by Juha-Pekka Laine
Midaxo has always taken information security seriously, as we understand how crucial it is for our customers to keep their data safe. We have a comprehensive, high-quality information security management system (ISMS) for risk management and mitigation to ensure data confidentiality, integrity, and availability. Audited by KPMG, the Midaxo ISMS meets the international ISO/IEC 27001:2013 standard, and has done so since 2016.
Information security is not a one-time project but a continuous company-wide activity that we approach systematically.
This continuous activity is formalized in the ISMS, which is a framework of policies, procedures, and controls. Midaxo’s ISMS is an integrated part of Midaxo’s day-to-day operations and governance, covering Midaxo’s personnel, processes, and systems.
For us, it has been obvious to maintain and execute our ISMS in the Midaxo platform, as it is designed for exactly such a systematic process.
Features such as traceability, document management, and task assignments make it a perfect solution for running the process; they also help prove in an audit that the process has, in fact, been executed. In addition, our M&A software platform functions as storage for the final versions of the documents and for knowledge sharing.
The pipeline view shows an overview of current and historical projects. Activities with a high number of tasks can be modeled as separate projects, such as the access rights review in our example.
We utilize Midaxo as a tool to run our ISO 27001 certified ISMS as follows:
- We have the annual ISMS cycle as a project in the Midaxo platform. The project playbook has all planned activities for the year, including detailed actions. Their execution and outcomes are filled in during the year. Required documents for each activity are stored under each task.
- We have “year clocks” for administrative and technical milestones. These include actions such as certificate renewals, asset reviews, and penetration tests. In addition, we have KPIs, improvements for each year, monthly risk management team meetings, as well as findings from various audits as action points.
- We improve the task structure as needed. The task hierarchy allows us to have several levels of detail in each action topic, as is shown in the screenshot below.
There is a trace of everything done in the platform. We can, therefore, easily track and prove that the process is executed as planned.
As Midaxo is a collaboration platform, the people involved in tasks get visibility into the instructions and information they need; they also get notified when their actions are needed. We use the platform to securely share information outside the company as well, e.g., with the auditors.
Comparing ISO 27001 with SOC 2
We sometimes receive inquiries from our customers about why we have an ISO 27001 certificate but not a SOC 2 attestation. We feel that they are competing standards with a lot of similarities.
Both are targeted at improving information security management, and they share multiple requirements. While they overlap, they also differ. Below is our take on the differences and why we feel ISO 27001 is more suitable for us.
| Issue or Area | SOC 2 | ISO 27001 |
|---|---|---|
| Target audience | North America | International |
| Focus | Adherence to trust principles during a period of time in the past | Information Security Management System's compliance and adaptation now and going forward |
| Applicability | More applicable to datacenter operators and similar | More applicable to software providers like us |
| Best use | Measure and demonstrate how a service organization has fulfilled their security principles and criteria last year | Implement, maintain and improve an ISMS (Information Security Management System) |
| Difficulty to obtain | Medium | High |
| Proof of compliance | Independent attestation by professional accountant organization | Certificate by ISO approved certification body |
| Customer preference | Rarely | Almost all customers |
In short, we feel that the ISO 27001 certificate provides more business value to an international software provider like us. Please contact your sales representative or account manager if you have further questions.
Get your ISMS ready for certification
Improve your ISMS to the level that meets the ISO or other certification standards by using your Midaxo instance for this important use case as well! Our ready-made ISMS playbooks get you started quickly. Don’t hesitate to contact firstname.lastname@example.org for a demo and further discussion.