Storyblock featured image of ISO 27001 logo with Storyblok logo icon and headshot of Sebastian Gierlinger

Ask anyone at AWS about the importance of security, and they're likely to say it's  "job zero" – and for good reason.

Unless you've been living under a rock, you probably know that cybersecurity threats and data breaches are on the rise, reaching epic proportions last year. According to SonicWall, a leading security provider, there were nearly 500 million ransomware attacks through September 2021, with a staggering 1,748 attempted attacks per organization.

That's equivalent to a single business receiving 9.7 ransomware attempts every day. Yikes.

While many software platforms have embraced security standards in an effort to validate their trust, not all content management systems (CMS) have invested in these credentials. However, as more CMS platforms move to SaaS delivery and enterprise self-service, security is becoming a more pressing issue than ever before.

While new benchmarks for security compliance continue to emerge, the International Organization for Standardization – also known as ISO – has long been an institution for normalizing critical business practices and product requirements. Along with providing a heightened degree of technical governance around key information security requirements, ISO's 27001 certification might offer a new model for CMS platforms to project a more secure posture across global markets.

To that end, Storyblok – an enterprise headless CMS that enables developers and marketers to deliver powerful content experiences on any digital platform – recently announced that it had received ISO 27001 certification from TÜV Rheinland, an independent third party. This critical certification verifies that all of Storyblok’s products, operations, support processes, and data storage protocols meet the highest international security standards when it comes to managing information security. 

To understand more about how users view their CMS security, Storyblok surveyed 530 professionals who personally use a CMS in the United States, UK, Germany, Sweden, and the Netherlands. We had a chance to chat with Sebastian Gierlinger, VP of Engineering at Storyblok, about the data they received from the survey – as well as some of his insights on the headless CMS market. You can read our Q&A below. 

Understanding the perception of security for CMS users

If you don't already know from personal experience (and we hope you don't), security problems can be very expensive for enterprises – and in some cases, even sink a business. 

In a report called The Four Tenets Of SaaS Application Security And Protection, analyst firm Forrester said: “Losing data in a SaaS application because of insufficient data protection is every CISO’s and compliance officer’s nightmare. Mitigation costs can exceed $3 million to $3.5 million per incident — and that’s a conservative estimate.”

Once again, we'll insert a yikes for dramatic purposes. 

Storyblok conducted its survey to better understand the collective psyche of CMS users as it relates to security. The results were quite revealing and reflect the elevated concern felt across software markets. Here are a few of the most telling data points gleaned from respondents:

  • 64.3% worry about the security of their CMS
  • 80% said security is extremely important or very important to them when choosing a CMS
  • More than half (55.5%) said their CMS has new security issues on a monthly, weekly, or daily basis
  • 46.4% had a CMS security issue affect their content
  • 21.7% conduct security updates 5-9 times per month

The rise of headless and the impact on CMS security

There's no question that headless has been powering the energy in the CMS market for the last few years. More businesses are making the move from traditional monolithic platforms to decoupled systems that provide greater agility with API-first architectures. This has been reflected in the rapid rise of composable solutions and MACH (Microservices, APIs, Cloud-first SaaS, Headless) architectures – and the proliferation of the MACH Alliance

There are many advantages to using a headless CMS. While they don't provide the same backend rendering capabilities as a traditional CMS, they do offer more flexibility, scalability, and ease of use. But there's also one key advantage of headless that is often overlooked: security. By maintaining a separated frontend and backend, a headless architecture is much less susceptible to security threats like distributed denial of service (DDoS) attacks.

To learn more about Storyblok’s commitment to the highest standards of security, visit its Trust Center.

Q&A with Sebastian Gierlinger, VP of Engineering at Storyblok

CMS Critic had an opportunity to connect recently with Sebastian Gierlinger. He shared some of his views on the headless CMS market, particularly around security, as well as the rise of MACH. 

As Gierlinger noted in the company's press release, “Traditional CMSs have a bad reputation for the security headaches they cause, and for a good reason. Getting the ISO 27001 certification was especially important to us because it ensures that any enterprise using Storyblok to share their content with the world is doing so on the most secure, enterprise-grade headless CMS available on the market.”

