Checklist · Compliance

8 ISO 27001 Checks for Secure Client Document Sharing

The eight ISO 27001-aligned requirements professional-services teams should verify in any document-sharing tool, each with a quick pass-or-fail question covering encryption, access control, audit logs, and EU data sovereignty.

By Mathias Celis, Founder, Alkmist · Last updated June 2026 · 9 min read

TL;DR

An ISO 27001 certificate on a vendor's website is a starting point, not an answer. It tells you the provider runs an information security management system, but not whether the specific service you are buying is in scope, where your data lives, or who can see it. These eight checks turn the standard into pass-or-fail questions you can ask any document-sharing tool before client files go near it.

Why certification alone is not the answer

ISO/IEC 27001:2022 certifies that an organization operates a managed information security system, audited by a third party. That is meaningful, and tools like Box, Egnyte, and Alkmist carry it. What a logo on a marketing page does not tell you is the scope of the certificate, whether your data stays in the EU, or how access and logging actually work for external client users.

For an audit or accounting firm, those specifics are the difference between a tool that helps you pass your own assessment and one that becomes a finding. The checklist below maps to the Annex A controls that matter most for client document sharing, so you can verify the substance behind the badge.

The eight checks

  1. Annex A 5.19–5.23 · Supplier & cloud services

    The certificate is real, current, and in scope

    A certificate can be expired, narrowly scoped, or held by a parent entity rather than the product you are buying. Ask to see it, not just a badge.

    Pass if: The vendor provides a current ISO/IEC 27001:2022 certificate that names the actual service in scope and is in date.
  2. Annex A 8.24 · Use of cryptography

    Encryption in transit and at rest

    Files must be protected while moving and while stored. Key custody matters too, since who holds the keys decides who can ultimately read the data.

    Pass if: Data is encrypted in transit (TLS) and at rest (for example AES-256), and the vendor can state who controls the encryption keys.
  3. Annex A 5.15, 8.3 · Access control & restriction

    Role-based access with least privilege

    Clients and external advisors should see only what their role allows. Folder-level all-or-nothing access is a common failure point for client work.

    Pass if: You can grant access by role with least privilege, granular to the file or folder, including for external users.
  4. Annex A 8.5 · Secure authentication

    Strong authentication you can enforce

    A password alone is not enough for client financial data. Look for multi-factor authentication and single sign-on that you can require, not just offer.

    Pass if: MFA and SSO are supported and can be enforced for internal users, and ideally for external ones too.
  5. Annex A 8.15, 8.16 · Logging & monitoring

    An immutable, exportable audit trail

    If you cannot show who accessed what and when, you cannot evidence the control. The log must be tamper-resistant and yours to export.

    Pass if: Every access, upload, and change is logged immutably with actor and timestamp, and the log is exportable for your records.
  6. Annex A 5.14 · Information transfer

    Controlled external sharing

    Public-by-default links are how data leaks. Shares to clients should be governed, time-bound, and reversible.

    Pass if: External shares can be password-protected, time-limited, and revoked, with no public-by-default links.
  7. Annex A 5.23 · Cloud services · plus GDPR

    EU data residency and sovereignty

    Residency is where the data sits; sovereignty is which laws can reach it. A vendor can host in the EU and still be exposed through a non-EU corporate parent.

    Pass if: Data is stored in the EU and you understand any non-EU jurisdiction exposure from the provider's corporate parent.
  8. Annex A 8.10 · Information deletion

    Retention and verifiable deletion

    Holding client data forever is its own risk. You need to set how long data is kept and to delete it for real at engagement close.

    Pass if: You can set retention rules and verifiably delete client data when an engagement ends.
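Check 5 asks for an audit trail that is both complete (actor, timestamp, action on every event) and tamper-resistant. The script below is an added example, not code from Alkmist, Box, Egnyte or ShareFile, showing how a firm could verify an exported log against those two properties. It assumes a JSON-lines export in which each entry carries a SHA-256 hash chained to the previous entry; the field names, the chaining scheme and the sample events are constructed for illustration and will not match any real vendor's export format.

```python
"""Verify an exported audit trail for completeness and tamper-evidence.

Added example for check 5 (Annex A 8.15 / 8.16). The export layout
(JSON lines, fields ts/actor/action/object/hash) and the hash-chain
convention are assumptions, not any vendor's actual format.
"""
import hashlib
import json

REQUIRED_FIELDS = ("ts", "actor", "action", "object")
GENESIS = "0" * 64  # assumed chain start value for the first entry


def canonical(entry):
    """Stable JSON encoding so that hashing does not depend on key order."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":"))


def entry_digest(prev_hash, entry):
    """SHA-256 over the previous entry's hash and this entry's body (hash field excluded)."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256((prev_hash + canonical(body)).encode()).hexdigest()


def verify_export(lines):
    """Return (ok, findings) for a JSON-lines export.

    Flags entries missing required fields, entries whose hash does not match
    the recomputed chain value, and timestamps that go backwards.
    """
    findings = []
    prev_hash, prev_ts = GENESIS, ""
    for lineno, raw in enumerate(lines, start=1):
        entry = json.loads(raw)
        missing = [f for f in REQUIRED_FIELDS if not entry.get(f)]
        if missing:
            findings.append(f"line {lineno}: missing {', '.join(missing)}")
        if entry.get("hash") != entry_digest(prev_hash, entry):
            findings.append(f"line {lineno}: hash mismatch (entry altered or chain broken)")
        ts = entry.get("ts", "")
        if ts and prev_ts and ts < prev_ts:  # ISO 8601 UTC strings sort lexically
            findings.append(f"line {lineno}: timestamp earlier than previous entry")
        # Continue from the stored hash so a single altered entry is reported once.
        prev_hash, prev_ts = entry.get("hash", ""), ts or prev_ts
    return (not findings, findings)


def build_export(events):
    """Constructed helper standing in for the vendor side: chain events into an export."""
    lines, prev = [], GENESIS
    for ev in events:
        ev = dict(ev)
        ev["hash"] = entry_digest(prev, ev)
        lines.append(canonical(ev))
        prev = ev["hash"]
    return lines


# Constructed sample events: an internal upload, an external client download, a revocation.
SAMPLE_EVENTS = [
    {"ts": "2026-03-02T09:14:05Z", "actor": "a.dupont@firm.example",
     "action": "upload", "object": "clients/acme/FY25-ledger.xlsx"},
    {"ts": "2026-03-02T09:20:41Z", "actor": "j.smith@acme-client.example",
     "action": "download", "object": "clients/acme/FY25-ledger.xlsx"},
    {"ts": "2026-03-03T16:02:10Z", "actor": "a.dupont@firm.example",
     "action": "share.revoke", "object": "clients/acme/FY25-ledger.xlsx"},
]
SAMPLE_EXPORT = build_export(SAMPLE_EVENTS)


def tampered_export():
    """Constructed: the external download is rewritten as a 'view' without re-chaining."""
    lines = list(SAMPLE_EXPORT)
    entry = json.loads(lines[1])
    entry["action"] = "view"
    lines[1] = canonical(entry)
    return lines


def incomplete_export():
    """Constructed: a correctly chained export whose only entry has no actor."""
    return build_export([{"ts": "2026-03-02T09:14:05Z", "action": "upload",
                          "object": "clients/acme/FY25-ledger.xlsx"}])


if __name__ == "__main__":
    for name, export in (("clean", SAMPLE_EXPORT), ("tampered", tampered_export()),
                         ("incomplete", incomplete_export())):
        ok, findings = verify_export(export)
        print(f"{name}: {'PASS' if ok else 'FAIL'}", *findings, sep="\n  ")
```

The clean export passes, the rewritten download entry is reported on exactly one line because the later entry still chains to the stored hash, and the entry with no actor is well chained but fails the completeness requirement. When a vendor's export has no integrity field at all, there is nothing to recompute, which is itself the answer to the "immutable" half of the check.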

Applying this to the tools you are evaluating

Box, Egnyte, and ShareFile are capable, security-certified platforms, and they will pass several of these checks comfortably. The checklist is most useful where the named tools differ, not where they agree.

Where the real differences show up

On encryption and authentication, most enterprise tools pass. The separation tends to appear on checks 1, 3, and 7: the exact scope of the certificate, how granular access control is for external client users, and whether the provider offers EU residency under EU corporate control rather than an EU region operated by a US parent.

That last point is where Alkmist differs from US-headquartered platforms. Alkmist is a Belgian company, ISO 27001 certified and GDPR compliant, that keeps client data on EU infrastructure, with eight permission roles and an immutable audit trail built for external client work. Run all eight checks against any shortlist, and weight checks 1, 3, and 7 heavily for regulated EMEA firms.

ISO 27001 certified · EU data residency · 8 permission roles · 8,000+ users on Alkmist

Frequently asked questions

What is an ISO 27001 certified document sharing tool?
It is a document-sharing platform whose provider holds ISO/IEC 27001 certification, meaning a third party has audited their information security management system. The certificate shows a managed security posture, but you still need to verify scope, encryption, access control, logging, and data residency for the specific service you are buying.
Is ISO 27001 certification enough to choose a tool?
No. Certification is necessary but not sufficient. It confirms a managed security system exists, not where your data lives, how granular access control is for external users, or whether the certificate even covers the product you are using. Run the eight checks above to verify the specifics behind the badge.
What ISO 27001 controls matter most for client document sharing?
The most relevant Annex A controls are cryptography (8.24), access control and restriction (5.15, 8.3), secure authentication (8.5), logging and monitoring (8.15, 8.16), information transfer (5.14), cloud services (5.23), and information deletion (8.10). The eight checks in this guide map to these controls.
Are Box, Egnyte, and ShareFile ISO 27001 certified?
Box and Egnyte publish ISO/IEC 27001 certification, and ShareFile carries recognized enterprise security certifications. As check one notes, always confirm the current certificate and its scope directly from the vendor, since scope and version can differ from what a marketing page implies.
Does ISO 27001 require EU data residency?
Not directly. ISO 27001 requires you to manage information security risk, which includes supplier and cloud-service risk (Annex A 5.23). EU residency itself is a GDPR and sovereignty consideration. Alkmist keeps client data on EU infrastructure under EU corporate control, which simplifies that risk for EMEA firms.
This checklist is general guidance, not legal or certification advice. Confirm each vendor's current ISO/IEC 27001 certificate and scope from their own documentation, and validate your obligations with your DPO or compliance lead.

A document portal that passes all eight

Alkmist is an EU-hosted, ISO 27001 certified client portal with role-based access, controlled sharing, and an immutable audit trail, built for audit and accounting firms.