Our certifications in ISO 27001 and Microsoft 365 App Certification highlight our commitment to the highest standards of security and privacy. Additionally, there are overlaps with other recognized audit standards such as SOC 2, which we integrate into our processes. Below is a detailed breakdown of the contents, including the rigorous audit procedures and how these standards work together.

ISO 27001: comprehensive information security and management systems

The ISO 27001 certification is an internationally recognized standard that ensures organizations have implemented an effective Information Security Management System (ISMS). This system protects the confidentiality, integrity, and availability of information through a risk-based approach. The certification covers the following core areas:

Establishing and operating an ISMS

  1. Development and documentation of security policies:

    • Defining information security objectives and processes.
    • Creating clear guidelines for handling and protecting data.

  2. Asset management:

    • Identifying and assessing all information and systems that require protection.
    • Implementing safeguards based on criticality and risk.

  3. Continuous improvement:

    • Regular internal audits and management reviews to identify weaknesses and improvement opportunities.
    • Establishing measures to continually optimize the ISMS.

Technical and organizational security measures

  1. Risk management:

    • Systematically identifying and evaluating risks to information security.
    • Implementing appropriate measures to mitigate risks, such as technical controls or organizational processes.

  2. Access and permissions management:

    • Strict controls to ensure that only authorized personnel have access to sensitive information.
    • Regularly reviewing and updating access rights.

  3. Technical security controls:

    • Using technologies such as encryption, firewalls, and intrusion detection systems.
    • Regularly reviewing and updating these measures to address emerging threats.

Incident response and recovery

  1. Incident management:

    • Establishing processes for reporting, resolving, and analyzing security incidents.
    • Training employees to respond to potential security risks.

  2. Disaster recovery and business continuity:

    • Developing and regularly testing plans to restore operations after security incidents.
    • Ensuring critical systems and data remain available.

  3. External audits:

    • Annual reviews by accredited bodies to ensure compliance with ISO 27001.
    • Recertifications every three years with comprehensive audits.

Microsoft 365 App Certification: trusted applications

The Microsoft 365 App Certification is conducted by Microsoft employees who annually review the security, compliance, and privacy standards of certified applications. These rigorous audits cover the following areas:

Application security: protection throughout development

  1. Secure development lifecycle (SDL):

    • Ensuring security best practices are followed throughout the software development process.
    • Reviewing code for vulnerabilities like injection attacks or misconfigurations.

  2. Vulnerability management:

    • Conducting regular vulnerability scans and penetration tests.
    • Resolving identified security issues within specified timeframes.

  3. Security assessments and code reviews:

    • Assessments conducted by Microsoft employees or external security experts.
    • Ensuring no unauthorized or harmful functionalities are implemented.

Operational security: securing application operations

  1. Access control and authentication:

    • Enforcing multi-factor authentication and strict user access controls.

  2. Logging and monitoring:

    • Detailed logging of security-relevant events to identify unauthorized activities.

  3. Incident management:

    • Verifying robust plans for restoring services in case of a security incident.

Data handling and privacy: securing user data

  1. Data encryption:

    • Using modern encryption methods such as TLS 1.2+ and AES-256.

  2. Data minimization and transparency:

    • Limiting data collection to what is necessary.
    • Providing clear privacy statements and user control over personal data.

Overlaps with SOC 2 and other standards

Our certifications in ISO 27001 and Microsoft 365 App Certification align with many requirements of SOC 2 and other security standards. SOC 2 is based on Trust Service Criteria (TSC): security, availability, confidentiality, processing integrity, and privacy. Overlaps include:

  1. Security: Protecting systems against unauthorized access and ensuring integrity.

    • ISO 27001 and Microsoft 365 App Certification implement similar controls, such as access management and encryption.

  2. Availability: Ensuring systems and services remain operational.

    • ISO 27001 addresses this with business continuity and disaster recovery plans.

  3. Confidentiality and privacy: Protecting sensitive data and complying with legal requirements like GDPR.

    • Both certifications require measures for data security, minimization, and user control.

Why these certifications matter

The combination of ISO 27001, Microsoft 365 App Certification, and overlaps with SOC 2 ensures that we meet the highest security and privacy standards. With regular audits and continuous improvement, we offer you the confidence that your data is in safe hands.

Was this page helpful?