Open in app

Sign in

Write

Sign in

5 Top Information Security Accreditations for SaaS Providers

Pivot Point Security
5 min readSep 17, 2019

The SaaS model depends on trust. As a SaaS provider, are potential customers confident they can trust you with their data?
Despite massive and growing investments in cloud applications and services, a recent McAfee study on the state of cloud adoption and security found only 23% of organizations completely trust public clouds to keep their data secure. And 29% of businesses still distrust public clouds altogether.
It follows if you can inspire trust and confidence in your SaaS, you have a major competitive advantage. Arguably the best way to build that trust is to demonstrate you’ve earned it — through independent, third-party accreditation of your security controls.
But which of the many possible information security accreditations, certifications and frameworks should you choose? This can be a challenging question to answer, especially if you face multiple compliance demands (e.g., HIPAA, PCI and HITRUST).

Cyber Security Accreditations for SaaS Companies

Based on extensive experience in this area, here are our top 5 picks for SaaS providers serving various industries.
1) ISO 27001
The internationally recognized ISO 27001 standard is relevant to any organization across industries, but is especially relevant to SaaS providers. To achieve ISO 27001 certification, you must document and put in place a comprehensive Information Security Management System (ISMS).
The key word there is “management.” While every ISMS is unique, each is made up of policies, procedures and technology specifically designed to manage risk to information assets across every relevant aspect of the business, including IT infrastructure, the SaaS application, physical security and more.
An ISO 27001 certification entails a formal audit process with periodic re-certification. This makes it the strongest and most comprehensive single form of independent attestation for any information security program, including SaaS providers.

ISO 27001 Un-Checklist

Interested in a checklist to see how ready you are for an ISO 27001 certification audit? It’s a little more complicated than just checking off a few boxes.
To learn more, download our ISO 27001 Un-Checklist now!
2) SOC 2
SOC 2 specifically defines criteria for how SaaS providers should manage customer data. SOC 2 is “all about trust” in that it defines security in terms of five trust principles:
Security
Availability
Processing Integrity
Confidentiality
Privacy
Like ISO 27001 hinges on a third-party audit, a SOC 2 report can reference a “point in time” (Type I) or “period of time” (Type II) evaluation of anywhere from one to all five of the trust principles, depending on exactly how a SaaS provider handles other firms’ data. Security (Can you prevent a data breach?) and availability (Is your service up-and-running continuously?) are generally most relevant for nearly any SaaS provider.
3) CSA STAR
Developed by the Cloud Security Alliance and first launched in 2013, the CSA STAR attestation is touted as “the future of cloud trust and assurance.” It focuses on “key principles of transparency, rigorous auditing, and harmonization of standards.”
CSA STAR consists of three levels of assurance:
Self-assessment
A rigorous, third-party assessment
A continuous monitoring program (still under development)
While comparatively new, CSA STAR is intended to augment the controls of ISO 27001. Accordingly, it is mainly used to provide an additional level of assurance defined by the Cloud Controls Matrix (CCM).
More and more leading cloud platforms, including Microsoft Azure, are CSA STAR certified.
4) OWASP ASVS
How can prospects know if your SaaS application is secure? The OWASP Application Security Verification Standard (ASVS) gives SaaS providers an open, standardized framework for testing and hardening web application technical security controls.
Where ISO 27001, SOC 2 or CSA STAR focus on security holistically, the OWASP ASVS focuses on the security of your application at a very detailed level. Specifically geared towards establishing a verifiable level of confidence in the security of a web application, it defines a range of coverages and levels of rigor suitable for any SaaS scenario.
While the ASVS does not offer “certification” of applications per se, attesting to even Level 2 verification goes well beyond commonplace, automated testing. ASVS Level 2 requires at least some access to developers, documentation, code and the running application. Level 3 testing further entails code review, threat modeling and other processes that could only be accomplished by an in-depth audit process, generally by an independent third-party.

OWASP ASVS Testing Guide Thumbnail

Free OWASP ASVS Testing Guide
If you are just learning about OWASP’s testing standard or are considering the best way to prove the security of an application, this guide is meant for you!
Get your download here!
5) ISO 22301
Downtime and loss of service are not only extremely costly and problematic for SaaS providers and their clients, but also increase a provider’s vulnerability to security threats. ISO 22301 Business Continuity Management certification requires organizations to have a verifiably robust business continuity strategy.
ISO 22301 is based on requirements to “plan, establish, implement, operate, monitor, review, maintain and improve your infrastructure to protect against, reduce the likelihood of occurrence, prepare for, respond to, and recover from disruptive incidents when they arise.” Achieving this international certification, which requires ongoing, third-party attestation, is the gold standard for SaaS organizations looking to demonstrate high availability.

ISO 22301 Checklist Thumbnail

Organizations must comply with specific standards in order to earn ISO 22301 certification, including extensive documentation, maintenance, monitoring and review.
Download our ISO 22301 Implementation Checklist now!
This checklist is simple guide to make sure your ISO 22301 implementation hits on the key points of the attestation.

How to Choose a Security Solution?

Which accreditation, certification or framework to tackle first? For many SaaS providers, that choice should encompass key factors like your regulatory environment, what your customer base is requesting, what competitors are doing, and your ultimate objectives around both security and marketing.
Ultimately, your best choice may be to pursue multiple accreditations — particularly if you can exploit the synergy between them to demonstrate compliance with multiple frameworks (e.g., ISO 27001 and OWASP ASVS) with a minimum of additional effort.
To talk with SaaS industry experts on the best approach to pursuing security certifications for your business, contact Pivot Point Security.

Sign up to discover human stories that deepen your understanding of the world.

Free

Distraction-free reading. No ads.

Organize your knowledge with lists and highlights.

Tell your story. Find your audience.

Membership

Read member-only stories

Support writers you read most

Earn money for your writing

Listen to audio narrations

Read offline with the Medium app

Iso27001
Iso 22301
Owasp
Pivot Point Security
Pivot Point Security

Written by Pivot Point Security

22 Followers
1 Following

We are a trusted source of simple, practical, and actionable information security guidance.

Responses (1)

Write a response

What are your thoughts?

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams