yasoon’s ISO 27001 compliance with Vanta

TL;DR: yasoon is happily ISO 27001 compliant, because we worked with Vanta. We think it is very useful for software vendors and this is our new trust page with all cumulated security information: http://trust.yasoon.com/

As an Atlassian Platinum Marketplace partner, keeping our app secure is extremely important to us. One effective way to show our commitment to security is by obtaining certifications. Certifications involve having outside experts review our security practices, policies, and operations. There are different types of certifications available, but the most common ones are ISO 27001 and SOC2. ISO 27001 is accepted worldwide, while SOC2 is popular in North America. There are also certifications like FedRAMP or HIPAA that are specific to certain industries.

The importance of certification

yasoon achieved ISO 27001 compliance as of April 2023. Following these standards helps us gain trust and approval from security teams more quickly. This is especially important when dealing with customers who value certifications, like in Germany. Based on our experience, ISO 27001 is widely recognized globally, making it a valuable certification for us to pursue.

Why did we choose Vanta for yasoon’s certification?

Vanta is a mature SaaS that helps you automate most of the work required to obtain ISO 27001. They have a great reputation and a lot of experience in the industry (aka “Vanta has the most stars on Github”). Vanta integrates smoothly with important platforms like M365, AzureAD, GitHub, and AWS. This makes monitoring efficient and simplifies the certification process.

After successfully obtaining a certification like ISO 27001 or SOC2, Vanta provides discounted rates for extending your compliance to other standards like GDPR. This enables you to tackle multiple compliance requirements at once. We were truly impressed with the value for money offered by Vanta, and it played a vital role in our certification journey. Without Vanta, we wouldn't have achieved certification.

Infrastructure improvements

AWS CloudWatch logs and alerts provide a clearer view of your infrastructure's security, helping you respond quickly to potential threats. GitHub enhances code security during development with features like code scanning in pull requests and advanced repository policies. Microsoft Intune (MDM) improves security by enrolling employee hardware and implementing security and configuration policies. It ensures better protection, automatic updates, and easier management.

Benefits of MDM

You don't have to worry about reminding employees to install security updates or manually configure things. With automatic and timely security updates, including patches for software like Outlook, vulnerabilities are minimized. Additionally, MDM (Microsoft Intune/Endpoint Manager) keeps you informed about important events like clicking on phishing links, allowing you to take proactive measures against potential threats.

Wow, MDM is super useful 😛 You shouldn’t be able to access that 😱 We should probably retire this old EC2 instance 💣

– us, realizing a certification is *actually* useful

Overall benefits of certifications

Certifications drive better quality, security, and overall security posture in your organization. They encourage important security practices like regular backups and access reviews. Obtaining certifications ensures fewer blind spots and better preparedness for security challenges.

While pursuing certifications requires time and money, the benefits for your company are significant. Certifications show your dedication to security, build customer trust, and improve operational efficiency. Assess your business needs and decide whether ISO 27001 or SOC2 certification is the right fit for your specific audience.

As we made a lot of progress with ISO 27001, SOC2 is next on our roadmap. A good certification process is addicting 🤓 

And this is how our shiny new trust page with all cumulated security information looks like: http://trust.yasoon.com/

P.S.: 📹 In his talk at Dev Day 2023, yasoon's CTO and co-founder Tobias gave insights, how we obtained our ISO 27001 certification with Vanta. Check out this on-demand session: Using Vanta for ISO27K Compliance: DevDay: The Meetup (atlassian.com)