Many companies tell you that “the security of our customers’ data is very important to us” in their marketing communications. And you believe them, for a while.
But then you discover they were breached through an open FTP server protected by a password like "nameOfTheCompany2022", and you realise that it's not that important to them after all.
Why do we mention this, you ask? Well, a few months ago Bugfender got ISO 27001-certified. What this means, in layman’s terms, is that we really care about the security of our customers’ data. As we’re about to show you.
First, the top-line.
At a high level, this is what our certification means for you:
- Improved uptime. One of our objectives is to provide a great service. Lately, our systems have been available more than 99.95% of the time. Since we started the implementation of ISO 27001 two years ago, we have experienced only one major outage of 5 hours, with no data loss.
- Compliance. We comply with privacy regulations like GDPR, CCPA, and similar, and with more stringent domain-specific regulations like HIPAA (or GDPR's special-category rules for healthcare data in Europe).
- Lower probability and impact of incidents. We have controls in place to reduce the likelihood of accidental data deletion and of intrusions leading to data leaks, and to limit the damage if one does occur.
- Better team coordination. Better processes mean everyone knows what to do, and when. This is an immediate benefit for everyday operations and the support you get from us, but it's especially important during a crisis.
- Increased trust. Some corporations only work with vendors that hold an ISO 27001 certification or a SOC 2 report. This is an advantage if you're looking for a logging solution for such an organization, whether you work there or they're one of your clients.
Ok, now the detail. What is ISO 27001?
ISO 27001 is an international standard for managing information security in any organization. Adopting companies must establish an information security management system (ISMS): a clear, documented process for identifying and treating security risks, and a commitment to continuously improve that process.
The standard does not mandate any specific security measures, although it lists a catalogue of controls (Annex A) that you must consider and either apply or justify excluding. The specific measures applied by each company will therefore vary depending on their size, industry, context, etc.
To become certified, a company must show an independent, accredited auditor that it is performing these steps and that the selected security measures are appropriate for its risks.
Here is a heavily condensed list of the requirements we have adopted and undertaken (there are many, many more):
- The company management is committed to spending the necessary time and money to protect your data. We spend this time in risk analysis, implementing controls, creating policies, training our team, auditing, and continuously improving our security. You can see the management’s public statement here: https://bugfender.com/beenario-information-security-policy/
- The company has established the right processes. A set of processes and procedures to work securely, continuously learn from our environment, understand upcoming threats, and respond if necessary. Team members have an (anonymous, if desired) way to report examples of non-compliance.
- Our workplace is secure. We pay particular attention to the specific risks of remote working.
- Computers and mobile devices are configured securely. Their storage is also encrypted to protect the information held on them if a device is lost or stolen.
- Our employees and contractors are screened. They are screened prior to employment and receive regular training on security with specialized material depending on their role in the company.
- Our team members understand their role in the security of the company. Specifically, they understand the need to guard confidentiality. We have a robust disciplinary process in the unfortunate event that the policies are violated.
- Information is classified and protected with appropriate measures. In classifying information, we pay particularly close attention to personal and confidential data.
- We don’t work with paper documents. This avoids all problems related to printing, shredding, securely archiving, etc.
- The licenses of the software we use are checked. This is especially important for open-source software, to ensure we respect the license terms.
- We provide access to sensitive information only to the people who need it. This includes physical access to our data centers, access to our server and software administration interfaces, customer support conversations, application source code, etc.
- We use ISO 27001 certified data centers to host our service.
- Our software —Bugfender— provides the necessary tools to apply your own security controls. These include secure authentication, granular access controls, audit logging, and SLAs for uptime and support.
- Our application code is peer-reviewed. Not only that, but it is automatically tested, and is continuously scanned for known vulnerabilities and “code smells” that could lead to security mistakes. We perform software supply chain management and continuously compile a software bill of materials.
- Our network communications are encrypted in transit, and our networks are protected by firewalls.
- Our development, test, and production environments are kept separate, and data is never extracted from one of them for use in another.
- Our whole infrastructure, including servers, network equipment, and supporting applications, is updated regularly with the security patches recommended by the relevant vendors.
- We collect and review activity logs. On top of that, we continuously monitor our infrastructure for performance issues and intrusion attempts.
- We operate Bugfender from multiple data centers. They’re redundant to avoid single points of failure.
- We vet our suppliers to ensure minimum security measures are met. We also collect performance metrics and work continuously to improve their security, especially for development and hosting suppliers.
- We hire independent auditors. These auditors review our ISO 27001 implementation and perform vulnerability scans and penetration tests to audit the quality of our software.
And finally… the FAQs
How does ISO 27001 relate to SOC 2?
ISO 27001 and SOC 2 are actually very similar. SOC 2 is not a regulation but an attestation framework defined by the AICPA, the professional body of accountants in the United States; it results in an auditor's report rather than a certificate, and has some slightly different requirements, but it essentially addresses the same type of risks.
We chose to adopt and certify for ISO 27001 because we're addressing multiple markets, not exclusively the United States, and ISO 27001 is more widely recognized internationally. Organizations that ask for SOC 2 should have no issue accepting an ISO 27001 certification.
Should I consider ISO 27001 for my company?
As for many complex questions, the answer is, well… it depends. Do you think your organization could benefit from greater security? Do you think your customers and business partners would appreciate this degree of security? If the answer is yes, you should give it a look.
Please note that implementing ISO 27001 involves significant work, so we’d recommend you only do it if it makes business sense. For example, it could be fruitful if you’ve found that certain potential customers will only purchase from you if you’re certified.
Also, you don't need to go all the way to ISO 27001 certification if you don't want to. You can adopt only parts of the standard, or even the whole of it, without ever getting certified if you don't need to.
If you would like to learn more about our journey, we wrote a blog post about it on Indie Hackers:
Is Bugfender HIPAA certified?
There is no such thing as “HIPAA-certified”, despite some companies misrepresenting themselves as such.
We implemented HIPAA compliance by incorporating the requirements of HIPAA into our information security management system, performing the necessary risk analysis, and implementing the necessary controls. This whole process falls under ISO 27001 certification, and therefore is audited.
If you intend to use Bugfender for a HIPAA application, please note that you need certain arrangements that aren't available on our standard plans, so please contact us to set up your account with a customized Enterprise plan.
Bugfender spends money and resources on security, because the security of the data you trust us with is truly important to us. Not everybody does that.
If you care about the security of what you’re logging, you should consider an ISO 27001-certified company for your logging needs (like us!).