Millions of online transactions each day carry personally identifiable information (PII) that, in the wrong hands, could expose consumers to a host of financial and identity problems. Knowing this, consumers across all industries are hyper-aware of the risks and pay closer attention to how their information is gathered, used, stored and, most importantly, secured. They are demanding better protection of their personal data from the companies they do business with – and rightly so. Our industry is no exception.
We built technical privacy into our platform with a two-pronged approach. First, we focused on securing the “back end,” the application delivery platform that powers our services. When that was complete, we designed the processes for handling the data itself, especially the privacy-related and payment information entrusted to us by customers and partners.
But how do you know if your data is actually in safe hands? We can describe the measures we take and show you our policies, but how do you know if those policies are followed and enforced? This is where SOC 2 and ISO 27001 come into play.
What are SOC 2 and ISO 27001?
SOC 2 (Service Organization Controls) was developed by the American Institute of CPAs (AICPA), and defines criteria for managing customer data based on five “trust service principles”—security, availability, processing integrity, confidentiality and privacy. SOC 2 reports are unique to each organization. In line with specific business practices, each designs its own controls to comply with one or more of the trust principles. After an assessment is completed, the organization is provided a report with the auditor's findings, which can be shared with clients. While a SOC 2 report isn’t a requirement for companies like ours, it’s an industry assessment we consider important, and we see our adherence to it as a testament to our commitment to delivering our services in a world-class way.
ISO 27001 is a certification that is designed to function as a framework for an organization’s information security management system (ISMS). This includes all policies and processes relevant to how data is controlled and used. ISO 27001 does not mandate specific tools, solutions, or methods, but instead functions as a compliance checklist. The framework analyzes more than 100 specific data points, called “controls,” across 14 different categories, ranging from technical measures like firewalls and encryption, to incident management and even employee background checks.
Receiving an ISO 27001 certification is typically a multi-year process that requires significant involvement from both internal and external stakeholders. It is not as simple as filling out a checklist and submitting it for approval. The process is typically broken up into three phases:
- The organization hires a certification body that then conducts a basic review of the ISMS to look for the main forms of documentation.
- The certification body performs a more in-depth audit where individual components of ISO 27001 are checked against the organization’s ISMS. Evidence must be shown that policies and procedures are being followed appropriately. The lead auditor is responsible for determining whether the certification is earned or not.
- Follow-up audits are scheduled between the certification body and the organization to ensure compliance is kept in check.
eventcore has completed a SOC 2 assessment and is in the process of an ISO 27001 gap analysis, with certification expected in the second half of 2021.
Our end goal is not merely to satisfy industry-standard assessments such as SOC 2 and ISO 27001, but to provide service above and beyond those benchmarks.