A hotel depends on its PMS, booking engines, door locks, payments, Wi-Fi, channel managers, telephony and external suppliers. ISO/IEC 27001 governs these risks through a management system built on scope, risk, controls, incidents, continuity and improvement. Certifying is not just about securing the server: it must cover the dependencies that keep operations running and protect guest data.
Defining the scope
The scope can cover one or several hotels and central services. It must include critical interfaces:
- PMS.
- Website and booking engine.
- Channel manager.
- POS and payments.
- Wi-Fi.
- Door locks and CCTV.
- Email and Microsoft 365.
- Backups.
- Support suppliers.
- Corporate systems.
No dependency is excluded just because it is SaaS.
Assets and processes
| Process | Assets |
|---|---|
| Booking | Data, website, engine and email. |
| Check-in | PMS, documents and terminals. |
| Stay | Keys, Wi-Fi, charges and preferences. |
| Payment | POS, gateway and reconciliation. |
| Operations | Housekeeping, maintenance and suppliers. |
| Checkout | Invoice, loyalty and retention. |
The inventory links owner, location, classification, dependency and recovery.
Specific risks
- Phishing using real bookings.
- PMS ransomware.
- Compromised platform accounts.
- Malware on the POS.
- Poorly segmented Wi-Fi.
- Vulnerable locks or IoT.
- Backups connected to the domain.
- Suppliers with standing access.
- Impersonation in bank detail changes.
- Leaked guest documents.
The analysis accounts for peak season and 24/7 operation.
Identity and access
- Named accounts.
- MFA for admin and remote access.
- Role-based permissions.
- Immediate deprovisioning.
- Periodic reviews.
- Temporary supplier access.
- Terminal lockout.
- Segregation of payments.
Front desk staff don't need system privileges, and support should not use generic accounts.
PMS and bookings
Permissions, exports, API, integrations and logs are reviewed. Reports downloaded to the desktop are a recurring risk.
Guest information is limited, and document data is handled according to legal obligation and minimization. Channel manager integrations must use restricted, rotatable credentials.
Payments
ISO 27001 does not replace PCI DSS. The scope must minimize card data and use suitable providers. Full card data is not stored in PMS notes or email.
Refunds and account changes require dual control.
Networks and Wi-Fi
Separate:
- Guests.
- Administration.
- POS.
- IoT/locks.
- Cameras.
- Suppliers.
The guest portal does not grant access to the internal network. Devices are monitored and firmware is kept up to date.
Suppliers
For PMS, cloud, bookings, connected laundry, maintenance or security:
- Criticality.
- Contract and SLA.
- Access.
- Incidents.
- Subcontractors.
- Continuity.
- Security.
- Exit.
A supplier's certificate must be checked for scope and validity.
Backups and ransomware
The strategy includes separate backups, immutable where appropriate, encrypted and restore-tested. RTO/RPO is defined for PMS, bookings, invoicing and locks.
The degraded mode must allow operations to continue without improvising spreadsheets holding excessive data.
Continuity
Scenarios:
- PMS down.
- Internet unavailable.
- Payment gateway down.
- Locks not working.
- Ransomware.
- Critical supplier down.
- Evacuation or physical unavailability.
Each plan states owners, minimum data, communication, recovery and subsequent reconciliation.
Incident management
A 24/7 channel, classification, containment, evidence and communication are established. An incident can trigger GDPR obligations, contractual duties, insurance or authorities.
It is rehearsed with front desk, management, IT and suppliers.
Personal data
ISO 27001 supports security, but on its own it does not demonstrate GDPR compliance. Lawful bases, information, retention and rights must all be in place. ISO/IEC 27701 can be integrated where appropriate.
Statement of Applicability
The SoA selects the Annex A controls and justifies their inclusion or exclusion based on risk. It must match actual operations.
Examples of evidence:
- Policy.
- Access matrix.
- Segmentation.
- Logs.
- Patches.
- Backups.
- Tests.
- Contracts.
- Training.
- Incidents.
Training
Front desk, reservations, administration and maintenance face different threats. Training covers phishing, fraudulent calls, documents, payments, keys and escalation.
Competence is measured through simulations, not just attendance.
120-day plan
Days 1-30
Scope, assets, processes and gap analysis.
Days 31-60
Risks, SoA, access and suppliers.
Days 61-90
Controls, continuity, incidents and training.
Days 91-120
Internal audit, corrections and management review.
Common mistakes
- Limiting scope to IT.
- Ignoring SaaS.
- Mixing Wi-Fi and administration.
- Sharing front desk accounts.
- Leaving supplier access open.
- Never restoring backups.
- Storing cards in notes.
- Lacking a degraded mode.
- Confusing ISO with GDPR.
- Certifying before controls run.
Checklist
- Scope and dependencies.
- Assets and risks.
- Identity and MFA.
- Network segmentation.
- PMS and integrations.
- Payments and data.
- Suppliers.
- Backups and restoration.
- Continuity and incidents.
- SoA, audit and management.
Frequently asked questions
Is ISO 27001 only for large chains?
No. The system scales to size and risk. The scope must remain manageable.
Does it cover card data?
It helps govern security, but PCI DSS and payment rules still apply.
Does certifying the supplier certify the hotel?
No. The hotel's own responsibilities and configurations remain within its own scope.
Summum Calidad can support the scope, risk analysis, SoA, implementation and internal audit, so certification reflects the hotel's real operation and continuously protects guest data.