
5 Top Information Security Accreditations for SaaS Providers


Last Updated on June 3, 2019


The SaaS model depends on trust. As a SaaS provider, are potential customers confident they can trust you with their data?
Despite massive and growing investments in cloud applications and services, a McAfee study on the state of cloud adoption and security found only 23% of organizations completely trust public clouds to keep their data secure. And 29% of businesses still distrust public clouds altogether.
It follows that if you can inspire trust and confidence in your SaaS, you have a major competitive advantage. Arguably the best way to build that trust is to demonstrate you have earned it: through independent, third-party accreditation of your security controls.
But which of the many possible information security accreditations, certifications and frameworks should you choose? This can be a challenging question to answer, especially if you face multiple compliance demands (e.g., HIPAA, PCI and HITRUST).

Cyber Security Accreditations for SaaS Companies

Based on extensive experience in this area, here are our top 5 picks (you will note we threw in a bonus pick!) for SaaS providers serving various industries.

1) ISO 27001

The internationally recognized ISO 27001 standard is relevant to any organization across industries, but is especially relevant to SaaS providers, as it is widely considered “the gold standard” of third-party validation of your security posture. To achieve ISO 27001 certification, you must put in place a comprehensive Information Security Management System (ISMS) that provides the logical construct for you to consistently manage information-related risk in accordance with your risk appetite, client contractual obligations, and relevant laws and regulations.
An ISO 27001 certification includes a formal certification audit process with annual surveillance audits to ensure that your information security posture evolves as your business does. This makes it the strongest and most comprehensive single form of independent attestation for any information security program, including those of SaaS providers.


2) SOC 2

SOC 2 is also a widely leveraged and well-respected information security/audit framework that provides your clients with a high degree of assurance as to the security of your SaaS solution. SOC 2 is an AICPA-issued framework that includes up to five trust principles (Security, Availability, Processing Integrity, Confidentiality, Privacy) that you can be audited against.
Like ISO 27001, SOC 2 hinges on a third-party audit. A SOC 2 report can cover a “point in time” (Type I) or “period of time” (Type II) evaluation of anywhere from one to all five of the trust principles.
If you are asking yourself the all too common question, “ISO 27001, SOC 2, or both?”, you may want to listen to this vCISO podcast on the topic.

3) OWASP ASVS

How can prospects know if your SaaS application is secure? The OWASP Application Security Verification Standard (ASVS) gives SaaS providers an open, standardized framework for testing and hardening web application technical security controls.
Where ISO 27001, SOC 2 or CSA STAR focus on security holistically, the OWASP ASVS focuses on the security of your application at a very detailed level. Specifically geared towards establishing a verifiable level of confidence in the security of an application (including web, API, mobile, etc.), it defines a range of coverages and levels of rigor suitable for any SaaS scenario. While the ASVS does not offer a formal “certification” of applications per se, a report that verifies your “conformance” with OWASP ASVS Level 1, 2 or 3 provides a high degree of assurance to your clients that your application is highly secure. Level 2 verification goes well beyond the commonplace, automated testing typically done in an OWASP Top 10 aligned assessment: ASVS Level 2 requires at least some access to developers, documentation, code and the running application. Level 3 requires an ultra-deep dive into 292 controls that a very high risk application needs to account for.


4) CSA STAR

Developed by the Cloud Security Alliance and first launched in 2013, the CSA STAR attestation is touted as “the future of cloud trust and assurance.” It focuses on “key principles of transparency, rigorous auditing, and harmonization of standards.”
CSA STAR consists of three levels of assurance:

  1. Self-assessment
  2. A rigorous, third-party assessment
  3. A continuous monitoring program (still under development)

While comparatively new, CSA STAR is intended to augment the controls of ISO 27001 specifically for cloud use cases, by leveraging additional prescriptive guidance from the Cloud Controls Matrix (CCM). More and more leading cloud platforms, including Microsoft Azure, are CSA STAR certified.

5) ISO 22301

Downtime and loss of service are not only extremely costly and problematic for SaaS providers and their clients, but also increase a provider’s vulnerability to security threats. ISO 22301 Business Continuity Management certification requires organizations to have a verifiably robust business continuity strategy.
ISO 22301 is based on requirements to “plan, establish, implement, operate, monitor, review, maintain and improve your infrastructure to protect against, reduce the likelihood of occurrence, prepare for, respond to, and recover from disruptive incidents when they arise.” Achieving this international certification, which requires ongoing, third-party attestation, is the gold standard for SaaS organizations looking to demonstrate high availability. Post-COVID, we expect the demand for this standard to increase.


7 thoughts on “5 Top Information Security Accreditations for SaaS Providers”

  1. Jack Thomas says:

    Amazing information you have shared in this article. This article helps me a lot and also I found some unknown information in this article. Thank you for the information.

  2. Rudy Salas says:

    Would like to learn more to start building guidelines and standards

  3. Faisal says:

    Amazing stuff

  4. Suresh says:

    How about adding the data privacy standard by the ISO – the ISO 27701 standard?
    Since 2018, GDPR penalties have resulted in businesses reconsidering their privacy commitments to the end users.
    ISO 27701 will serve as a foundation for any company looking to incorporate a Privacy Information Management System / PIMS in their operations.

    1. Andrea VanSeveren says:

      You are absolutely correct and we should have gone back and updated this content to reflect 27701. We are doing a lot of 27701 projects right now, many with CSPs including SAAS. Appreciate the feedback.

  5. At present we are not secure on any online platform. Hackers play with your information all the time. They can hack anyone’s information at any moment. So we should make all kinds of accounts more secure.

  6. M Hodnett says:

    Curious that, as much interest and pressure as we receive from our active and potential customer base, I do not see HITRUST listed here among the top five. Would/could you share more information about how you arrived at this ranking and maybe the reasons others ranked higher than HITRUST?
