For an organization certified or in the process of ISO 27001 certification, integrating Apache Superset into its ISMS requires complying with several controls. This guide maps the applicable ISO 27001 controls and the associated Superset configuration in 2026.
1. ISO 27001 and Superset
ISO 27001 doesn't certify software, but an organization and its ISMS (Information Security Management System). Superset must be configured and operated to support applicable ISO 27001 controls.
If you want an ISO 27001-compatible Superset, TVL Managed Superset is hosted at OVHcloud (ISO 27001 certified) with applicable controls.
2. Applicable controls (Annex A)
| Control | Superset application |
|---|---|
| A.5.10 Acceptable use | Document Superset usage, signed AUP |
| A.8.2 User access management | SSO, RBAC, automatic deprovision |
| A.8.3 User responsibilities | Training, strong passwords |
| A.8.4 System and application access | RLS, fine-grained permissions |
| A.8.5 Cryptography | TLS 1.2+, encryption at rest |
| A.8.16 Monitoring | Centralized logs, alerting |
| A.8.20 Network security | Network policies, WAF |
| A.8.24 Use of cryptography | SECRET_KEY rotation, secrets vault |
| A.8.25 Secure development | CI/CD, code review |
| A.8.32 Change management | Documented update procedure |
3. Hosting
The underlying hosting provider must hold ISO 27001 or an equivalent certification:
- OVHcloud: ISO 27001 + HDS + SecNumCloud;
- AWS: ISO 27001 + SOC 2 + ISO 27017/27018;
- GCP / Azure: equivalent certifications;
- On-premise: your datacenter must be certified.
4. Access policy (A.8.2)
- Mandatory SSO (cf. OIDC / SAML);
- MFA enforced on IdP side;
- Automatic deprovision (IdP sync);
- Quarterly access review;
- Principle of least privilege (cf. RBAC).
This configuration is applied by default on TVL Managed Superset, which follows community best practices.
5. Cryptography (A.8.5, A.8.24)
- TLS 1.2+ mandatory (cf. HTTPS);
- SECRET_KEY 64+ characters, 12-month rotation;
- Encryption at rest for K8s volumes and the Postgres DB;
- Secrets in vault (HashiCorp, AWS, ESO);
- HSM for sensitive keys if required.
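The access-policy (section 4) and cryptography (section 5) checklists above can be turned into audit evidence by reading the values a superset_config.py defines and flagging what falls short. The following is an added example, not code from the page or from the Superset project; the function name, the sample configs and the two sampled dates are assumptions, while the config keys (AUTH_TYPE, SECRET_KEY, SESSION_COOKIE_SECURE) and the AUTH_* constants are the ones Superset and Flask-AppBuilder actually use.

```python
"""Hypothetical evidence check for the A.8.2 / A.8.5 / A.8.24 items listed above."""
from datetime import date

# Auth-type constants as defined by flask_appbuilder.security.manager,
# copied here so the check runs without Flask-AppBuilder installed.
AUTH_OID, AUTH_DB, AUTH_LDAP, AUTH_REMOTE_USER, AUTH_OAUTH = 0, 1, 2, 3, 4
SSO_AUTH_TYPES = {AUTH_OID, AUTH_OAUTH}   # OIDC / OAuth-based SSO only
MIN_SECRET_KEY_LEN = 64                   # "SECRET_KEY 64+ characters"
MAX_SECRET_KEY_AGE_DAYS = 365             # "12-month rotation"


def check_superset_config(cfg, secret_key_set_on, today):
    """Return (control, finding) tuples; an empty list means every check passed.

    cfg: dict of superset_config.py values; dates are ISO strings (YYYY-MM-DD).
    """
    findings = []
    # A.8.2: SSO is mandatory, local DB passwords are not acceptable
    if cfg.get("AUTH_TYPE") not in SSO_AUTH_TYPES:
        findings.append(("A.8.2", "AUTH_TYPE is not an SSO type (AUTH_OAUTH/AUTH_OID)"))
    # A.8.24: SECRET_KEY length and rotation age
    key = cfg.get("SECRET_KEY") or ""
    if len(key) < MIN_SECRET_KEY_LEN:
        findings.append(("A.8.24", f"SECRET_KEY shorter than {MIN_SECRET_KEY_LEN} chars"))
    age = (date.fromisoformat(today) - date.fromisoformat(secret_key_set_on)).days
    if age > MAX_SECRET_KEY_AGE_DAYS:
        findings.append(("A.8.24", f"SECRET_KEY last rotated {age} days ago (>{MAX_SECRET_KEY_AGE_DAYS})"))
    # A.8.5: the session cookie must only travel over TLS
    if not cfg.get("SESSION_COOKIE_SECURE", False):
        findings.append(("A.8.5", "SESSION_COOKIE_SECURE is not True"))
    return findings


# Constructed sample configs, not taken from any real deployment
COMPLIANT = {"AUTH_TYPE": AUTH_OAUTH, "SECRET_KEY": "k" * 64, "SESSION_COOKIE_SECURE": True}
WEAK = {"AUTH_TYPE": AUTH_DB, "SECRET_KEY": "short", "SESSION_COOKIE_SECURE": False}

if __name__ == "__main__":
    for name, cfg in (("compliant", COMPLIANT), ("weak", WEAK)):
        for control, msg in check_superset_config(cfg, "2025-09-01", "2026-03-01"):
            print(f"{name}: [{control}] {msg}")
```

In a real deployment the rotation date would come from the secrets vault's metadata rather than a hard-coded string.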
6. Monitoring and logging (A.8.16)
- Centralized logs (cf. centralized logs);
- Superset audit trail enabled (cf. audit trail);
- Prometheus alerting (cf. monitoring);
- Log retention 12 months minimum.
7. Change management (A.8.32)
- Documented update procedure (cf. updates);
- Tests in staging before production;
- Rollback plan;
- User communication;
- Change Advisory Board approval for critical changes.
8. Continuity (A.5.30)
- DR plan (cf. DR);
- Quarterly tested backups;
- RTO and RPO defined;
- Annual game day.
9. Required documentation
- Superset access policy;
- Inventory of sensitive datasets;
- Provisioning/deprovisioning procedure;
- Continuity plan;
- Incident register;
- Test evidence (restore, pen-test).
10. Conclusion
Integrating Apache Superset into an ISO 27001 ISMS is entirely possible with rigorous configuration. Most technical controls are supported natively by Superset (SSO, RLS, audit). Organizational controls (reviews, training, procedures) are to be implemented on the company side.
Want the benefits of Apache Superset without the friction of installation and maintenance? Deploy your instance in 3 clicks with TVL Managed Superset, hosted at OVHcloud (ISO 27001) in France.