Customer data security and critical business processes meet demanding global best practice standards
I’m really excited to share that this month VATCalc passed its ISO 27001:2022 audit.
It doesn’t matter how cool a SaaS company’s demos are: if it can’t demonstrate that it can be trusted with its customers’ data and critical business processes, it will never be able to scale.
Managing data to make sure it is confidential, available and has integrity is an intentional mindset that must be embedded deeply into an organisation. It is critical for a business to understand its possible risk exposure and how it can mitigate risks. This is done by operating a Risk Register and an Information Assets Register. This involves:
- Understanding and scoring risks
- Having a plan to mitigate known risks
- Understanding what the residual risk is after mitigation, and then
- Knowing whether to tolerate the risk, treat it, transfer it to a better-equipped third party, or terminate it
Business Continuity Planning
It is then vital to maintain and regularly test a Business Continuity Plan so that the business knows exactly what to do and has well-oiled processes in case of a critical failure. Managing data properly involves building and implementing processes and controls across the four dimensions of a business:
- Organisational controls: setting up processes across the whole business and its wider environment to ensure data is properly understood and managed.
- People controls: ensuring that only the right people have access to the right data and that they know exactly how to handle it.
- Physical controls: ensuring data is physically safe, for example that offices are secure and suitable and that physical storage of data is secure.
- Technological controls: ensuring that the company network is secure, that software is developed in a way that mitigates vulnerabilities, that the software delivered to customers is secure, and that customer data is secure in transit and at rest.
Ongoing best practices controls and processes
It is also important for companies to understand that securely managing data is not something you write a policy for once and are then done with. Controls and processes must be constantly reviewed to ensure they are properly adhered to, and evaluated continuously to see whether they can be improved upon. This must be encouraged across the whole organisation, but it must also be formalised into the following ongoing streams:
- Management reviews – these put a stake in the ground, ensuring that proper preparation goes into having the evidence in place that things are being done correctly, and that management has proper oversight of information security matters.
- Internal audits – these make sure that any non-conformances are identified and can be remediated.
- External audits – these ensure further focus on controls and procedures, and provide external confidence that your company operates with all the appropriate rigour when handling data.