Our software is designed to request the most limited access to customer resources needed to deliver a seamless, integrated experience. We are continuously mindful of our customers' privacy and limit internal access to all customer data on a need-to-know basis.
ISOPlanner applies security best practices, retaining a minimal amount of customer data and operating with the fewest privileges necessary to provide a great experience to all users.
- ISOPlanner is ISO 27001 certified for all controls.
- External pen-testing is performed each year.
Authentication and Single Sign-on
For ISOPlanner, single sign-on is the default, since only Microsoft 365 accounts can be used to access the application. This means that access to ISOPlanner is also protected by any MFA that is enabled on the users' Microsoft 365 accounts.
The ISOPlanner application and its data are hosted in Microsoft Azure in the West Europe region (Netherlands). Document data, such as policies and evidence, is stored in the customer's own SharePoint environment.
Microsoft designs and manages the Azure infrastructure to meet a broad set of international and industry-specific compliance standards, such as
- ISO 27001,
- SOC 1, and
- SOC 2.
It also meets country- or region-specific standards, including Australia IRAP, UK G-Cloud, and Singapore MTCS. Rigorous third-party audits, such as those done by the British Standards Institute, verify adherence to the strict security controls these standards mandate.
For a full list of compliance standards that Azure adheres to, see the compliance offerings.
- All connections from the browser to ISOPlanner are encrypted in transit using TLS 1.2, with certificates signed using SHA-256 with RSA.
- All data is encrypted at rest.
Backups of the Azure SQL databases are made according to the standard Microsoft pattern.
Azure SQL Database uses SQL Server technology to create a full backup every week, differential backups every 12 to 24 hours, and transaction log backups every 5 to 10 minutes.