CMS Critic (CC): Where are the top security advantages with a headless CMS versus traditional?

Sebastian Gierlinger (SG): Generally speaking, Headless CMS reduces the exposure of infrastructure that’s front-facing. This reduces the surface of potential attacks. In addition, the hosting infrastructure of a Headless CMS is less complex compared to a traditional CMS.

CC: The headless CMS market is growing, but so too are the platform options. How important is the ISO certification to differentiating across an expanding field of competitive players?

SG: Security is a major concern for many enterprises, and the ISO certification of Storyblok recognized that all our products, operations, support processes, and data storage protocols meet the highest standards. Customers do expect best-in-class security, and we believe that Storyblok’s ISO certification provides more proof that we deeply care about the modern enterprise tech stack and making it as secure as possible.

CC: How is infrastructure (ie, Cloud) playing into the overall security posture for CMS users – particularly with headless?

SG: A headless CMS is built on top of a best-of-breed approach that sits on cloud infrastructure solutions. While on-premise hosting has been the default situation up until recently (a few years ago), we would argue that cloud infrastructure tends to be more secure as it comes with security resources, 24/7 support, and uptime guarantees. With those things in place, there’s hardly anything that could really go wrong. Sure, cloud infrastructure isn’t 100% safe from security attacks or other issues; however, the likelihood of an AWS outage tends to be much smaller than that of an on-premise infrastructure managed by you and your team.

CC: How specifically is the ISO certification reinforcing trust for Storyblok? Are there specific tenants of the ISO standards that were challenging to meet – but now provide heightened security that other platforms aren’t able to meet?

SG: During the ISO certification process, we did not apply for any exemptions in the statement of applicability (SoA) and met all specific requirements right away. 

We are really proud that the ISO certification covers the entire operation, maintenance, and development of Storyblok’s CMS and all related services. In order to fulfill those requirements, we had to make sure that Storyblok establishes secure processes and standards in all departments across the organization.

CC: On the same topic: how is the ISO certification supporting Storyblok’s global growth strategy? Do you foresee this as an opportunity to grow your customer base in other markets where the ISO certification is preferred or even required?

SG: We do see existing and potential customers in all regions requesting security standards that are now being met with the ISO 27001 certification. Also, leading analyst firms reassured us that ISO 27001 certification is a top priority amongst many enterprises. Other security certifications can be mapped and fulfilled with ISO 27001.

Overall, ISO 27001 is definitely an important requirement in many European countries; however, we also see US-based companies requesting this certification.

CC: As of late, there’s been increased attention around MACH. We see that you are a member of the MACH Alliance – can you talk about the importance of being an open, best-of-breed technology in this ecosystem? Is this proving to be a differentiator?

SG: The MACH principles provide an innovative solution for creating and launching the modern enterprise tech architecture and building new experiences quickly and efficiently. Additionally, as the MACH principles adhere to the best-of-breed approach, organizations can easily add and replace tools as needed, unlike in monolithic structures.

Due to working with structured or atomic content, the way in which content moves within its ecosystem has been radically transformed. 

Content creators are now decoupled from developers due to CMS platforms, giving them the freedom to power on without leaning on developers for minuscule changes or edits. Simply put, the way we work has evolved along with our technology.

Overall, we believe that the MACH principles are becoming the standard way that the modern enterprise stack should look like. And with the MACH Alliance, we've found a group that tells this story on a global scale.

About Storyblok

Storyblok is an enterprise headless CMS that enables developers and marketers to deliver powerful content experiences on any digital platform. Developers create flexible components that are independently managed by content teams through a collaborative visual editor and customizable workflow. Published content is delivered through an API, so changes are made once and will appear everywhere: websites, mobile, IoT, the metaverse, and beyond. This approach reduces maintenance and makes content management more efficient. Leading brands such as Adidas, Pizza Hut, and Marc O’Polo use Storyblok to manage and share their content with the world. Storyblok was named the #1 CMS for 2022 by G2.

For more information, visit and follow Storyblok on LinkedIn and Twitter.