Your firm holds ISO 27001 certification. The next audit is in six months. Among the things the auditor will look at: your supplier inventory, including the PDF tools your staff use every day. Each one needs to fit into your information security management system.
Why PDF tools are in scope
ISO 27001 covers the information security management system (ISMS) of an organisation. Annex A controls include supplier relationships, secure development, cryptography, communications security and more. Tools used to process information are part of the picture.
A PDF tool that handles sensitive contracts, employee records or customer data is a supplier under A.5.19 (information security in supplier relationships). The control: have a process to manage supplier risk.
What auditors look for
Inventory: do you know what tools your staff use to process sensitive PDFs? Many organisations don't, which is itself a finding.
Risk assessment: have you evaluated each tool for the data it handles? Privacy posture, certifications, data residency, retention.
Contracts: are appropriate agreements in place (DPA, BAA where applicable)?
Monitoring: are you reviewing tool choices and incidents?
The finding isn't usually 'you used X tool'. The finding is 'you didn't think about it'.
Tool selection criteria
For ISO 27001 environments, prefer tools that:
- Hold their own ISO 27001 certification, or equivalent (SOC 2 Type II).
- Publish data handling documentation.
- Offer DPAs where personal data is processed.
- Process locally (browser-based) where possible, which reduces supplier scope.
Flint's browser-based approach means files don't transit Flint's servers, reducing the supplier-processing footprint. Verify current certification posture in Flint's trust documentation.
Staff training and shadow IT
Common failure: staff use unauthorised free PDF tools for sensitive work. Auditors look for awareness, training and policy on tool selection.
Provide an approved-tool list. Make the approved tools easy to use: staff turn to shadow IT when sanctioned tools create friction. Browser-based vetted tools are easier to roll out than enterprise installs.
FAQ
Does ISO 27001 require my suppliers to be ISO 27001?
Not strictly — A.5.19 requires risk-based supplier management. Certified suppliers simplify the assessment but aren't mandatory.
Is Flint ISO 27001 certified?
Check Flint's current trust documentation. Browser-based architecture significantly reduces the data Flint processes, simplifying supplier assessment regardless.
What about ad-hoc free tools my team uses?
Shadow IT is an audit finding. Inventory what's in use and either approve, replace or document.
How often do I need to review tools?
Per your risk appetite — annually is common. Major incidents in a vendor should trigger immediate review.
ISO 27001 puts tools in scope. Choose ones that simplify the audit story — and document why.