ISO and SOC? Alphabet Soup and What It Means for IdentityNow

Today we announced some important news, namely that we’ve completed two information security assessments for IdentityNow, SailPoint’s SaaS-based identity governance solution. We successfully completed an ISO/IEC 27001:2013 certification, and also obtained a SOC 2® Type 2 report with an unqualified opinion.

While these letters and numbers sound complicated (and the process to complete them both was certainly complex), on a basic level these measures demonstrate our commitment to investing in and adhering to security, confidentiality and availability best practices.  Of course this is great news for SailPoint and our customers, but what does this alphabet soup actually mean? We can look at it in a few different ways.

These two assessments measure different things, though they’re both relevant to our customers and indications of our overall security posture. In simple terms, two highly competent, knowledgeable third parties have reviewed our service offerings and are giving our customers assurance of our adherence to security best practices.  The assessments look at everything we do, from background checks to backups, looking for good process, good visibility and good controls. At SailPoint, we fully embraced both of these assessments, and I’m proud to say that we came away with top marks.

The ISO/IEC 27001:2013 certification process is designed to change how a company thinks about security, driving a continuous security process improvement cycle that gets baked into the fabric of the machine.  In addition to implementing a continuous improvement process, it also defines an on-going cycle of external review – you might say testing the process rather than just the controls, always a good thing when it comes to security.

The SOC 2® Type 2 report is different because it’s an audit standard, which is valuable because it shows that SailPoint has defined security controls in place and is testing against those controls on a regular basis. Similar to a financial audit, it makes sure that security is baked-in and is measurable.  Measurement is key.  You can’t manage what you can’t measure, so this one is all about proof.  Having a control defined and being able to prove that it’s working effectively.

What does this mean for our customers? In short, we’re more secure. This is the sort of due diligence that customers should expect from their prospective security vendors. More than just a purchasing issue, these assessments demonstrate a commitment to security – something we think is required for a SaaS solution. The SOC 2® Type 2 report sets our security standards, and the ISO/IEC 27001:2013 certification implements a process for continuous improvement. Together, they mean better end-to-end security and lower material risk for our IdentityNow customers.

At SailPoint, we see security as a partnership, just as we see the relationships we have with our customers as a partnership. Our goal is to be as open, transparent and inclusive with our customers, at least as much as good security practice will allow. With these assessments, we’ve completed a thorough review of our overall system boundary, considered internal and external threats, reviewed the security and privacy of our customers’ data and are adhering to highly audited industry best practices for security and privacy controls. Completion of these security and compliance audits signals SailPoint’s commitment to providing an increased level of assurance to our customers and the company’s overall commitment to the security of its products.