ISO/IEC 27001 is widely referenced in this context, yet frequently misunderstood. Below, we answer the most common questions we receive from customers and partners, focusing on what ISO 27001 actually changes for them, not just what it looks like on a certificate.
Yes. ISO/IEC 27001 certification applies to an organization, not to a standalone product. Dokapi has certified its Information Security Management System (ISMS) under ISO/IEC 27001, and the entire Dokapi platform is fully included within the scope of this system.
For customers, this means Dokapi is operated within a structured, audited and continuously improved security framework that governs how information is processed, stored, accessed and monitored across the entire organization.
Electronic invoicing and Peppol exchanges involve sensitive business and financial data that often sit at the core of accounting, tax reporting and cash flow processes.
ISO 27001 ensures that these data flows are handled in a controlled environment, with defined responsibilities, access controls, monitoring mechanisms and incident response procedures. This significantly reduces operational risk, especially in high-volume or automated invoicing scenarios.
For customers, ISO/IEC 27001 means reduced security and operational risk through a structured, risk-based approach to information security. It provides clear governance, defined roles and management oversight, and simplifies vendor risk assessments thanks to a recognized and auditable international standard.
In practical terms, it allows customers to integrate Dokapi into critical business workflows with confidence, knowing that security is managed consistently and transparently.
No.
ISO/IEC 27001 and GDPR address different but complementary aspects. GDPR focuses on personal data protection and individual rights, while ISO 27001 provides a broader framework for managing information security risks across all types of information.
A well-implemented ISMS strongly supports GDPR compliance by enforcing security controls, governance mechanisms and auditability across the organization, but it does not replace legal obligations under GDPR.
No.
Cybersecurity is only one part of ISO 27001. The standard covers the confidentiality, integrity and availability of information across people, processes and technology.
This includes physical security, access management, supplier relationships, internal procedures, change management, business continuity and incident handling. In other words, ISO 27001 is a management system, not just a technical checklist.
Peppol is a multi-party ecosystem involving access points, service providers, software vendors and public authorities. Trust between these actors is essential.
ISO 27001 establishes a common security baseline and a shared language around risk management and governance. It provides objective proof that security is embedded into daily operations, decision-making and continuous improvement, rather than handled reactively.
No.
ISO 27001 certification involves regular surveillance audits to ensure ongoing compliance and continuous improvement of the ISMS.
This guarantees that security practices evolve with new threats, regulatory changes and business growth, instead of remaining static after the initial certification.