What this post is about
- Certified Information Security as a Foundation of Trust
- Responsible Handling of Sensitive Support Data
- Clear Processes for Greater Security and Traceability
- Security as the Interplay of Processes, Technology, and Functions
- Transparency and Security in an Increasingly AI-Driven Support Environment
Every day, confidential information flows through helpdesk and ticketing systems — including personal data, technical details, internal queries, contract information, bug reports, and log excerpts.
For businesses, this means that Zammad is more than just a tool for handling inquiries. It is a central hub where knowledge, processes, and data converge. That is precisely why information security plays such a critical role.
What does ISO/IEC 27001:2022 compliance mean, exactly?
ISO/IEC 27001 is the internationally recognized standard for information security. It defines the requirements for establishing, implementing, operating, monitoring, and continuously improving an information security management system, or ISMS.
The focus is on protecting confidential information and ensuring its integrity and availability. This focus is not limited to technical measures or IT systems. ISO/IEC 27001 views information security as a holistic process, covering responsibilities, risk management, documentation, training, internal controls, and regular reviews.
The current version, ISO/IEC 27001:2022, has been updated to place greater emphasis on modern cloud environments, agile software development, and increasingly complex cyber threats.
What does ISO/IEC certification mean for Zammad customers?
The certification brings several tangible benefits for our customers:
1. Verified standards for handling information
ISO/IEC 27001:2022 certification demonstrates Zammad's commitment to a systematic approach to information security. Risks are identified, assessed, and addressed with appropriate measures. This is especially important for organizations that need to meet strict data protection requirements or regulatory obligations.
2. Reduced effort for IT procurement, compliance, and vendor management
Many companies need to regularly assess their software providers. In particular, larger organizations conduct security questionnaires, supplier audits, and data protection reviews as part of their everyday business.
ISO/IEC 27001:2022 certification can streamline these processes significantly. It provides a verified foundation that supports internal assessments and helps speed up the onboarding of new software solutions. This is particularly relevant for:
- IT departments and compliance teams
- Data protection and information security officers
- Procurement and vendor management
- Public-sector organizations and regulated industries
When selecting helpdesk software or a ticketing system, ISO/IEC certification can be a deciding factor.
3. Security as an ongoing process
Information security is not a static state but rather an ongoing commitment. As cyber threats increase, systems evolve, and IT security requirements become more demanding, this commitment becomes increasingly important. This is why ISO/IEC 27001 is based on continuous improvement. Through regular reviews and audits, we ensure our security processes adapt to new challenges.
Which Zammad features provide additional protection in day-to-day support operations?
ISO/IEC certification establishes a solid foundation for organizational and technical security. In day-to-day support, however, it is equally important that teams can access information securely and in a controlled way.
This is why helpdesk software requires features that support traceable, structured support processes. Zammad offers several security features designed to do exactly that:
- Two-factor authentication: an additional security layer for user accounts
Passwords alone are often no longer sufficient to reliably protect user accounts. With two-factor authentication (2FA), Zammad adds an extra layer of security to the login process. In addition to the password, a second factor is required, such as a time-based one-time code. This reduces the risk of unauthorized access when a password is compromised.
- Role and permission management: access based on the need-to-know principle
Not all employees need to be able to view or edit every ticket. Zammad offers granular role and permission management, which allows organizations to define exactly which users can access specific areas, features, and information.
This supports the need-to-know principle, ensuring that employees only have access to the information necessary to perform their tasks.
- Secure authentication with LDAP, SAML, and OpenID Connect
Many companies manage identities centrally and expose them through protocols such as LDAP, SAML, or OpenID Connect. Zammad supports these authentication methods and can therefore be integrated into existing identity and access management structures. This offers several advantages: user accounts do not have to be managed separately within the ticketing system, login processes can be controlled centrally, and security policies can be applied more consistently.
- Encrypted email communication with S/MIME and PGP
Not all customer inquiries originate directly within the Zammad interface. Many customers continue to communicate via email, while support teams handle the inquiries centrally in Zammad. In the process, confidential information may be exchanged, such as personal data, technical details, or confidential documents. Zammad supports the S/MIME and PGP encryption methods to make email communication more secure.
- Strict password policies: a secure foundation for local accounts
Even though modern authentication increasingly relies on single sign-on and central identity providers, strong password policies remain an important building block for security. Zammad allows password requirements to be defined for local user accounts, creating a secure foundation for day-to-day operations.
- Ticket history: audit-ready documentation of changes
Security also means traceability. Zammad automatically documents changes to tickets, such as status updates, new priorities, group assignments, and ownership changes, in the ticket history. This feature allows teams to see at any time what was changed, when, and by whom. This creates transparency throughout the support process, which is especially helpful for escalations, compliance checks, and internal audits.
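The "time-based one-time code" named under two-factor authentication above is usually a TOTP as defined in RFC 6238, built on the HOTP construction of RFC 4226. The following is an added illustration, written for this post in Ruby (the language Zammad is implemented in); it is not Zammad's own code and does not reflect how Zammad implements 2FA. It shows the points a verifier has to get right: the shared secret arrives base32-encoded, the code is an HMAC over the current 30-second time step, a small window of neighbouring steps absorbs clock skew, the comparison is constant-time, and a code is accepted only once per step so that a captured code cannot be replayed. The secret is the test key published in RFC 4226/6238; the clock values and submitted codes are constructed for the demonstration.

```ruby
require 'openssl'

# Added example: RFC 6238 TOTP verification with skew window and replay guard.
# Not Zammad code; secret, times and codes below are constructed test data.
module TotpDemo
  STEP     = 30                                  # seconds per time step
  DIGITS   = 6                                   # length of the displayed code
  ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'  # RFC 4648 base32 alphabet

  # Authenticator apps receive the secret as base32; Ruby's standard library has
  # no base32 decoder, so a small RFC 4648 decoder is included here.
  def self.base32_decode(str)
    bits = str.upcase.delete('=').each_char.map do |c|
      idx = ALPHABET.index(c)
      raise ArgumentError, "invalid base32 character #{c.inspect}" if idx.nil?
      idx.to_s(2).rjust(5, '0')
    end.join
    usable = bits.length - (bits.length % 8)     # drop trailing partial byte
    bits[0, usable].scan(/.{8}/).map { |b| b.to_i(2) }.pack('C*')
  end

  # HOTP (RFC 4226): HMAC-SHA1 over an 8-byte big-endian counter, dynamic
  # truncation to 31 bits, then reduced to DIGITS decimal digits.
  def self.hotp(secret, counter)
    msg    = [counter].pack('Q>')
    hmac   = OpenSSL::HMAC.digest('SHA1', secret, msg)
    offset = hmac.getbyte(19) & 0x0f
    code   = (hmac[offset, 4].unpack1('N') & 0x7fffffff) % (10**DIGITS)
    code.to_s.rjust(DIGITS, '0')
  end

  # TOTP (RFC 6238): HOTP with the counter derived from Unix time.
  def self.totp(secret, unix_time)
    hotp(secret, unix_time.to_i / STEP)
  end

  # Constant-time string comparison, so a wrong code cannot be distinguished
  # from a partly right one by response timing.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Verify a submitted code against the steps in [now - window, now + window].
  # Steps at or before `last_used_step` are refused, which blocks replay of a
  # code that was already accepted. Returns the matching step on success so
  # the caller can persist it as the new last_used_step, or nil on failure.
  def self.verify(secret, submitted, now, window: 1, last_used_step: nil)
    base = now.to_i / STEP
    (-window..window).each do |delta|
      step = base + delta
      next if last_used_step && step <= last_used_step
      return step if secure_compare(hotp(secret, step), submitted.to_s)
    end
    nil
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed demo using the RFC test key "12345678901234567890" in base32.
  secret = TotpDemo.base32_decode('GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ')
  code   = TotpDemo.totp(secret, 59)
  puts "code at t=59: #{code}"
  puts "accepted at t=59:  #{TotpDemo.verify(secret, code, 59).inspect}"
  puts "accepted at t=89:  #{TotpDemo.verify(secret, code, 89).inspect} (one step of skew)"
  puts "replayed:          #{TotpDemo.verify(secret, code, 59, last_used_step: 1).inspect}"
end
```

The return value of `verify` is the time step rather than a plain boolean on purpose: a server must store the last accepted step per user and pass it back as `last_used_step`, otherwise the skew window also becomes a replay window.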
Security, transparency, and the future of AI
Zammad is open source software, and transparency is part of its DNA. Our ISO/IEC certification further solidifies this commitment by reinforcing our dedication to open software, verifiable processes, and clear responsibilities.
This foundation will become even more important in the future. The way support teams work is changing with the use of artificial intelligence. AI processes, transfers, and uses data for automation. This makes clearly defined security processes, technical frameworks, and responsibilities essential.
Zammad also takes a transparent approach to AI for this reason: customers decide which large language model to connect and which solution best fits their company’s compliance requirements. This allows customers to stay in control of which AI services are used and how data flows are designed. Learn more on our Zammad AI topic page.
📑 Need the ISO/IEC certificate for your compliance records?
Reach out to our sales team via the contact page. We're happy to provide relevant documents for internal reviews, vendor assessments, and compliance processes.