ISO Compliance Center
CodeTwo’s Information Security Management System (ISMS), certified as compliant with the requirements of ISO/IEC 27001 and ISO/IEC 27018, guarantees maximum information security and personal data protection both in the cloud and on-premises.
This ISO Compliance Center is intended to provide you with information about:
What are ISO/IEC 27001 and ISO/IEC 27018
ISO standards are developed, issued, and maintained by the International Organization for Standardization. The ISO/IEC 27000 series addresses information security to ensure the confidentiality, integrity and availability of information. The table below gives a general overview of ISO/IEC 27001 and ISO/IEC 27018 and shows the certificate that proves our compliance.
IS 764207 PII 764209
How CodeTwo has implemented ISO/IEC 27001 and ISO/IEC 27018-compliant ISMS
The protection of our company’s data and the data entrusted to us by our clients and partners has always been a priority for us. We have been developing and improving relevant policies, procedures and systems which make up our Information Security Management System for many years, drawing heavily on proven best practices and industry standards, such as ISO/IEC 27001 and ISO/IEC 27018. In addition, CodeTwo is also GDPR & HIPAA compliant and meets the PCI data security requirements.
The achievement of ISO certification is the culmination of our long-term efforts to provide only the highest level of security to the information processed within our organization and via our software, both locally and in the cloud.
View CodeTwo's Information Security Management System Policy
1. 100% compliance with the standards
CodeTwo’s ISMS meets all requirements set by ISO/IEC 27001 and ISO/IEC 27018 – no exceptions.
2. Upholding the CIA triad principles
We make sure that the Confidentiality, Integrity and Availability of information we process is preserved at all times.
3. Comprehensive documentation
We document every policy, process and procedure in place at CodeTwo. In addition, we also keep a record of each risk assessment, audit, security measure, information security incident, etc. All documentation is reviewed by C-level executives.
4. Change management
We implement every organizational change by following the PDCA cycle (i.e. Plan-Do-Check-Act) to ensure the confidentiality, integrity, and availability of information systems. These principles apply to software development as well. Every change to our software is carefully planned, documented, and subject to approval, and the old version of the software is secured in a way that makes it possible to restore it whenever necessary. Once the change is successfully implemented, we release the new version of the software only after all tests have been successfully completed. Finally, once the new version is released, we make efforts to improve the product even further.
5. Risk assessment and risk treatment plan
We identify and document all possible threats and vulnerabilities that would compromise the security of information in our company. We also determine the likelihood and impact of those risks (taking into consideration different scenarios) and develop a corrective action plan to minimize or eliminate information loss and the probability of occurrence of such risks. The security measures and control mechanisms implemented in our company allow us to quickly see who made a modification to a given source code, procedure, or any document whatsoever, when the change was made, and what has been changed.
6. Rigorous auditing
We undergo regular internal and external security audits, which are performed at both our offices. During external audits, a third-party certification body verifies whether CodeTwo remains compliant with ISO/IEC 27001 and ISO/IEC 27018. Apart from that, we also perform additional internal audits in case of an information security incident, after every organizational change, etc. These audits are done by selected employees, appointed and trained as auditors, as well as by third-party auditors, according to our annual audit plan.
7. Business continuity management
We are prepared for any eventuality that may affect CodeTwo’s business-critical processes, software and services. A business continuity plan implemented in our company outlines all organizational and technical measures that are in place and that are used to respond to potential crisis situations and to continuously provide services to our clients.
8. Engagement of all employees
Every CodeTwo employee needs to know their responsibilities regarding information security, follow all applicable procedures, and adhere to guidelines set out in the company’s policies. In addition, all employees are bound by a confidentiality agreement, and those who process personally identifiable information or clients’ data also need to have appropriate written authorization to do so. To ensure that and to improve staff awareness, we organize in-house or outsourced training sessions for all personnel every time changes are introduced to the ISMS. All changes are communicated to all employees without undue delay and all related documentation is read at least once a year by the entire staff. Additional training sessions are organized whenever necessary. The C-level executives proactively support and contribute to all security and ISO-related activities.
9. Privacy by design / privacy by default
By following these two approaches, we make every effort to ensure that the development and supply of our solutions which process personally identifiable information is conducted with security of such information in mind. Moreover, all the security features are always active by default – no additional action is required from users to ensure the highest level of protection.
10. Regulatory compliance
Aside from fulfilling the requirements of ISO/IEC 27001 and ISO/IEC 27018, we also always make sure we comply with all relevant laws and regulations governing the privacy of data, such as the EU General Data Protection Regulation.
11. Security incident management
We deal with all actual and potential security incidents promptly and in accordance with the ISMS. Once identified, each such incident is reported to designated personnel, who assess, document and resolve it. Additionally, we draw conclusions from all reported incidents in order to improve the security and response time, and to minimize or avoid similar incidents in the future.
12. Supplier relationships
We check, monitor and review all third-party services and suppliers we use in terms of information security. We also make certain that the access of third parties to information we process is minimized and that all agreements concluded with such entities include confidentiality clauses.
13. Continual improvement
Being compliant with ISO/IEC 27001 and ISO/IEC 27018 is not about holding specific certificates. It is an ongoing process that goes beyond meeting all requirements set in both standards – we also continually seek to improve the ISMS. That is why at CodeTwo we carry out and undergo audits, review all our policies and procedures, and assess risks and incidents associated with the loss of confidentiality, integrity and availability of information – all this allows us to become even better at handling information security across the entire company.
What are the benefits of certifying our systems for compliance with ISO/IEC 27001 and ISO/IEC 27018
By complying with ISO/IEC 27001 and ISO/IEC 27018, CodeTwo follows only the best practices regarding the security of information to ensure the confidentiality, integrity and availability of your data. We also make every effort to ensure that our solutions for cloud and on-premises platforms follow the privacy by design and privacy by default principles.
Only you can change, correct or delete your personal information that we hold. You can even restrict our use of your data. By implementing version control and a backup strategy, we make sure the integrity of your data is not compromised – it will not be altered in any way and will always remain accurate.
Your data is always available to you – you know where it is processed, and you can request access to it at any time. All our systems are regularly updated and actively monitored 24/7 to ensure maximum availability and performance. In case of hardware failures, we are always ready to fail over to secondary, mirror services.