The security philosophy, frameworks, and legislation that shape everything SoftSol does — from how we architect remote access and protect your data to how we run a cable.
Our compliance position
We take this approach for a simple reason: it lets us bring our service to you at lower cost, because we are not funding certification audits, badges, and paperwork for their own sake. Our default is practical alignment with recognised standards and legislation — the “good practice” path that delivers real protection and reliability without passing unnecessary overhead on to you. If your organisation needs or prefers a deeper level of formality — for example, evidence packs, tighter control mappings, or project work aimed at a specific compliance outcome — we can do that too, as additional, scoped work at an additional cost, when you ask for it.
SoftSol is not registered with any standards authority and holds no formal certifications. Our goal is not to pursue certification — it is to apply these standards genuinely, in day-to-day practice, for the direct benefit of our clients. We consider ourselves compliant in the practical sense: we follow the guidelines, principles, and requirements each standard sets out, and we continuously improve how we work.
Many of the technology vendors and infrastructure suppliers we partner with hold formal certifications in their own right; we leverage and build on their certified platforms and verified practices. Where a standard is a legislative requirement, compliance is not optional — it is a legal obligation we take seriously.
Security principles
The security philosophy that underpins how we design, configure, and manage your environment.
Security philosophy
Zero Trust
Never trust, always verify
The old security model assumed everything inside a corporate network was safe to trust. Zero Trust replaces that assumption entirely: no user, device, or application is trusted by default — every access request is verified, every time, regardless of where it comes from. Stolen credentials, phishing, and cloud environments have made the traditional perimeter obsolete. We apply Zero Trust principles when designing remote access, managing identities, and securing cloud workloads for our clients.
This is the principle of least privilege: every account, application, and service gets only the permissions it needs to do its job, nothing more, and only for as long as required. When a role changes or a project ends, the access is removed rather than left in place. This limits the blast radius if credentials are compromised: an attacker holding a single stolen password cannot use it to move laterally through your entire environment.
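As an added illustration of the two principles above (this is example code written for this page, not SoftSol's tooling; the grant and request fields, the sample accounts, permissions and dates are all assumptions), the following compares the legacy perimeter decision with a per-request Zero Trust decision, and runs a simple access review that returns the grants an expired project has left behind:

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Grant:
    """An explicit, time-bound permission held by one principal (assumed model)."""
    principal: str
    permission: str       # e.g. "db:read", "vpn:connect"
    expires_at: datetime  # every grant has an end date; nothing is open-ended


@dataclass(frozen=True)
class Request:
    """One access request plus the signals verified for it (assumed fields)."""
    principal: str
    permission: str
    at: datetime
    authenticated: bool     # credential checked for this request
    mfa_passed: bool        # second factor satisfied for this request
    device_compliant: bool  # managed, patched, encrypted device
    source_network: str     # "corporate" or "internet"; informational only


def perimeter_decision(req):
    """The legacy model: anything already inside the corporate network is trusted."""
    return req.source_network == "corporate"


def zero_trust_decision(req, grants):
    """Verify identity and device, then require an explicit, unexpired grant.
    Network location is never consulted."""
    if not (req.authenticated and req.mfa_passed and req.device_compliant):
        return False, "identity or device not verified"
    for g in grants:
        if g.principal == req.principal and g.permission == req.permission:
            if req.at < g.expires_at:
                return True, "explicit unexpired grant"
            return False, "grant expired"
    return False, "no grant for this permission"


def grants_to_revoke(grants, now, current_roles, role_permissions):
    """Access review: grants that are expired or no longer justified by a current role."""
    revoke = []
    for g in grants:
        needed = set()
        for role in current_roles.get(g.principal, ()):
            needed |= set(role_permissions.get(role, ()))
        if g.expires_at <= now or g.permission not in needed:
            revoke.append(g)
    return revoke


# Constructed sample data: fictitious accounts, roles and dates.
NOW = datetime(2025, 9, 1, tzinfo=timezone.utc)
GRANTS = [
    Grant("alice", "db:read", datetime(2026, 1, 1, tzinfo=timezone.utc)),
    Grant("alice", "db:admin", datetime(2025, 6, 30, tzinfo=timezone.utc)),  # project ended
    Grant("bob", "vpn:connect", datetime(2026, 1, 1, tzinfo=timezone.utc)),
]
ROLE_PERMISSIONS = {"analyst": {"db:read"}, "remote-worker": {"vpn:connect"}}
CURRENT_ROLES = {"alice": ["analyst"], "bob": ["remote-worker"]}


if __name__ == "__main__":
    # A verified user on a compliant device from the internet: perimeter says no,
    # Zero Trust says yes because identity, device and grant all check out.
    legit = Request("alice", "db:read", NOW, True, True, True, "internet")
    # A stolen password used from the corporate LAN without MFA or a managed
    # device: perimeter lets it through, Zero Trust does not.
    stolen = Request("alice", "db:read", NOW, True, False, False, "corporate")
    for name, req in (("legit", legit), ("stolen", stolen)):
        print(name, "perimeter:", perimeter_decision(req),
              "zero trust:", zero_trust_decision(req, GRANTS))
    for g in grants_to_revoke(GRANTS, NOW, CURRENT_ROLES, ROLE_PERMISSIONS):
        print("revoke:", g.principal, g.permission)
```

The review function flags a grant when either test fails (past its expiry, or no current role needs it), which is the check that catches access left behind after a role change or a finished project; in a real environment the same logic would read grants and role membership from the identity provider rather than from inline data.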
South African law — compliance is mandatory, not optional.
Legislation
POPIA
Protection of Personal Information Act 4 of 2013
South Africa’s primary data privacy law. Governs how personal information may be collected, stored, processed, and shared by any organisation operating in South Africa.
Electronic Communications and Transactions Act 25 of 2002
Regulates electronic commerce, electronic signatures, and digital communications in South Africa. Applies to any business operating online or issuing digital contracts and communications.
Voluntary frameworks we follow in practice — we are not certified, but we are compliant.
Best practice
ISO/IEC 27001
Information Security Management
Defines a systematic framework for managing information security risks through policies, controls, and processes. Covers access control, incident response, supplier security, and more.
International standard for quality management. Ensures services are delivered consistently, client feedback drives improvement, and processes are documented and repeatable.
Specifies requirements for an IT service management system — how services are planned, delivered, measured, and improved. Directly applicable to managed services providers.
The world’s most widely adopted framework for IT service management. ITIL 4 aligns IT service delivery with business objectives through 34 management practices.
Standards governing the installation of telecommunications cabling infrastructure in commercial premises — covering copper categories (Cat6/Cat6A) and fibre optics.
A prioritised set of 18 cybersecurity controls developed by global security experts to defend against the most common and damaging attacks. Covers asset inventory, patching, access control, and more.