Event Store was recently awarded ISO 27001:2013 certification and SOC 2 Type 1 attestation from the external auditing company A-LIGN. Team members at Event Store have been working towards these achievements for some time, and are now delighted to have achieved this. The previous blog posts by Andrés Méndez Barco explain Event Store’s journey to certification, but what are these accreditations, and why do we want them?
ISO 27001 sets out the international standard for an information security management system (ISMS). It defines how a company should organize its data and files and how team members are allowed to access that information securely. By achieving this certification, Event Store can prove that our ISMS is aligned with information security best practices.
An ISMS is not just software: it is policies, controls and procedures about data. A successful ISMS becomes part of the culture of the business, one that has made security a core value. It keeps confidential information secure, protects company assets and gives confidence to investors, shareholders and clients.
In order to prove that a company's ISMS meets this standard, it needs to be audited by an external company. For that task, Andrés, together with the Information Security Steering Board (ISSB), chose the auditing firm A-LIGN.
A-LIGN is an independent and accredited certification body based in the United States, with offices in Europe, and is well recognized in the sector.
System and Organization Controls (SOC) is a suite of service offerings Certified Public Accountants (CPAs) may provide in connection with system-level controls of a service organization or entity-level controls of other organizations.
In a SOC 2 examination, the service organization management engages the CPA to examine and report on system controls relevant to security, availability, processing integrity, confidentiality, or privacy as set forth in the AICPA’s Trust Services Criteria (TSC).
In this first year of our SOC 2 implementation, we chose a Type 1 report on management's description of Event Store Cloud and the suitability of the design of controls. The resulting report is intended to meet the needs of a broad range of users who need detailed information and assurance about the controls that Event Store has implemented relevant to the security of the systems of Event Store Cloud.
SOC 2 is mainly requested by American customers, while ISO 27001 is used worldwide; given our high number of American customers, we wanted to satisfy their demands as well.
A key aspect of our success in these audits has been our effort to align both security frameworks, so that we could satisfy both without additional overhead. Another key element has been choosing an auditor who could audit both at the same time, which reduced our workload significantly.
Where do we go from here?
Achieving both was an important goal for Event Store, as it would publicly demonstrate our commitment to information security. From now on, we can enable Event Store Cloud and EventStoreDB users to create more secure products. With security embedded into the ethos of the company, customers of Event Store Cloud will know their information is safe with us, trust our service offering and unlock the potential of their EventStoreDB.
Both ISO 27001 and SOC 2 are important accreditations, but they are not the only two we will ever achieve. The next steps are to become fully compliant with HIPAA and FedRAMP. There will be updates on Event Store's journey to achieving these over the next year, so subscribe to our newsletter to receive them as they happen.