At SOTI, security is paramount. The security controls we have in place are designed to keep your data intact and available. We take pride in the fact that our customers know their data and information is protected while they use our products to manage their business-critical mobile and IoT devices. We keep two things in mind when it comes to security: protecting your data and keeping your business and operations moving forward.
Mobile security and compliance go together. At SOTI, we take a security-first approach, and meeting (and exceeding) compliance standards is table stakes. We have been ISO 27001 certified since 2018 and can provide a SOC 2 Type II audit report under NDA.
That’s great, but what does it mean if you are a SOTI customer? What impact does this have on your own business and, more importantly, on your customers’ operations?
Let’s break this down and dive into the benefits of security and compliance.
What is ISO 27001 Certification?
ISO 27001 is one of the most widely recognized and internationally accepted standards for an Information Security Management System (ISMS). The standard specifies requirements for establishing, implementing, maintaining and continually improving the ISMS within SOTI, including requirements for the assessment and treatment of information security risks. Certification is maintained through an annual “point-in-time” audit in which an independent auditor reviews our policies and the evidence we provide to confirm that we conform to the standard.
As a global organization, we’re proud of the work our teams have done to attain and maintain ISO 27001.
Our latest ISO 27001 audit was conducted by KPMG and validated by PECB. Our certificate can be viewed here.
What Does This Mean for Our Customers?
As a SOTI customer, you can carry on your daily business with confidence that the systems handling your data are independently audited. This certification is further evidence of our commitment to information security, and it assures our customers that SOTI has an audited program in place to keep data safe, secure and accessible.
Information security breaches can be extremely damaging to businesses, both in financial loss and in reputational harm. Holding ISO 27001 certification confirms that we have implemented measures to prevent unauthorized access to private information, internal systems and networks, and that we have access-control procedures so that information can be accessed and changed only by properly authorized users. It also confirms that these security procedures and practices have been assessed by an independent organization outside of SOTI.
What Is A SOC 2 Audit?
SOC, in this context, stands for "System and Organization Controls". A SOC 2 report describes the mechanisms we use to protect, process and store your data, focusing on the design and operating effectiveness of our policies, procedures and controls. There are two types of SOC 2 report; ours were produced by independent BDO Canada auditors. A SOC 2 Type I report follows a “point-in-time” audit and looks for evidence that controls exist only at the time of the audit. Our SOC 2 Type II report (available to you under NDA) is harder to obtain: the auditors evaluated the operating effectiveness of our security controls, policies and privacy procedures over the entire audit period, which measures how well the controls work in real-world, day-to-day practice rather than on a single day.
SOC 2 overlaps substantially with ISO 27001, but a Type II report limits a company’s ability to present only favorable evidence, because the auditors sample evidence from across the whole audit period rather than from a single date. When it comes to information security, it’s not enough to “talk the talk”. Our SOC 2 Type II report is evidence that SOTI demonstrated to the auditors, through representative sampling, that we maintained our controls and policies effectively throughout the period.
Why Does SOC 2 Compliance Matter?
It’s important that our customers feel safe using our products and services. We chose the more comprehensive and demanding SOC 2 Type II audit to obtain independent BDO Canada verification that SOTI maintains a strong security posture and that its controls were suitably designed and operated effectively throughout the audit period. For our customers, SOTI’s SOC 2 Type II report provides confidence that we are committed to keeping your information secure, so you can focus on operating your business.
Five Categories of Trust
For customers, a clean, “unqualified” SOC 2 report means that BDO Canada has independently verified that SOTI’s controls were suitably designed and operating effectively, and that SOTI can be relied on as a service organization.
SOC 2's five Trust Services Criteria guide how service organizations should handle sensitive client data:
- Security: Addresses the protection of systems and data against unauthorized physical and logical access. Security is the only required category, also called the "common criteria." Some companies stop here; SOTI has been evaluated against all five Trust Services Criteria.
- Availability: Addresses how systems and data are accessible as agreed upon in the service organization's service level agreements and objectives.
- Processing Integrity: Addresses how system processing is complete, valid, accurate, timely and authorized.
- Confidentiality: Addresses how confidential information is protected.
- Privacy: Addresses how personal information is collected, used, retained, disclosed and destroyed per commitments in the privacy notice.
It's one thing to build a product that handles data securely; it's another to verify that it keeps doing so over time. In SOC 2 terminology, this is "operating effectiveness." It means our customers can have peace of mind knowing we have taken that extra step and put stringent, independently tested measures in place to keep their organization, operations and data safe. With this SOC 2 report, we have shown that our products and services are built to protect, store and process data securely.
For more information on our ISO 27001 certification and other security-related questions, please visit the Security and Compliance section of our website. A copy of our SOC 2 Type II report is available under NDA; please contact your sales representative.