ISO 27001 Certification for a SaaS Company

08 Nov, 2019

Every day, new SaaS products are launched into the market, and they are being adopted, though at a comparatively slow pace. At present, security remains the top barrier to adoption of SaaS products. Once a SaaS company has implemented the controls outlined in ISO 27001 and has been certified, it can demonstrate that it is fully committed to securing customer data. It can also show that its SaaS product operates in a secure and reliable environment.

Industry Standard for Information Security: ISO 27001 

ISO 27001 is the only widely accepted information security standard at the global level. ISO 27001 certification demonstrates that all the relevant security controls covering the various aspects of the technical infrastructure have been implemented. It also shows that a SaaS company has a mature, properly managed, and independently verified approach to information security, one that not only focuses on risk but also covers governance and compliance.

We have lately seen that many industries now treat ISO 27001 as a primary security requirement when selecting a SaaS vendor. If a SaaS company is not ISO 27001 certified, a prospective customer may not even shortlist it. Holding ISO 27001 certification attests to clients that the SaaS company takes security seriously.

Change is often driven by the industry leaders, and companies such as Salesforce.com, Oracle, and Microsoft are paving the way for newcomers to achieve ISO 27001 certification. At this point, the sooner a SaaS company gets certified, the more sustained competitive leverage it derives.

How does ISO 27001 certification ensure that customer data is protected? 

ISO 27001 requires a SaaS company to undertake the following steps for implementation – 

  • Identify the business objectives
  • Obtain support from top management
  • Define the scope of the ISMS
  • Define the risk assessment methodology
  • Define the risk acceptance level and the risk treatment plan
  • Set up policies and procedures to control risks
  • Implement training and awareness plans
  • Carefully monitor the ISMS
  • Prepare for an internal audit
  • Conduct an internal audit
  • Conduct a management review

After these steps are implemented, a SaaS company should regularly conduct internal audits and management reviews to find non-conformities so that the ISMS can improve continuously. Further, a total of 114 Annex A controls are required to be implemented, divided under the following headings –

A.5 Information security policies  

  • Management direction for information security 

A.6 Organization of information security 

  • Internal organization
  • Mobile devices and teleworking 

A.7 Human resource security 

  • Prior to employment 
  • During employment
  • Termination and change of employment 

A.8 Asset management 

  • Responsibility for assets 
  • Information classification
  • Media handling 

A.9 Access control 

  • Business requirements of access control 
  • User access management 
  • User responsibilities 
  • System and application access control 

A.10 Cryptography 

  • Cryptographic controls 

A.11 Physical and environmental security 

  • Secure areas 
  • Equipment 

A.12 Operations security 

  • Operational procedures and responsibilities 
  • Protection from malware 
  • Backup 
  • Logging and monitoring 
  • Control of operational software 
  • Technical vulnerability management 
  • Information systems audit considerations 

A.13 Communications security 

  • Network security management 
  • Information transfer 

A.14 System acquisition, development, and maintenance 

  • Security requirements of information systems
  • Security in development and support process 
  • Test data 

A.15 Supplier relationships 

  • Information security in supplier relationships 
  • Supplier service delivery management 

A.16 Information security incident management 

  • Management of information security incidents and improvements 

A.17 Information security aspects of business continuity management 

  • Information security continuity 
  • Redundancies 

A.18 Compliance 

  • Compliance with legal and contractual requirements 
  • Information security reviews