ISO 27001:2022 — LiquidFiles Compliance Mapping
We regularly get asked whether LiquidFiles is ISO 27001 certified and how LiquidFiles maps to ISO 27001 controls. This page provides a detailed mapping of the ISO 27001:2022 Annex A controls that are relevant to a file transfer product like LiquidFiles, and describes how LiquidFiles addresses each one.
A downloadable spreadsheet with all the control mappings is available at the bottom of this page.
Why LiquidFiles isn't ISO 27001 Certified
ISO 27001 is an organisational certification, not a product certification. It certifies that an organisation has implemented an Information Security Management System (ISMS) covering policies, procedures, risk management, human resources, physical security and technology controls. The organisation being certified is the one that manages information and bears the associated risks.
LiquidFiles is a self-hosted product. We sell you the software; you install it on your own infrastructure, behind your firewalls, managed by your staff. We don't host your data, we don't manage your systems, and we have no access to your LiquidFiles installation or to any of the files transferred through it. Because we perform no management on your behalf and hold no customer data, an ISO 27001 certificate for LiquidFiles as a company would say very little about the security of your data, unlike the certificate of a cloud/SaaS provider that stores and processes it. It may still be a useful input to your supplier assessment, but it is not the control that protects your files.
What is relevant is whether LiquidFiles as a product provides the technical capabilities your organisation needs to meet the ISO 27001 controls in your own ISMS. That is what this page addresses.
How to Use This Page
ISO 27001:2022 Annex A contains 93 controls organised into four themes:
- Organisational Controls (A.5) — 37 controls covering policies, governance, supplier management, etc.
- People Controls (A.6) — 8 controls covering HR, training, awareness.
- Physical Controls (A.7) — 14 controls covering physical premises and equipment.
- Technological Controls (A.8) — 34 controls covering technical security measures.
The vast majority of these controls — organisational policies, HR procedures, physical building security, supplier management — are your organisation's responsibility and are unrelated to the LiquidFiles product. LiquidFiles primarily maps to the A.8 Technological Controls and a handful of the A.5 Organisational Controls that relate to access management and identity.
For each relevant control below, we describe the product capability that LiquidFiles provides. How you configure and operate these capabilities within your organisation is part of your ISMS and is your responsibility.
Technological Controls (A.8)
The A.8 Technological Controls form the core of what LiquidFiles addresses. The table below maps each control to the relevant LiquidFiles features.
| Ref | Control | LiquidFiles Capability |
|---|---|---|
| A.8.1 | User Endpoint Devices | Customer responsibility. LiquidFiles is a web-based application accessed through a browser — no client software or agents are installed on endpoints. |
| A.8.2 | Privileged Access Rights | LiquidFiles provides role-based access with distinct Sysadmin, Admin and User roles. Admin web interface access can be restricted to specific network ranges. Sysadmin console (SSH) access can also be restricted to specific networks. See Hardening — Admin Security. |
| A.8.3 | Information Access Restriction | Access to files is controlled through group-based permissions determining who can send to whom. File downloads are protected with randomised tokens (384-bit effective entropy). Messages can be configured with expiration dates and download limits. See Randomized Tokens. |
| A.8.4 | Access to Source Code | Not applicable. LiquidFiles is a closed-source product delivered as a virtual appliance. |
| A.8.5 | Secure Authentication | LiquidFiles supports multiple authentication methods: local username/password with a configurable password policy (points-based with CrackLib dictionary validation), LDAP/Active Directory integration, SAML2 SSO (Azure AD, Okta, ADFS, etc.), and two-factor authentication via TOTP, SMS or Duo Security. MFA can be enforced per group. Of the second factors, SMS is the weakest (NIST SP 800-63B treats out-of-band SMS as a restricted authenticator); prefer TOTP or Duo where your users can support it. Passwords are stored as bcrypt hashes and are never transmitted or emailed in cleartext. See Strong/Two Factor Authentication. |
| A.8.6 | Capacity Management | LiquidFiles monitors disk usage and provides admin alerts when disk space is low. The admin dashboard displays system resource usage. Automatic message expiration and file deletion policies help manage storage capacity. |
| A.8.7 | Protection Against Malware | ClamAV antivirus is built in and enabled by default. Virus signatures are updated every two hours. All uploaded files are scanned automatically. Custom file scanning can be configured using Actionscripts to integrate additional AV scanners. See Antivirus Scanning. |
| A.8.8 | Management of Technical Vulnerabilities | Automatic security updates are enabled by default and run daily. The system checks the Ubuntu CVE database for known vulnerabilities. Ubuntu Pro licenses are supported for extended security maintenance. LiquidFiles typically responds to reported vulnerabilities within 24–48 hours. See System Vulnerabilities and Responding to Vulnerability Assessments. |
| A.8.9 | Configuration Management | LiquidFiles is delivered as a hardened virtual appliance with secure defaults. The underlying OS is a minimal Ubuntu installation with only required packages. The built-in firewall only exposes necessary ports (HTTP/HTTPS). Internal services like PostgreSQL are not exposed on any TCP port. See Platform Security and Hardening LiquidFiles. |
| A.8.10 | Information Deletion | Messages and files can be configured with automatic expiration and deletion. Retention periods are configurable per group. Admin can configure system-wide message retention policies (default 365 days). Individual messages can be manually deleted by administrators. |
| A.8.11 | Data Masking | Not applicable. LiquidFiles is a file transfer system that delivers files as-is. It does not process or transform file contents. |
| A.8.12 | Data Leakage Prevention | LiquidFiles provides configurable file type restrictions (allow/deny lists), file size limits, and group-based permissions controlling who can send files and to whom. Combined with the audit logging described under A.8.15, this gives you basic DLP controls for the file transfer channel; it does not inspect file contents on its own. For organisations that require content inspection or integration with an external DLP scanner, the Attachment Upload Actionscript and Share Files Upload Actionscript run a custom script against each uploaded file, which can call the external DLP solution and accept or reject the file based on the result. These scripts receive the uploading user's email and group as environment variables, allowing per-user or per-group DLP policies. |
| A.8.13 | Information Backup | Shared responsibility. LiquidFiles provides built-in backup and restore tools. The virtual appliance model makes it straightforward to take VM-level snapshots. The backup strategy and schedule is the customer's responsibility. |
| A.8.14 | Redundancy of Information Processing Facilities | Customer responsibility. LiquidFiles can be deployed on high-availability infrastructure. The choice of redundancy strategy (VM HA, multiple sites, etc.) is determined by your infrastructure. |
| A.8.15 | Logging | All uploads, downloads, login activity (successful and failed), and admin activity are logged. The system log is available in Admin → System Log. Logs can be forwarded to an external syslog server for long-term retention and SIEM integration. See Logging and Auditing. |
| A.8.16 | Monitoring Activities | The message log (Admin → Message Log) provides a detailed audit trail of all file transfer activity with configurable retention (default 365 days). Syslog forwarding enables integration with external SIEM and monitoring platforms. Brute force protection automatically detects and blocks suspicious login attempts. See Brute Force Protection. |
| A.8.17 | Clock Synchronization | NTP is configured by default on the LiquidFiles appliance to ensure accurate timestamps across all log entries and audit trails. |
| A.8.18 | Use of Privileged Utility Programs | Addressed by the appliance model. LiquidFiles is a sealed appliance: users have no shell access and cannot run system utilities. Console access is limited to the Sysadmin role and can be further restricted to specific network ranges. |
| A.8.19 | Installation of Software on Operational Systems | Not applicable. The appliance model prevents installation of arbitrary software. LiquidFiles updates are delivered through a controlled, automated update mechanism. |
| A.8.20 | Network Security | LiquidFiles includes a built-in Netfilter firewall configured to only expose necessary ports. Internal services (PostgreSQL, etc.) are configured not to listen on any TCP port, so even with the firewall completely disabled no additional services become reachable over the network. See Built-in Firewall. |
| A.8.21 | Security of Network Services | The web server (Nginx) is configured with TLS 1.2/1.3 only, using AES-256 encryption with strong cipher suites. Default configuration achieves an A+ rating on both SSL Labs and SecurityHeaders.com. HSTS is supported. See Web Server, SSL and Transmit Encryption and External Scanners. |
| A.8.22 | Segregation of Networks | Shared responsibility. LiquidFiles supports admin network restrictions to segregate administrative access from user access. Network-level segregation of the LiquidFiles appliance within your infrastructure is your responsibility. |
| A.8.23 | Web Filtering | Not applicable. LiquidFiles is a file transfer application, not a web proxy or browsing platform. |
| A.8.24 | Use of Cryptography | Data in transit is encrypted with TLS 1.2/1.3 (AES-256). FIPS 140-3 mode is available via Ubuntu Pro for environments requiring validated cryptographic modules. Full disk encryption (LUKS/AES-256) is available for data at rest; note that it protects against theft or disposal of the underlying storage, not against an attacker with access to the running system, where files are necessarily readable. Passwords are stored using bcrypt hashing. See FIPS Mode and Full Disk Encryption. |
| A.8.25 | Secure Development Lifecycle | LiquidFiles is developed using TDD (Test Driven Development) methodology with automated unit, functional and integration testing. All code changes go through pull request review. GitHub Actions runs the full test suite and security scanners on every build. No release can be created without passing all tests. See Secure Development Practices. |
| A.8.26 | Application Security Requirements | LiquidFiles is built on Ruby on Rails which provides built-in protection against common web security vulnerabilities including SQL Injection, XSS and CSRF. The development team follows the OWASP Top 10 and SANS Top 25 security guidelines. See Web Application Framework. |
| A.8.27 | Secure System Architecture and Engineering Principles | LiquidFiles is designed as a standalone monolithic application with all components self-contained. Each installation is completely isolated; there is no shared infrastructure between customers. The system is secure by default, so that it can be exposed directly to the public Internet without additional hardening where that is required. See Design & Architecture. |
| A.8.28 | Secure Coding | Automated security scanning is performed using Brakeman (Rails vulnerability scanner), RuboCop (Ruby linter with security cops) and ESLint (JavaScript). These scans run both manually before commits and automatically in CI. The build process will not complete if any scanner reports an issue. See Code Scanning. |
| A.8.29 | Security Testing in Development and Acceptance | In addition to the automated test suite and code scanners, LiquidFiles is regularly scanned using external tools: SSL Labs, SecurityHeaders.com, OWASP ZAP and OpenVAS. Customers routinely perform their own vulnerability assessments. See External Scanners. |
| A.8.30 | Outsourced Development | Not applicable. LiquidFiles development is not outsourced. |
| A.8.31 | Separation of Development, Test and Production Environments | LiquidFiles maintains separate development, testing and production environments. The automated build and release process via GitHub Actions ensures that only code that has passed the complete test suite can be released. |
| A.8.32 | Change Management | All changes are managed through version-controlled releases. Release branches are maintained for each version. Security fixes are cherry-picked to active release branches. All releases are documented on the Release Notes page and announced through the LiquidFiles Mailing List. |
| A.8.33 | Test Information | Not applicable. LiquidFiles uses generated test data in its automated test suite, not customer data. |
| A.8.34 | Protection of Information Systems During Audit Testing | Customers are encouraged to perform security audits and vulnerability assessments of their LiquidFiles systems. See Security Audits and Compliance and Frequent Responses After Security Reviews. |
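As an added illustration of the Actionscript hook described under A.8.12 (this is example code written for this page, not LiquidFiles' own script), the following upload Actionscript rejects files that appear to contain payment card numbers unless the sender belongs to an approved group. It assumes a calling convention that is not documented on this page: the uploaded file's path arrives as the first argument, the sender's group is in an environment variable named `LF_USER_GROUP`, and a non-zero exit status rejects the upload. The variable name, the argument position and the `PAN_ALLOWED_GROUPS` policy list are all assumptions; check the Actionscripts documentation for the real interface before deploying anything like this.

```shell
#!/bin/sh
# Example upload Actionscript: block files containing payment card numbers.
# Written for this page as an illustration; not part of LiquidFiles.
#
# Assumed interface (hypothetical, verify against the Actionscripts docs):
#   $1             path of the uploaded file
#   $LF_USER_GROUP group of the uploading user
#   exit 0         accept the upload, non-zero rejects it
set -u

# Groups permitted to send card numbers (assumed policy for this example).
PAN_ALLOWED_GROUPS="Finance Payments"

# Print how many Luhn-valid 13-19 digit card numbers appear in a file.
# Candidate digit runs may be separated by spaces or dashes
# ("4111 1111 1111 1111"); separators are stripped before the check.
count_pans() {
  grep -oE '[0-9][0-9 -]{11,21}[0-9]' "$1" 2>/dev/null |
  tr -d ' -' |
  awk '
    length($0) >= 13 && length($0) <= 19 {
      sum = 0; alt = 0
      # Luhn: double every second digit from the right, fold >9, sum mod 10
      for (i = length($0); i >= 1; i--) {
        d = substr($0, i, 1) + 0
        if (alt) { d *= 2; if (d > 9) d -= 9 }
        sum += d
        alt = !alt
      }
      if (sum % 10 == 0) n++
    }
    END { print n + 0 }'
}

# Policy decision. $1 = file path, $2 = sender group.
# Returns 0 to accept the upload and 1 to reject it.
check_upload() {
  file=$1
  group=$2
  n=$(count_pans "$file")

  # Allow-listed groups may send card data; everything is still logged.
  case " $PAN_ALLOWED_GROUPS " in
    *" $group "*)
      echo "dlp: accepted $file from group '$group' ($n card number(s), group allowed)" >&2
      return 0 ;;
  esac

  if [ "$n" -gt 0 ]; then
    # Text on stdout is what the sender sees as the rejection reason.
    echo "Upload rejected: the file appears to contain $n payment card number(s)."
    echo "dlp: rejected $file from group '$group' ($n card number(s))" >&2
    return 1
  fi
  echo "dlp: accepted $file from group '$group' (no card numbers)" >&2
  return 0
}

# Entry point when LiquidFiles invokes the script with the uploaded file.
if [ "$#" -ge 1 ] && [ -f "$1" ]; then
  check_upload "$1" "${LF_USER_GROUP:-}"
  exit $?
fi
```

The same shape works for an external DLP engine: replace `count_pans` with a call to the scanner's CLI or REST API and map its verdict to the exit status. Writing the accept/reject lines to syslog (for example with `logger`) rather than stderr would put them alongside the upload records that A.8.15 forwards to your SIEM.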
Relevant Organisational Controls (A.5)
While the A.5 Organisational Controls are primarily about your organisation's policies and procedures, a few relate to technical capabilities that LiquidFiles provides:
| Ref | Control | LiquidFiles Capability |
|---|---|---|
| A.5.15 | Access Control | Role-based access (Sysadmin, Admin, User) with group-based permissions. LDAP/Active Directory integration for centralised access management. Network-based restrictions for administrative access. Configurable user auto-expiration for inactive accounts. |
| A.5.16 | Identity Management | LDAP/Active Directory integration for centralised identity management. SAML2 SSO support. Local account management with configurable lifecycle policies. Automatic group assignment based on LDAP groups. |
| A.5.17 | Authentication Information | Passwords stored using bcrypt (non-retrievable). CrackLib dictionary validation prevents weak passwords. Configurable password policy (points-based or custom regex). Configurable password expiration. No passwords sent in cleartext via email. See Password Storage. |
| A.5.23 | Information Security for Use of Cloud Services | When deployed on AWS EC2 or Microsoft Azure, LiquidFiles runs inside the customer's own cloud account or subscription as a single-tenant appliance. It is not a shared multi-tenant service, and all data remains within the customer's cloud environment. See Platform Security. |
Secure Development Controls
Several ISO 27001 controls address how software should be developed securely. While these are about LiquidFiles as a company rather than the product you install, they are frequently asked about. LiquidFiles addresses these through:
- Test Driven Development (TDD) — all features and bug fixes are developed with automated tests.
- Automated security scanning — Brakeman, RuboCop and ESLint run on every build.
- Continuous Integration — GitHub Actions runs the full test and scanning suite. Builds fail if any test or scanner reports an issue.
- Dependency management — Bundler and Dependabot monitor all third-party libraries for security vulnerabilities.
- External validation — regular scanning with SSL Labs, SecurityHeaders, OWASP ZAP and OpenVAS.
- Rapid vulnerability response — reported vulnerabilities are typically fixed within 24 hours, with a public release within 48 hours.
- Customer vulnerability assessments — customers are encouraged to perform their own security scans and share results.
For full details, see the Secure Development Practices page.
Customer Responsibility
Because LiquidFiles is a self-hosted product, the following ISO 27001 control areas are entirely your organisation's responsibility and cannot be addressed by LiquidFiles as a product vendor:
- Organisational policies (A.5.1–A.5.14, A.5.24–A.5.37) — information security policies, roles, responsibilities, asset management, information classification, supplier relationships, incident management, business continuity, legal compliance.
- People controls (A.6.1–A.6.8) — screening, employment terms, training, disciplinary process, remote working.
- Physical controls (A.7.1–A.7.14) — physical perimeters, entry controls, facility security, equipment maintenance and disposal.
- Operational management — how you configure LiquidFiles, your backup strategy, your network architecture, your monitoring procedures. We can describe what the product can do, not how you have configured it.
For more context on this distinction, see our Vendor Onboarding Forms page.
Download
A spreadsheet with the complete ISO 27001:2022 control mapping for LiquidFiles is available for download. This can be used as input for your Statement of Applicability or to provide to your auditors.
Download ISO 27001 Control Mapping (CSV)
The CSV file includes all 93 Annex A controls, marking each as either addressed by LiquidFiles, a shared responsibility, customer responsibility, or not applicable — with a description of the relevant LiquidFiles capability where applicable.