Company
16 Jul 2026
X
Min read

Corti completes ISO 27001, 27017, and 27018 with zero nonconformities

TL;DR

  • ISO 27017 and ISO 27018 are new certifications for Corti, while ISO 27001 was successfully renewed.
  • The certifications provide independent, third-party validation of Corti's security, cloud governance, and protection of personal data.
  • The expanded assurance framework helps healthcare organizations streamline procurement and clinical governance reviews.

On June 16 2026, Corti completed its latest external ISO audit cycle covering ISO 27001, ISO 27017, and ISO 27018 with zero nonconformities. ISO 27017 and ISO 27018 are the first certifications of their kind for us, and ISO 27001 was renewed. We treat this as the point of the exercise: trust in healthcare AI cannot be built on promises. It has to be proven independently, by a third party, against published standards.

Three standards, one security and privacy posture

The three standards layer into a single posture that covers how data is governed, how the cloud is operated, and how personal information is protected.

  1. ISO 27001 is the foundation. It is the governance framework for managing information security risks, covering access control, incident response, supplier relationships, asset management, and continuous improvement. It is the standard procurement teams look for first, because it sets the baseline for how an organization runs security day to day.
  2. ISO 27017 extends ISO 27001 with controls specific to cloud service providers and their customers. Corti's software runs on cloud infrastructure, so this standard governs how cloud environments are configured, operated, and monitored.
  3. ISO 27018 protects personally identifiable information in public cloud environments. In healthcare, sensitive patient data underpins clinical AI workflows, so this standard carries real weight.

Read together, the three answer a question every clinical governance review asks: is data governed properly, is the cloud operated properly, and is personal information protected properly.

What zero nonconformities means

Zero nonconformities means that across every control area assessed, the auditors found no gaps between what the standards require, what our policies say, and what the evidence shows. No exceptions. No observations requiring corrective action.

That result reflects work across Security, Legal, Privacy, Product, Engineering, IT, and Operations. A clean outcome across all of them is a maturity signal. A first audit is usually about gap-filling, and a clean outcome consistently means the controls are part of normal operations rather than something assembled for the assessment. That distinction matters most to customers who need the posture to still hold twelve months from now.

The assessment was conducted by A-LIGN, a cybersecurity compliance and certification partner that has performed more than 36,000 audits over the past 15 years. Their review was thorough and evidence-driven.

What it means for approving AI in your organization

Approving AI for clinical use runs through a set of gates. Procurement needs ISO 27001. Cloud deployments need cloud assurance. Privacy-conscious systems, and anyone with GDPR obligations, need evidence that personal information is handled correctly. Our expanded ISO framework gives documented, third-party-verified answers to each.

The practical effect is that the institutional cost of deploying Corti-based software just got lower. Fewer rounds of back-and-forth during vendor assessment, faster procurement, and a clearer evidentiary basis for clinical governance sign-offs.

This sits inside a wider assurance posture we already hold, including SOC 2 Type II, BSI C5, ISO 42001, ISAE 3000, HIPAA, and GDPR accountability. Our Information Security Management System is integrated into our Quality and Risk Management Systems compliant with ISO 13485 and ISO 14971. We build governance from the ground up for regulated clinical environments, rather than adding it in response to healthcare demand. It is why we describe our goal as building software that is the easiest to approve for clinical use.

We will keep earning that standing the same way we earned it here: through day-to-day practice and independent assurance, cycle after cycle. If you are building on Corti, the evidence your governance review needs is documented and ready.

Visit Corti Trust Center

Build faster. Ship safer. Scale smarter.

Get started with healthcare-native APIs built to power real clinical workflows.

More stories from Corti

View all