CodeTwo
ISO Compliance Center

CodeTwo’s Information Security Management System (ISMS), certified as compliant with the requirements of ISO/IEC 27001 and ISO/IEC 27018, guarantees maximum information security and personal data protection both in the cloud and on-premises.

This ISO Compliance Center is intended to provide you with information about:

What is ISO/IEC 27001 and ISO/IEC 27018

ISO standards are developed, issued, and maintained by the International Organization for Standardization. The ISO/IEC 27000 series addresses information security to ensure the confidentiality, integrity and availability of information. The table below gives a general overview of ISO/IEC 27001 and ISO/IEC 27018 and shows the certificates that prove our compliance.

IS 764207         PII 764209

Overview

ISO/IEC 27001

Information technology – Security techniques – Information security management systems – Requirements

An information security standard that provides requirements related to the implementation of the information security management system (ISMS). The ISMS defines a set of processes, procedures, policies, and other means (including people and IT systems) that allow the company to ensure an adequate level of protection of its sensitive information as well as the information of its partners and clients. The standard also requires that all risks related to information security be analyzed and treated, and that the ISMS itself be continuously improved.

ISO/IEC 27018

Information technology – Security techniques – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors

This standard specifies detailed requirements and guidelines for data processors that cover the implementation, maintenance, and validation of measures used to protect personal data processed in public cloud environments. It also sets forth a code of practice for handling personally identifiable information, and lists users’ rights in relation to their data.

Our certificates

Cert. No. IS 764207

Cert. No. PII 764209

How CodeTwo has implemented ISO/IEC 27001 and ISO/IEC 27018-compliant ISMS

The protection of our company’s data and the data entrusted to us by our clients and partners has always been a priority for us. For many years, we have been developing and improving the relevant policies, procedures and systems that make up our Information Security Management System, drawing heavily on proven best practices and industry standards, such as ISO/IEC 27001 and ISO/IEC 27018. In addition, CodeTwo also complies with GDPR, HIPAA, CCPA and other U.S. state data privacy laws, and meets the PCI data security requirements.

The achievement of ISO certification is the culmination of our long-term efforts to provide only the highest level of security to the information processed within our organization and via our software, both locally and in the cloud.

View CodeTwo's Information Security Management System Policy

How we adhere to ISO standards

1. 100% compliance with the standards

CodeTwo’s ISMS meets all requirements set by ISO/IEC 27001 and ISO/IEC 27018 – no exceptions.

2. Upholding the CIA triad principles

We make sure that the Confidentiality, Integrity and Availability of information we process is preserved at all times.

3. Comprehensive documentation

We document every policy, process and procedure functioning in CodeTwo. In addition, we also keep a record of each risk assessment, audit, security measure, information security incident, etc. All documentation is reviewed by C-level executives.

4. Change management

We implement every organizational change by following the PDCA cycle (i.e. Plan-Do-Check-Act) to ensure the confidentiality, integrity, and availability of information systems. These principles apply to software development as well. Every change to our software is carefully planned, documented, and subject to approval, and the old version of the software is secured in a way that makes it possible to restore it whenever necessary. Once the change is successfully implemented, we release the new version of the software only after all tests have been successfully completed. Finally, once the new version is released, we make efforts to improve the product even further.

5. Risk assessment and risk treatment plan

We identify and document all possible threats and vulnerabilities that would compromise the security of information in our company. We also determine the likelihood and impact of those risks (taking into consideration different scenarios) and develop a corrective action plan to minimize or eliminate information loss and the probability of occurrence of such risks. The security measures and control mechanisms implemented in our company allow us to quickly see who made a modification to a given source code, procedure, or any document whatsoever, when the change was made, and what has been changed.

6. Rigorous auditing

We undergo regular internal and external security audits, which are performed at both of our offices. During external audits, a third-party certification body verifies whether CodeTwo remains compliant with ISO/IEC 27001 and ISO/IEC 27018. Apart from that, we also perform additional internal audits in case of an information security incident, after every organizational change, etc. These audits are done by selected employees, appointed and trained as auditors, as well as by third-party auditors, according to our annual audit plan.

7. Business continuity management

We are prepared for any eventuality that may affect CodeTwo’s business-critical processes, software and services. A business continuity plan implemented in our company outlines all organizational and technical measures that are in place and that are used to respond to potential crisis situations and to continuously provide services to our clients.

8. Engagement of all employees

Every CodeTwo employee needs to know their responsibilities regarding information security, follow all applicable procedures, and adhere to guidelines set out in the company’s policies. In addition, all employees are bound by a confidentiality agreement, whereas those who process personally identifiable information or clients’ data also need to have appropriate written authorization to do so. To ensure that and to improve staff awareness, we organize in-house or outsourced training sessions for all personnel every time changes are introduced to the ISMS. All changes are communicated to all employees without undue delay and all related documentation is read at least once a year by the entire staff. Additional training sessions are organized whenever necessary. The C-level executives proactively support and contribute to all security and ISO-related activities.

9. Privacy by design / privacy by default

By following these two approaches, we make every effort to ensure that the development and supply of our solutions which process personally identifiable information is conducted with security of such information in mind. Moreover, all the security features are always active by default – no additional action is required from users to ensure the highest level of protection.

10. Regulatory compliance

Aside from fulfilling the requirements of ISO/IEC 27001 and ISO/IEC 27018, we also always make sure we comply with all relevant laws and regulations governing the privacy of data, such as the EU General Data Protection Regulation.

11. Security incident management

We deal with all actual and potential security incidents promptly and in accordance with the ISMS. Once identified, each such incident is reported to designated personnel, where it’s assessed, documented and resolved. Additionally, we draw conclusions from all reported incidents in order to improve the security and response time, and to minimize or avoid similar incidents in the future.

12. Supplier relationships

We check, monitor and review all third-party services and suppliers we use in terms of information security. We also make certain that the access of third parties to information we process is minimized and that all agreements concluded with such entities include confidentiality clauses.

13. Continual improvement

Being compliant with ISO/IEC 27001 and ISO/IEC 27018 is not about holding specific certificates. It is an ongoing process that goes beyond meeting all requirements set in both standards – we also continually seek to improve the ISMS. That is why at CodeTwo we carry out and undergo audits, review all our policies and procedures, and assess risks and incidents associated with the loss of confidentiality, integrity and availability of information – all this allows us to become even better at handling information security across the entire company.

What are the benefits of certifying our systems for compliance with ISO/IEC 27001 and ISO/IEC 27018

By complying with ISO/IEC 27001 and ISO/IEC 27018, CodeTwo follows only the best practices regarding the security of information to ensure the confidentiality, integrity and availability of your data. We also make every effort to ensure that our solutions for cloud and on-premises platforms follow the privacy by design and privacy by default principles.

CONFIDENTIALITY

Data encryption and access control are some of the methods we use to guarantee that all your personal information stays confidential at all times – no unauthorized persons will have access to it. We process your data for the purpose for which you provided it to us. The only cases when we may disclose your data are specified in our Privacy Policy.

INTEGRITY

Only you can change, correct or delete your personal information that we hold. You can even restrict our use of your data. By implementing version control and backup strategy, we make sure the integrity of your data is not compromised – it will not be altered in any way and will always remain accurate.

AVAILABILITY

Your data is always available for you – you know where it is processed, and you can request access to it at any time. We keep all our systems regularly updated and actively monitored 24/7 to ensure maximum availability and performance. In case of hardware failures, we are always ready to fail over to secondary, mirror services.
