For a SaaS company, it's essential that your users can trust your application, infrastructure and procedures. Weak or ineffective systems leave you vulnerable to security compromises and loss of service, which will drive users away from your platform and have a detrimental effect on your growth, credibility and revenue.
Achieving accreditations acts as an assurance to users that they can use your application with confidence, and without inordinate risk of data loss, theft or downtime. In fact, many companies will not work with SaaS providers unless these five accreditations are attained.
1. SOC 2 – Trust
SOC 2 is designed specifically for SaaS operations. It’s based on the five trust service principles of security, availability, processing integrity, confidentiality and privacy. A SOC 2 report describes the infrastructure, software, people and procedures you have in place to deliver on some or all of these principles.
Achieving SOC 2 requires thorough testing and auditing by an independent third party. This Forbes article offers a good explanation of SOC 2 reports.
2. ISO 27001 – Information security management
The ISO 27001 standard is intended to help you keep information that is entrusted to you by third parties secure. It is designed for all companies in all industries, but it is of particular pertinence to SaaS providers.
To achieve the ISO 27001 accreditation, you must have in place a systematic and documented approach to securing data, known as an information security management system (ISMS). Every company’s ISMS is unique and implementing it can be a demanding process. Our ISO 27001 guide breaks implementation down into 15 steps.
3. ISO 27018 – Protection of personally identifiable information
ISO 27018 provides guidelines for safeguarding sensitive personal data in cloud environments. For your SaaS to be compliant with ISO 27018, you must already be ISO 27001/2 compliant, take steps to augment your existing ISO 27002 controls, and add new controls specific to personal data. This article spells out the additions to the ISO 27001/2 controls.
4. PCI DSS – Payment security
For all SaaS providers that handle card payments, PCI DSS is a legally required certification. The set of standards it covers includes technical and operational components related to cardholder data, such as firewall configuration, encryption of data in transit and monitoring of network access. This reference guide outlines PCI DSS and how to become compliant.
5. ISO 22301 – Business continuity
Disruptive incidents and loss of service can be extremely costly for SaaS companies, particularly if other businesses rely on your service to operate.
ISO 22301 requires your company to have a detailed business continuity strategy. As defined by the ISO, this set of standards specifies requirements to "plan, establish, implement, operate, monitor, review, maintain and improve your infrastructure, to protect against, reduce the likelihood of occurrence, prepare for, respond to, and recover from disruptive incidents when they arise."
Achieving many of the controls and standards required by these certifications depends on the systems of your cloud hosting provider. Every cloud hosting provider should publish its security measures and achieved accreditations on its website, so before you partner with a provider, it’s vital that you check this. We're very proud to be able to say that ServerSpace is the UK’s most accredited cloud company.
Though our guide to implementing ISO 27001 is geared towards that standard, it outlines a structured approach that will be useful when seeking any accreditation.