Wenite takes information security seriously — not as a checkbox, but as a structural commitment to the consultants and organisations who trust us with sensitive people data. As part of that commitment, Wenite is actively pursuing ISO 27001 certification, the internationally recognised standard for information security management.
ISO 27001 certification status: IN PROGRESS
Expected completion: Q3 2026

Current status

Wenite’s ISO 27001 certification is in progress. We are on track to complete the certification process by Q3 2026. This means we are working through the formal requirements — scoping, risk assessment, control implementation, internal audit, and third-party certification audit — in a structured, time-bound programme. We are not yet certified. If your organisation has a hard requirement for ISO 27001 certification today, we encourage you to reach out so we can have an honest conversation about fit and timeline.

What ISO 27001 means

ISO 27001 is an international standard published by the International Organization for Standardization (ISO) that defines the requirements for an Information Security Management System (ISMS). In plain language, it means:
  • Security controls are documented — there is a written, auditable record of how information is protected across every system and process
  • Risk is actively managed — threats to data are identified, assessed, and mitigated in a continuous cycle rather than addressed reactively
  • Third-party auditors verify compliance — an accredited certification body independently checks that the documented controls are actually in place and working
  • Continuous improvement is built in — certification is not a one-time event; it requires regular reviews and re-audits to maintain
For a P&O consultant, this matters because the organisations you advise — particularly larger employers and public sector bodies — increasingly require their technology partners to demonstrate this kind of structured security governance.

What we’re doing now

While the formal certification is in progress, the security practices that will underpin it are already in place and operational:
  • Access control — role-based permissions limit who can access which data, both within consultant accounts and internally at Wenite
  • Encryption — all data is encrypted in transit (TLS) and at rest; see Data Handling for details
  • Incident response — Wenite has a documented process for identifying, responding to, and communicating security incidents
  • Vendor management — all third-party sub-processors are assessed for security posture before being onboarded
  • Internal audits — regular internal reviews of security controls are conducted as part of the certification preparation
  • Staff awareness — everyone at Wenite with access to production systems is trained on information security responsibilities
These controls are not theoretical — they are the operational foundation we are building the ISO 27001 certification on top of.

GDPR compliance

Wenite is already fully GDPR compliant. EU data processing, consultant-controlled data ownership, and employee anonymity by default are live, working features of the platform today — not roadmap items. For full details on how Wenite handles GDPR, see GDPR compliance and data privacy.
If you represent an enterprise client, a public sector organisation, or a practice with specific information security requirements, we’d like to hear from you. Reach out at contact@wenite.io and we’ll walk you through our current security posture in detail and give you an honest picture of where we are in the certification journey.