We are thrilled to announce that CYRISMA received its Systems and Organization Controls – SOC2 Type 1 compliance certification in September this year, through a partnership with the Vanta and Johnson Group LLP. The certification demonstrates CYRISMA’s compliance with the data security criteria set by the American Institute of CPAs (AICPA). The trust service principles covered by SOC2 include availability, confidentiality, processing integrity, privacy, and security.
As the creator of a SaaS platform designed for cyber risk management, CYRISMA has a deep understanding of information security principles and the need to protect customer data at all times. From the earliest stages of product development, we have taken all possible measures to ensure that any customer data that passes through our platform is handled securely. The SOC2 certification is proof of our commitment to customer data security.
Because we’re now SOC2-certified, our partners and clients can be confident that our processes and systems are consistent with SOC2’s confidentiality and trust service principles.
What is SOC2?
The SOC2 Type 1 audit, developed by the AICPA in the 2010s, examines an organization’s data security policies, processes and execution, and provides proof (in the form on an audit report) that it is compliant with all the trust service principles covered by SOC2. These are:
- Security: Security includes everything relating to the protection of data and the systems that use electronic data. Organizations must implement various preventive and detective controls to ensure that data is protected during its collection or creation, use, processing, transmission, and storage.
- Availability: The data used by an organization’s internal systems and the products and services provided to customers must always remain accessible for operation, monitoring, and maintenance.
- Processing integrity:The Processing Integrity check is to make sure that systems are running and performing their functions as they were intended to, without errors, delays, or manipulation of any kind. It tests system processing accuracy.
- Confidentiality:The Confidentiality principle addresses an organization’s ability to protect confidential or sensitive data from the time when it is collected or created to its final removal from the system. Confidentiality requirements may vary from one organization to another based on laws, regulations, and customer agreements. In general, organizations must limit the access, use, disposal and retention of confidential data to authorized entities only.
- Privacy:The Privacy principle addresses the protection of personal data. This is different from Confidentiality, which could apply to multiple types of sensitive data and not just personal information. Privacy criteria, as defined under SOC2, include (1) notice and communication of objectives; (2) choice and consent; (3) collection; (4) use, retention and disposal; (5) access; (6) disclosure and notification; (7) quality; and (8) monitoring and enforcement.
Why is the SOC2 audit important for SaaS providers?
The SOC2 audit is becoming increasingly important for SaaS providers today because of growing concerns about data breaches resulting from supply chain attacks and new data storage models that move business-critical data from within the physical boundaries of an organization to the cloud. While cloud-hosting has immense operational and performance benefits, it also exposes businesses to new attack vectors.
A SOC2 audit provides the confidence and assurance to businesses looking to partner with SaaS providers that their data (or their customers’ data) will be handled securely. A SOC2-compliant SaaS company can present its positive audit report to partners and prospective clients as proof of its strong data handling processes.
Why did CYRISMA get certified?
At CYRISMA, we have been committed to customer data security since the inception of the company. Being security professionals ourselves, we understand the value of data protection and the continued effort it takes to implement strong security controls. With our SOC2 audit, we wanted to demonstrate our adherence to the strictest data protection and confidentiality controls to keep customer data secure. We’ve built close and trusted relationships with our partners and clients over the years and believe that the SOC2 report will provide further proof of our commitment to customer data protection to both existing and prospective partners.
Our SOC2 Type 1 certification is just one milestone in what we hope will be a long journey. As a risk management platform, we believe we need to continually demonstrate our compliance with strong data protection controls. With the SOC2 Type 1 audit complete, we are now preparing for our SOC2 Type 2 audit, which will be a longer process. Stay tuned for more news on Type 2!