Transparency & editorial policy
ISMS Directory is a curated resource for the compliance community. This page explains how we review vendors, what criteria we apply, and how we handle conflicts of interest. We believe transparency is the foundation of trust.
Conflict of interest disclosure
Full disclosure of our relationship to listed products
ISMS Directory is operated by Better ISMS, which also builds ISMS Copilot, a compliance platform listed in this directory. We disclose this relationship openly.
To mitigate this conflict of interest:
- No preferential ranking. ISMS Copilot is treated identically to every other listed service. There is no "featured" placement, no algorithmic boost, and no priority positioning in search results.
- Randomized discovery. Our search and discovery features use randomization (Fisher-Yates shuffle) to prevent any vendor — including our own — from appearing first consistently.
- AI search guidance. Our AI search is instructed to lead with lesser-known vendors that match the user's specific needs, rather than defaulting to well-known names.
- No "featured" infrastructure. We deliberately removed the ability to mark any vendor as "featured" from our codebase, so preferential treatment is not merely unused; reintroducing it would require a code change.
Review criteria
What we look for when evaluating submissions
Every submission — free or paid — goes through the same manual review. The €199 "Fast Submission" only accelerates the timeline (14 days vs. up to 6 months). It does not change the criteria or the outcome.
A service gets listed if it:
- Operates primarily in GRC, compliance, or information security (not general cybersecurity or vulnerability scanning)
- Has a functioning website with clear information about their services, team, or company
- Demonstrates genuine expertise (certifications, case studies, verifiable client work, or recognized frameworks supported)
- Has no documented concerns about deceptive practices, fake credentials, or community trust issues
A service gets rejected if it:
- Falls outside the GRC/compliance niche (e.g., penetration testing firms, general IT services, antivirus vendors)
- Has no verifiable web presence or makes misleading claims about its capabilities
- Has been flagged by independent sources for deceptive practices (see our Vendor Warnings page)
- Appears to be a shell company or an undisclosed white-label reseller, or has fabricated reviews or testimonials
Paid submissions that don't meet our criteria are rejected with a full refund. We'd rather have a smaller, trustworthy directory than a large, unreliable one.
No affiliate links or tracking
We don't monetize clicks to vendor websites
- Outbound links from vendor listings to vendor websites are clean — no referral codes, UTM parameters, or affiliate tracking
- We don't earn commissions on vendor signups, purchases, or demos
- No analytics or tracking cookies — see our Privacy Policy for details
- Cross-property links to our sister products (ISMS Copilot, ISMS Mappings, Use AI Securely) may carry first-party UTM parameters so we can measure cross-product traffic. These are not affiliate links — we operate the destinations directly.
Our only revenue source is the optional €199 fast-track submission fee. This keeps our incentives aligned with listing quality, not click volume.
Editorial independence
We exclude vendors when evidence warrants it
We maintain a public Vendor Warnings page where we document vendors we've excluded and why, with links to independent sources. All claims are attributed and verifiable.
We are not afraid to exclude vendors — even well-funded or well-known ones — when independent evidence raises significant concerns about their practices. Our duty is to the compliance professionals who rely on this directory, not to the vendors listed in it.
Questions about our policies?
If you have questions about our editorial process, want to report a concern about a listed vendor, or believe any information on this site is inaccurate, please contact us. We take every report seriously and respond promptly.
