ISO 27001 Recertification: Keeping pretix Secure (And Our Biggest Takeaways)
Reading time: 5 minutes
pretix GmbH has been an ISO/IEC 27001 certified company since May 2023. One of the reasons we decided to pursue certification was to formalize the information security practices already in place at pretix and to transparently demonstrate this to our customers.
This benefits you, so that you can easily include pretix in your vendor management process, as you can rely on our ISO 27001 compliance. To verify its validity, you can access the current certificate on our website.
Assessing the scope of the pretix certificate is straightforward: it covers our entire value chain from development and operations to the rental and sale of compatible hardware. By scanning the QR code on the certificate, you will be directed to the official website of the certification body, TÜV Austria GmbH, which confirms both the validity and the term of the certificate.
All information, process descriptions, policies, risk assessments, and much more are consolidated into an Information Security Management System (abbreviated as ISMS). This complete system is evaluated and verified by the certification.
While an ISO 27001 certificate is valid for three years, achieving certification does not mean we can just sit back during this period. A complex framework like an ISMS is far from static; it is subject to a continuous cycle of review and improvement (the PDCA cycle) and must be actively practiced and documented in its daily operations. This continuous cycle includes an annual internal audit as well as a surveillance audit conducted by independent, third-party auditors who are not involved in the operation or setup of the ISMS.
2026 Recertification
Prior to a certificate expiring, a full recertification is scheduled before the three-year deadline. During a multi-day audit, third-party auditors do more than just verify compliance with the standard's requirements. They also evaluate whether the established Information Security Management System is effectively implemented in daily operations. This includes assessing risk management and verifying that controls and measures have truly proven effective over the years. Additionally, they review whether there is documented evidence of regular corrective and improvement processes to adapt the ISMS to evolving threats and circumstances.
We successfully completed this recertification audit in March 2026 and are pleased that the continuous, compliant operation of our ISMS has been confirmed. We have received the ISO 27001 certificate for another three years.
3 Key Takeaways from Our ISMS Journey
Through the long-term operation of our ISMS, we are constantly learning, expanding, and refining our processes. If you are currently operating an ISMS or planning to establish one soon, you might find some of our key lessons learned valuable:
- Establishing a Single Source of Truth: We have used a wiki right from the beginning to manage the majority of our documentation. And we couldn't be happier with this choice. It provides a single source of truth, eliminates any uncertainty about whether documents are up to date, and includes version control. Owners can collaborate on materials, and we use a granular permission system for read and write access. This provides a central place for all team members to view all the information they need.
- Less is More with KPIs: The ISO standard requires measurable information security goals. These must be suitable for their organization and can be defined internally. We initially launched with too many Key Performance Indicators for continuous measurement. If a metric barely changes over time, its actual value as an indicator should be carefully questioned. Looking back, we would rather start with just a few KPIs and expand their number over time as needed.
- Excel has its Limits:: Almost everyone who builds an ISMS starts out using Excel spreadsheets. We were no exception. However, they quickly become unwieldy when it comes to smooth, day-to-day operations. There is also a constant risk of losing track of which version is current and where it is stored. In the beginning, we managed our assets and risk management this way, among other things. But we were so unhappy with this setup that we developed a custom-tailored in-house tool: PRISMA (pretix Information Security Management Automation). Today, we use it to handle our service providers, our assets, the KPIs, and the risk management.
We are well-positioned for the ongoing operation of our ISMS, embed security into our culture, and look forward to future audits and recertifications with confidence.
If you have any further questions about our ISO 27001 certification or need access to our Statement of Applicability (SoA), please feel free to reach out to our support team.
