vendor questions:
What is Exclaimer's Statement of Applicability and risk management process?
Exclaimer maintains a formal information security risk register. Each risk is owned by a named member of the security team, and the register is reviewed by senior management on a regular cadence.
The controls we apply to those risks are recorded in our Statement of Applicability (SoA). The SoA is reviewed at least annually, and after any significant change to the platform, our supplier base, or the threat environment. Our certifying body reviews the current SoA at every external audit.
How often is Exclaimer audited for ISO compliance?
Exclaimer is audited annually by an independent external auditor against the requirements of ISO/IEC 27001 and ISO/IEC 27018. Full recertification audits run every three years, with surveillance audits in the intervening years.
Internal audits and management reviews run alongside the external program. Corrective actions from any audit are tracked through to closure.
For the wider Exclaimer security program, including infrastructure, secure development, incident response, and employee security, see the Exclaimer security page.
Where can I download Exclaimer's ISO certificates?
Our Trust Center is where we publish the documentation, audit evidence, and security questionnaire responses that procurement and security teams ask for.
You'll find our current ISO/IEC 27001:2022 and ISO/IEC 27018:2019 certificates there. You'll also find pre-completed answers to over 350 questions covering all our accreditations.
If your review needs documentation that isn't in the Trust Center, or you'd like to speak to our security team directly, contact our security team.
Visit the Trust Center →
Frequently asked questions about Exclaimer and ISO compliance
Exclaimer is certified by BARR Advisory, an ANAB-accredited certification body that conducts independent audits. BARR Advisory is one of the leading SOC 2 and ISO audit firms in the U.S.
Exclaimer's ISO certifications protect directory data synced from Microsoft 365 and Google Workspace, including user names, job titles, and contact details. The certifications cover Exclaimer's cloud-hosted email signature management platform in full: the service itself, the infrastructure it runs on, and the people and processes that deliver it.
Our most recent external recertification audits were completed in February 2026. Independent surveillance audits run annually, with a full external recertification audit every three years.
Current ISO/IEC 27001:2022 and ISO/IEC 27018:2019 certificates are available in the Exclaimer Trust Center, along with supporting audit evidence and security documentation.
Yes. Our Statement of Applicability (SoA) covers all ISO/IEC 27001 controls with no exclusions and is available in the Exclaimer Trust Center. Its contents are reviewed during ISO certification audits.
Talk to Exclaimer's security team
If your vendor review needs documentation or context that isn't covered here or in the Trust Center, our security team can talk through specific controls, scope details, or audit evidence with you directly.
Contact our security team →




