SoftSol
Best practice

ISO/IEC 27001

Information Security Management System

ISO/IEC 27001 is the international standard for establishing and maintaining an Information Security Management System (ISMS). It provides a risk-based framework for protecting information through policies, technical controls, and organisational processes.

Our position: SoftSol is not ISO/IEC 27001 certified. We have not been audited by a certification body. We do, however, apply ISO 27001-aligned security controls across our operations and follow its principles in how we protect client data and systems. Many of our platform vendors and cloud infrastructure providers hold this certification.

Key control domains (Annex A)

  • Organisational controls — policies, roles, responsibilities
  • People controls — background checks, training, offboarding
  • Physical controls — premises access, equipment security
  • Technological controls — access management, cryptography, patching, monitoring
  • Asset management — inventory, classification, disposal
  • Incident management — detection, reporting, response, lessons learned
  • Supplier relationships — contractual controls, access reviews
  • Business continuity — data backup, recovery procedures

How SoftSol aligns

  • Access to client systems and data is managed through role-based access controls and reviewed regularly.
  • Security patches and updates are applied on a defined, regular schedule across managed infrastructure.
  • Security incidents are logged, investigated, and formally reviewed to prevent recurrence.
  • Subcontractors who access client data are contractually bound by confidentiality and security obligations.
  • Managed client environments include continuous monitoring, alerting, and event logging.