ISO 27001 is the international standard for information security management systems (ISMS). It provides a framework for establishing, implementing, and maintaining information security controls across an organisation. For companies that store customer data in CRM systems, ISO 27001 certification — or compliance with its controls — has direct implications for how CRM platforms are selected, configured, and operated. This guide covers what ISO 27001 requires in the context of CRM, how major CRM vendors approach certification, and the specific controls that apply to CRM data.
ISO 27001 and CRM configuration intersect wherever access control, auditability, and data handling are involved. The CRM can support compliance well, but only when the team knows which controls matter and how they are documented.
That makes compliance a configuration problem as much as a policy problem. If the CRM is not set up to prove what happened, passing an audit becomes much harder than it needs to be.
ISO 27001 and CRM: Why It Matters
ISO 27001 applies to any information system that handles sensitive or business-critical data — and CRM systems, by nature, hold some of the most commercially sensitive data in the organisation: customer contact details, deal values, revenue pipeline, pricing information, and sales strategy. Three scenarios make ISO 27001 directly relevant to CRM:
- Your organisation is pursuing ISO 27001 certification: CRM is within the scope of the ISMS assessment, and controls must be documented and implemented for how CRM data is accessed, stored, and protected
- Your customers or prospects require you to be ISO 27001 certified: Enterprise procurement increasingly asks for ISO 27001 (or SOC 2) as a vendor qualification requirement — your CRM data handling practices are part of what’s being assessed
- You’re selecting a CRM vendor: Whether the CRM vendor holds ISO 27001 certification is a legitimate due diligence criterion for procurement
ISO 27001 Certification Status of Major CRM Vendors
| CRM Vendor | ISO 27001 Certified | Additional Certifications | Notes |
|---|---|---|---|
| Salesforce | Yes | SOC 1, SOC 2, ISO 27017, ISO 27018, PCI DSS, HIPAA BAA available | Covers the Salesforce platform infrastructure; tenant configuration security is customer responsibility |
| HubSpot | Yes | SOC 2 Type II, ISO 27001 | Achieved ISO 27001 certification; SOC 2 Type II reports available under NDA for enterprise customers |
| Zoho CRM | Yes | SOC 2 Type II, ISO 27001, ISO 27017, ISO 27018 | Covers Zoho’s data centres and platform infrastructure |
| Pipedrive | Yes | SOC 2 Type II, ISO 27001 | Standard enterprise security certifications |
| Microsoft Dynamics 365 | Yes | ISO 27001, SOC 1, SOC 2, ISO 27017, ISO 27018, FedRAMP | Runs on Microsoft Azure infrastructure with comprehensive compliance coverage |
| Freshsales (Freshworks) | Yes | SOC 2 Type II, ISO 27001 | Standard enterprise security certifications |
Vendor certification means the vendor’s infrastructure meets ISO 27001 controls — it does not mean that your specific configuration of the CRM platform is secure. The shared responsibility model applies: the vendor secures the platform; you are responsible for how you configure it, who has access, and what data you put in it.
ISO 27001 Controls Relevant to CRM Configuration
The Annex A references in this section follow the ISO 27001:2013 numbering. The 2022 edition renumbers the same controls (for example A.9 becomes 5.15 and 5.18, A.10 becomes 8.24, and A.15 becomes 5.19), and that 2022 numbering is what the audit questions later in this guide use.
Access control (Annex A.9): ISO 27001 requires that access to information systems is granted based on the principle of least privilege — users only have access to the data and functions they need for their role. In CRM terms: sales reps should see only their own deals and accounts (or their team’s), not all records in the CRM; finance should not have access to customer contact data; administrators should be a small, named group. Apply CRM role-based access controls, field-level permissions (hiding sensitive fields from unauthorised users), and record-level access rules (territory-based or owner-based visibility).
Cryptography (Annex A.10): Data must be protected by appropriate encryption. CRM vendors who are ISO 27001 certified encrypt data at rest and in transit — verify this in the vendor’s security documentation. For organisations handling highly sensitive CRM data, check whether the vendor supports customer-managed encryption keys (CMEK), which give you control over the encryption key rather than the vendor.
Supplier relationships (Annex A.15): ISO 27001 requires that information security requirements are agreed with suppliers (third-party vendors who handle your data). CRM vendors are suppliers under this control. Execute the vendor’s Data Processing Agreement (DPA) and include information security requirements in the contract. Review the vendor’s ISO 27001 certificate annually and request updated SOC 2 reports.
Incident management (Annex A.16): ISO 27001 requires a documented incident response process. This includes procedures for responding to a CRM data breach: who is notified, how quickly, and what containment steps are taken. Know your CRM vendor’s breach notification policy (typically 72-hour notification under GDPR, which many vendors apply globally). Have an internal procedure for revoking access, investigating the incident, and notifying affected parties.
Asset management (Annex A.8): All information assets must be identified, classified, and owned. CRM customer data should be classified according to your organisation’s data classification scheme (confidential, restricted, public) and the data owner designated. In practice: the CRM data owner is typically the CRM Administrator or RevOps lead, responsible for the security configuration and data quality of the CRM system.
ISO 27001 Audit Preparation for CRM Systems
ISO 27001 certification requires organisations to show that information security controls are documented, implemented, monitored, and continually improved. CRM systems present a specific audit challenge because they hold large volumes of personal and commercially sensitive data, integrate with numerous external systems, and are accessed by a wide user population with varying levels of security awareness. Preparing CRM systems for an ISO 27001 audit takes a structured approach — not scrambling to document things at audit time.
“Our ISO 27001 auditor wants a list of who has admin access to the CRM — we don’t have this documented”
ISO 27001 auditors routinely ask for evidence of access control — specifically, a current list of users with privileged (admin) access to each information system. Fix: generate the CRM administrator user report from your CRM (HubSpot: Settings → Users → filter by Admin role; Salesforce: Setup → Users → filter by System Administrator profile). Export it, date it, and store it in your ISMS document library. Review this list quarterly as part of your access review process — former employees and contractors who still hold admin access are a common finding.
“We have contractors and agency staff with access to our CRM and aren’t sure how to handle this in ISO 27001”
Third-party access to CRM (contractors, agencies, outsourced sales teams) is addressed under Annex A.15 (Supplier Relationships) and A.9 (Access Control). Fix: document each third party with CRM access, the specific access level granted, and the business justification. Execute an NDA and a supplier security agreement with each party. Grant the minimum access necessary — a marketing agency managing email campaigns doesn’t need access to deal pipeline or pricing data. Revoke access immediately when the contract ends. Include third-party access review in your quarterly access control review process.
“We’re not sure which CRM data is in scope for our ISO 27001 certification”
ISO 27001 scope definition is a common sticking point. The ISMS scope statement must describe which systems and data are included. For CRM: if the CRM contains personal data of customers or prospects, it is likely in scope. If it contains commercially sensitive data (deal values, pricing, pipeline), it should be in scope. Fix: document CRM as an in-scope information asset in the ISMS asset register. Record what data it holds, the data classification, who owns it, and what security controls apply. The asset register entry serves as evidence for the auditor that the asset is managed under the ISMS framework.
Is ISO 27001 certification required to use a CRM, or does it apply to the CRM vendor?
ISO 27001 certification can apply at two levels. First, your organisation may pursue ISO 27001 certification for its own information security management system — in which case your CRM is an in-scope information asset that your controls must address. Second, your CRM vendor may hold ISO 27001 certification for the infrastructure and services they provide — this gives you assurance that the vendor’s security practices meet the standard. Salesforce, HubSpot, Microsoft Dynamics, and Zoho all hold ISO 27001 certification for their cloud infrastructure. When your organisation pursues certification, you can rely on your vendor’s ISO 27001 certification as evidence that the underlying platform is covered, but you still need controls covering how your organisation configures, uses, and monitors the CRM.
What CRM logs should be retained for ISO 27001 audit evidence?
ISO 27001 Annex A Control 8.15 (Logging) requires that event logs are produced, protected, and retained. For CRM systems, relevant log categories include user login and logout events, failed login attempts, data export events (particularly bulk data exports), administrative changes (user creation, permission changes, configuration changes), and API access logs showing which external systems are calling the CRM API. Log retention periods should align with your organisation’s retention policy and any applicable legal requirements, but a minimum of 12 months of CRM audit logs is a common baseline for ISO 27001 purposes. Check whether your CRM vendor provides native audit log access and export capability, or whether you need a SIEM (Security Information and Event Management) tool to centralise and retain logs from the CRM API.
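As an added example (not code from any CRM vendor or from this guide), the script below triages an exported CRM audit log against the four log categories just listed: failed login bursts, bulk data exports, permission changes made by someone outside the documented admin group, and API calls from clients not in the integration register. The event format, field names, thresholds and sample events are constructed for the example; a real Salesforce or HubSpot export would need its fields mapped onto them.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: one JSON object per line, oldest first.
SAMPLE_EVENTS = """\
{"ts":"2024-06-12T08:00:01Z","type":"login_failed","user":"ana@example.com"}
{"ts":"2024-06-12T08:00:09Z","type":"login_failed","user":"ana@example.com"}
{"ts":"2024-06-12T08:00:15Z","type":"login_failed","user":"ana@example.com"}
{"ts":"2024-06-12T08:00:22Z","type":"login_failed","user":"ana@example.com"}
{"ts":"2024-06-12T08:00:30Z","type":"login_failed","user":"ana@example.com"}
{"ts":"2024-06-12T09:10:00Z","type":"data_export","user":"bob@example.com","rows":25000}
{"ts":"2024-06-12T09:12:00Z","type":"permission_change","user":"bob@example.com","target":"dan@agency.example"}
{"ts":"2024-06-12T09:30:00Z","type":"api_call","client":"unknown-script","endpoint":"/contacts"}
{"ts":"2024-06-12T09:31:00Z","type":"api_call","client":"marketing-platform","endpoint":"/contacts"}
"""

ADMINS = {"cara@example.com"}                                  # documented admin group (assumed)
KNOWN_API_CLIENTS = {"marketing-platform", "data-warehouse"}   # integrations in the supplier register (assumed)

def triage(events_jsonl, admins, known_clients, fail_threshold=5, window_min=10, export_rows=10000):
    """Return (finding, subject, detail) tuples worth keeping as audit evidence."""
    findings = []
    failed = defaultdict(list)  # user -> timestamps of recent failed logins
    for line in events_jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ts = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        kind = ev["type"]
        if kind == "login_failed":
            # keep only failures inside the sliding window, then add this one
            window = [t for t in failed[ev["user"]] if ts - t <= timedelta(minutes=window_min)]
            window.append(ts)
            failed[ev["user"]] = window
            if len(window) == fail_threshold:   # fire once when the threshold is first reached
                findings.append(("failed_login_burst", ev["user"], f"{len(window)} in {window_min} min"))
        elif kind == "data_export" and ev.get("rows", 0) >= export_rows:
            findings.append(("bulk_export", ev["user"], f"{ev['rows']} rows"))
        elif kind == "permission_change" and ev["user"] not in admins:
            findings.append(("permission_change_by_non_admin", ev["user"], ev["target"]))
        elif kind == "api_call" and ev["client"] not in known_clients:
            findings.append(("unregistered_api_client", ev["client"], ev["endpoint"]))
    return findings

def run_sample():
    return triage(SAMPLE_EVENTS, ADMINS, KNOWN_API_CLIENTS)
```

Run it on a monthly export and file the findings with the dated log extract; the findings list, not the raw log, is what the auditor will read.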
How does multi-factor authentication for CRM relate to ISO 27001?
ISO 27001 Annex A Control 5.17 (Authentication Information) requires that authentication systems are designed to resist abuse and that appropriate authentication controls are applied based on risk. For CRM systems holding significant volumes of personal or commercially sensitive data, MFA is a required control, not an optional enhancement. An ISO 27001 auditor reviewing a CRM with no MFA enforcement for remote access would typically flag this as a gap against Control 5.17. Enforce MFA for all CRM users with no exceptions, including senior users and system administrators. Configure your CRM to require MFA on every login, not just on first device registration. If your CRM supports Single Sign-On with an identity provider, enforce MFA at the identity provider level to cover CRM and all connected applications through a single policy.
Does ISO 27001 require us to encrypt CRM data at rest?
ISO 27001 Annex A Control 8.24 (Use of Cryptography) requires that cryptography is used appropriately to protect the confidentiality, integrity, and availability of information. Encryption at rest for CRM data is generally expected as part of this control, particularly for cloud CRM deployments. The major cloud CRM vendors (Salesforce, HubSpot, Microsoft Dynamics, Zoho) encrypt data at rest by default using AES-256 or equivalent. Your ISO 27001 documentation should state that you rely on the CRM vendor’s encryption at rest controls, reference the vendor’s security documentation confirming this, and note that your organisation does not require additional application-layer encryption for standard CRM data. For particularly sensitive data categories (health information, financial data, high-value personal data), consider whether field-level encryption within the CRM adds a meaningful additional layer of protection.
The best implementation is the one that keeps everyone working from the same facts. If the CRM cannot do that, the process still has a gap.
Common Problems and Fixes
Problem: CRM access control documentation does not reflect actual user permissions
ISO 27001 Annex A Control 5.15 (Access Control) requires that access to information assets is restricted based on business and security requirements. In practice, CRM access rights are granted when users join and rarely reviewed when roles change. An ISO 27001 auditor reviewing your CRM will ask for an access matrix showing each user role, what data they can access, and the business justification. If your actual CRM permissions don’t match documented roles — which is very common after 12+ months of ad hoc permission grants — that’s a nonconformity. Fix: run a quarterly access review in CRM. Export all active user accounts with their permission profiles and compare against your documented roles. Revoke permissions that are no longer appropriate. Document the review and its outcomes. Many CRMs (Salesforce, HubSpot) support role-based access control reports that can be exported for audit evidence.
Problem: No documented process for revoking CRM access when employees leave
ISO 27001 Annex A Control 5.18 (Access Rights) requires timely revocation of access when employment or contract terms change. CRM account deactivation is frequently missed during offboarding because it requires action from both HR and the CRM administrator, and the handoff between them is often undocumented. Former employees with active CRM credentials are a significant security risk. Fix: add CRM deactivation to your formal offboarding checklist with a maximum 24-hour SLA from the employee’s final working day. Where possible, automate this using an identity provider (Okta, Azure AD, Google Workspace) with Single Sign-On to CRM — when the employee account is disabled in the identity provider, CRM access is revoked automatically. Document this integration as an automated control in your ISO 27001 Statement of Applicability.
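The quarterly access review described for the admin list (earlier), the role-matrix comparison (Control 5.15) and the offboarding SLA (Control 5.18) are one procedure, shown here as a single added example that is not from this guide or any CRM vendor. The user export columns, the role matrix, the HR leaver feed and all names are constructed; a real review would feed it the CRM's user export and the ISMS role documentation.

```python
import csv
import io
from datetime import datetime, timedelta

# Documented role matrix from the ISMS: role -> permissions that role may hold (assumed).
ROLE_MATRIX = {
    "Sales Rep": {"read_own_deals", "edit_own_deals"},
    "Sales Manager": {"read_team_deals", "edit_team_deals", "export_reports"},
    "Marketing Agency": {"manage_campaigns"},
    "System Administrator": {"manage_users", "manage_permissions", "export_all", "read_all_deals"},
}

# Constructed CRM user export; column names are assumed, map your CRM's export onto them.
CRM_USER_EXPORT = """\
email,role,status,permissions
ana@example.com,Sales Rep,active,read_own_deals;edit_own_deals
bob@example.com,Sales Rep,active,read_own_deals;edit_own_deals;export_all
cara@example.com,System Administrator,active,manage_users;manage_permissions;export_all;read_all_deals
dan@agency.example,Marketing Agency,active,manage_campaigns;read_all_deals
eve@example.com,System Administrator,active,manage_users;manage_permissions;export_all;read_all_deals
"""

# Constructed HR leaver feed: email -> final working day (ISO date).
HR_LEAVERS = {"eve@example.com": "2024-06-01"}

def review_access(user_csv, role_matrix, leavers, as_of, sla_hours=24):
    """Return the dated admin list (audit evidence) and (user, finding, detail) nonconformities."""
    now = datetime.fromisoformat(as_of)
    admins, findings = [], []
    for row in csv.DictReader(io.StringIO(user_csv)):
        email, role = row["email"], row["role"]
        granted = set(filter(None, row["permissions"].split(";")))
        allowed = role_matrix.get(role)
        if allowed is None:                       # role exists in CRM but not in the documented matrix
            findings.append((email, "undocumented_role", role))
        elif granted - allowed:                   # ad hoc grants beyond what the role permits
            findings.append((email, "excess_permissions", ",".join(sorted(granted - allowed))))
        if role == "System Administrator" and row["status"] == "active":
            admins.append(email)
        if email in leavers and row["status"] == "active":   # offboarding SLA breach
            overdue = now - datetime.fromisoformat(leavers[email]) - timedelta(hours=sla_hours)
            if overdue > timedelta(0):
                findings.append((email, "leaver_still_active", f"{overdue.days} days past SLA"))
    return {"admins": sorted(admins), "findings": sorted(findings)}

def run_review():
    return review_access(CRM_USER_EXPORT, ROLE_MATRIX, HR_LEAVERS, "2024-06-12")
```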
Problem: CRM-to-third-party data transfers are not covered in the information security risk register
ISO 27001 Clause 6.1.2 requires that organisations identify information security risks, including risks associated with data transfers to third-party suppliers. CRM systems routinely transfer personal and commercial data to enrichment providers, email platforms, analytics tools, and data warehouses. Each integration is a potential data transfer risk that a shallow risk assessment will miss. Fix: map all CRM integrations as part of your risk assessment. For each integration, document the data categories transferred, the security measures in place (encryption in transit, API authentication method), the vendor’s security certifications (ISO 27001, SOC 2), and the contractual data processing agreement in place. Add each material integration as a line item in your supplier risk register (ISO 27001 Annex A Control 5.19, Supplier Relationships). Review annually or when the integration configuration changes materially.
