ISO/IEC 27017:2015 provides guidance and recommendations of implementing cloud-specific information security controls that supplement the ISO/IEC 27001 standards, to ensure continuous management of security in a comprehensive manner.
MongoDB's cloud services are ISO/IEC 27017:2015 certified, the result of an independent third party audit.
The scope of the ISO/IEC 27001:2013 certification is limited to the Information Security Management System (ISMS) covering the documented policies, procedures and controls managed by the MongoDB Cloud globally distributed workforce, in accordance with the Statement of Applicability, version 3.0, and aligned to the control sets in ISO/IEC 27017:2015 and ISO/IEC 27018:2019. The ISMS preserves the confidentiality, integrity and availability of the end to end Customer Sensitive Information (CSI) flows, as these relate to the MongoDB Cloud Platform, which is hosted in AWS, GCP and Azure, and comprises MongoDB Atlas, MongoDB Realm, MongoDB Atlas Data Lake and MongoDB Charts. Any products or features that are in beta, preview, or similar are not in scope.
The MongoDB ISMS is centrally managed out of the MongoDB Inc. headquarters in New York, United States of America.
The departmental scope includes Cloud Engineering, Technology Operations, Technical Services Support, Data Lake Engineering, Charts Engineering, Professional Services, Product, HR, Legal, Procurement and the CISO (Security and GRC) organizations.
MongoDB's cloud services is hosted on multiple third-party Infrastructure-as-a-Service (IaaS) environments, which are not included in the scope of this ISMS.
MongoDB Atlas is hosted on Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure, which have each achieved ISO/IEC 27017:2015 certification. More information about the ISO/IEC 27017:2015 compliance for these providers is available at their respective websites:
The ISO/IEC 27001:2013 certificate for MongoDB is available here.
Schellman and Company, LLC.
This page is for informational purposes only, and MongoDB does not intend the information or recommendations presented here to constitute legal advice. Each customer is responsible for independently evaluating its own particular use of MongoDB's services as appropriate to support its legal and compliance obligations.