The SaaS model depends on trust. As a SaaS provider, are potential customers confident they can trust you with their data?
Despite massive and growing investments in cloud applications and services, a recent McAfee study on the state of cloud adoption and security found only 23% of organizations completely trust public clouds to keep their data secure. And 29% of businesses still distrust public clouds altogether.
It follows if you can inspire trust and confidence in your SaaS, you have a major competitive advantage. Arguably the best way to build that trust is to demonstrate you’ve earned it—through independent, third-party accreditation of your security controls.
But which of the many possible information security accreditations, certifications and frameworks should you choose? This can be a challenging question to answer, especially if you face multiple compliance demands (e.g., HIPAA, PCI and HITRUST).
Cyber Security Accreditations for SaaS Companies
Based on extensive experience in this area, here are our top 5 picks for SaaS providers serving various industries.
1) ISO 27001
The internationally recognized ISO 27001 standard is relevant to any organization across industries, but is especially relevant to SaaS providers. To achieve ISO 27001 certification, you must document and put in place a comprehensive Information Security Management System (ISMS).
The key word there is “management.” While every ISMS is unique, each is made up of policies, procedures and technology specifically designed to manage risk to information assets across every relevant aspect of the business, including IT infrastructure, the SaaS application, physical security and more.
An ISO 27001 certification entails a formal audit process with periodic recertification. This makes it the strongest and most comprehensive single form of independent attestation for any information security program, including SaaS providers.
2) SOC 2
SOC 2 specifically defines criteria for how SaaS providers should manage customer data. SOC 2 is “all about trust” in that it defines security in terms of five trust principles:
- Processing Integrity
Like ISO 27001, SOC 2 is a global standard and hinges on a third-party audit, the result of which is a report. A SOC 2 report can reference a “point in time” (Type I) or “period of time” (Type II) evaluation of anywhere from one to all five of the trust principles, depending on exactly how a SaaS provider handles other firms’ data. Security (Can you prevent a data breach?) and availability (Is your service up-and-running continuously?) are generally most relevant for nearly any SaaS provider.
3) CSA STAR
Developed by the Cloud Security Alliance and first launched in 2013, the CSA STAR attestation is touted as “the future of cloud trust and assurance.” It focuses on “key principles of transparency, rigorous auditing, and harmonization of standards.”
CSA STAR consists of three levels of assurance:
- A rigorous, third-party assessment
- A continuous monitoring program (still under development)
While comparatively new, CSA STAR is intended to augment the controls of SOC 2 or ISO 27001. Accordingly, it is mainly used to provide an additional level of assurance defined by the Cloud Controls Matrix (CCM).
More and more leading cloud platforms, including Microsoft Azure, are CSA STAR certified.
4) OWASP ASVS
How can prospects know if your SaaS application is secure? The OWASP Application Security Verification Standard (ASVS) gives SaaS providers an open, standardized framework for testing and hardening web application technical security controls.
Where ISO 27001, SOC 2 or CSA STAR focus on security holistically, the OWASP ASVS focuses on the security of your application at a very detailed level. Specifically geared towards establishing a verifiable level of confidence in the security of a web application, it defines a range of coverages and levels of rigor suitable for any SaaS scenario.
While the ASVS does not offer “certification” of applications per se, attesting to even Level 2 verification goes well beyond commonplace, automated testing. ASVS Level 2 requires at least some access to developers, documentation, code and the running application. Level 3 testing further entails code review, threat modeling and other processes that could only be accomplished by an in-depth audit process, preferably by an independent third-party.
If you are just learning about OWASP’s testing standard or are considering the best way to prove the security of an application, this guide is meant for you!
5) ISO 22301
Downtime and loss of service are not only extremely costly and problematic for SaaS providers and their clients, but also increase a provider’s vulnerability to security threats. ISO 22301 Business Continuity Management certification requires organizations to have a verifiably robust business continuity strategy.
is based on requirements to “plan, establish, implement, operate, monitor, review, maintain and improve your infrastructure to protect against, reduce the likelihood of occurrence, prepare for, respond to, and recover from disruptive incidents when they arise.” Achieving this international certification, which requires ongoing, third-party attestation, is the gold standard for SaaS organizations looking to demonstrate high availability.
This checklist is simple guide to make sure your ISO 22301 implementation hits on the key points of the attestation.
How to Choose a Security Solution?
Which accreditation, certification or framework to tackle first? For many SaaS providers, that choice should encompass key factors like your regulatory environment, what your customer base is requesting, what competitors are doing, and your ultimate objectives around both security and marketing.
Ultimately, your best choice may be to pursue multiple accreditations—particularly if you can exploit the synergy between them to demonstrate compliance with multiple frameworks (e.g., ISO 27001 and OWASP ASVS) with a minimum of additional effort.
To talk with SaaS industry experts on the best approach to pursuing security certifications for your business, contact Pivot Point Security.