The platform is used for evaluating and undertaking credit and political risk.
Compliance with standards and adherence to specific requirements are critical for third-party software and service providers. It is essential to understand and comply with these requirements, particularly when organizations entrust third-party vendors to manage large volumes of sensitive customer and financial data.
We always have your security in mind. Rest easy knowing we are ISO 27001 certified and your data is protected with AES 256-bit encryption.
When purchasing third-party software, it is crucial to ensure compliance with industry standards. External auditors and certifications serve as mechanisms to verify how third-party vendors operate and manage customer data. Standards such as ISO 27001 and NIS2, encompassing areas like Risk Management, Supplier/Vendor evaluation, and Product Risk Management, are commonly implemented to maintain these compliance measures.
The Zenik Solutions software is owned and developed by Zenik Solutions AG, and the SaaS / PaaS cloud offerings are likewise provided and operated by Zenik Solutions AG. This compliance management document covers the following scenarios:
How the company operates and the internal standards employed.
The standards and processes followed during software development.
Standards established to ensure data security for clients who purchase and operate the software within their environments.
Measures implemented to ensure data security when providing software as a service within a cloud environment.
ISO 27001 is an international standard for establishing, maintaining, and improving an information security management system (ISMS). It describes how we operate as a software company and how we carry out development. The certification demonstrates that we implement data security standards as strict as those our clients apply themselves.
Zenik Solutions AG has implemented a comprehensive ISO 27001 ISMS covering all subsidiaries and branches. It focuses on the data privacy and security measures adopted during daily operations and the development process.
GDPR is Europe’s data privacy and security law, and the toughest privacy and security law in the world. It applies to you if you process the personal data of EU citizens or residents, or if you offer goods or services to such people. If you process personal data, you must do so according to the seven protection and accountability principles set out in Article 5.1-2.
Zenik Solutions AG, as the company that owns the license and the software IP, must comply with GDPR because (1) it imposes obligations on organizations anywhere, so long as they target or collect data related to people in the EU; and (2) the company is registered in the EU. Our ISO 27001 ISMS implements comprehensive actions to comply with GDPR in everything related to our operations as a company, how we collect data on our website, and how we collect and store our clients’ data.
ISO 27001, the ITSM document, and its Product Risk Management section focus on the data privacy and security measures adopted during the development process.
Technical standards and quality metrics are adopted in the development phase to establish data privacy and security. For instance:
The entire team is trained on the OWASP Top 10.
A secure development infrastructure is set up.
Coding standards and reliable frameworks and libraries are used.
Test Management is established to ensure the quality of the code.
Security scans are performed on several layers to reduce the number of exploitable flaws before the product is introduced to the market for broad use.
The development team monitors, analyzes, and prioritizes security issues.
Secure by design, according to the US Cybersecurity and Infrastructure Security Agency (CISA), is an approach to software development that prioritizes security as a core business requirement rather than a technical feature or afterthought. Taking this approach, technology providers build security into the design process and every other stage of a product’s development lifecycle in order to identify and mitigate potential vulnerabilities before the product is introduced to the market. The ultimate goal is a future in which consumers can trust the safety and integrity of the technology they use every day.
Secure by design products are purposely designed, built, tested, and maintained to reduce the number of exploitable flaws before they are introduced to the market for broad use. Secure by default products are secure to use out of the box: they are designed to be resilient against prevalent threats, vulnerabilities, and exploitation techniques without end users having to take additional steps to secure them. These products ship with secure configurations enabled by default, and security features such as multi-factor authentication (MFA), logging, and single sign-on (SSO) are available at no additional cost and without extra licensing.
Although we are committed to applying the standard, we aim for a healthy balance in secure by design, because “over-engineering for security can have even greater cost implications than over-engineering for scale or performance, but under-engineering can have devastating consequences too.”
The company is ISO 27001 certified, and the ITSM document contains all measures we adopt during the development process. A secure development process by itself does not guarantee that the product will be secure. Software vendors must also implement the relevant data security standards in the code itself.
Software quality means software that is secure, reliable, and maintainable. These three aspects - security, reliability, and maintainability - contribute to the long-term value of your software and satisfy our stakeholders:
Clients expect error-free functionality that satisfies their business needs.
Clients expect the software to perform its job and to be safe and secure to use.
We want to react quickly, which requires a reliable and maintainable codebase.
We adopt the Clean Code concept, which ensures that our software works as intended and meets high standards of quality. To ensure the privacy and security of customer data, the following areas require standards and measures during the development phase:
How we build our own secure code
How we use secure 3rd party libraries
How we host and execute it in a secure environment
Specific auditing standards and requirements are designed for cloud-based service organizations, such as SaaS providers, software developers, and other technology services, to demonstrate that they have adequate data protection controls to safeguard customer data; examples are ISO 27017, ISO 27018, and SOC 2. Zenik Solutions has obtained ISO 27001 certification and is working toward being audited for ISO 27017/18.
An ISO 27001 certification and SOC 2 compliance are both rigorous standards for information security, but they are not interchangeable. System and Organization Controls (SOC) 2 is an auditing standard for managing sensitive data, developed by the American Institute of Certified Public Accountants (AICPA) Assurance Services Executive Committee (ASEC). Here are some key points to consider:
Overlap: There is about an 80% overlap between the ISO 27001 and SOC 2 criteria. Both standards cover foundational security principles such as data security, integrity, availability, and confidentiality.
Differences: ISO 27001 is an international standard for establishing, maintaining, and improving an information security management system (ISMS), while SOC 2 is a set of audit reports that validate internal controls related to information systems.
Certification vs. Attestation: ISO 27001 results in a certification, whereas SOC 2 results in an attestation report. SOC 2 compliance is typically attested by a licensed Certified Public Accountant (CPA).
While an ISO 27001 certification can provide a solid foundation for SOC 2 compliance, it does not automatically ensure SOC 2 compliance. Additional steps and audits specific to SOC 2 would still be required.