Why ISO 27001:2013 and 27701:2019 Certifications Matter for CLM Providers

January 12, 2023
Contract management software providers are entrusted with critical business data. Learn why ISO certifications for security and privacy are important.

Evisort is ISO 27001:2013 and ISO 27701:2019 certified

There’s strength in numbers. There’s also security – especially when the numbers refer to an ISO certification.

Evisort was recently certified as compliant with both ISO 27001:2013 and ISO 27701:2019. We’re the only AI-native CLM company to be certified for both of those ISO categories to date, so what does that mean for our customers?

The International Organization for Standardization, or ISO for short, is a non-governmental organization that sets standards for technology, scientific testing processes, working conditions, societal issues, and more. It’s made up of 160 members, one from each member country.

In data governance – the process of gathering, storing, processing, and disposing of data – receiving ISO certification means that your processes not only conform to globally accepted international standards, they have also been confirmed by an independent, accredited third party.

"As an industry leader in data protection, Evisort supports our customers in addressing security and privacy challenges in addition to empowering strategic business decisions," said Jonathan Price, Director of Security at Evisort. "These certifications provide additional peace of mind for users, which is critical in a time of constantly changing threats and regulatory requirements."

Let’s take a closer look at what these ISO certifications mean.

ISO 27001 for information security

ISO 27001 is a specification for an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical, and technical controls involved in an organization’s information risk management processes. When an organization receives ISO 27001 certification, it means they have confirmation from an ISO-accredited auditor that they:

  • Secure information in all forms, including paper-based, cloud-based, and digital data
  • Demonstrate increased resilience to cyber-attacks
  • Provide a centrally managed framework that secures all information in one place
  • Ensure organization-wide protection, including against technology-based risks and other threats
  • Respond appropriately to evolving security threats
  • Protect the integrity, confidentiality, and availability of data

The combined standards contain over 150 security and privacy controls, which Evisort has documented and implemented and to which it has demonstrated continuous adherence. The certification process examines these controls across three separate audits. “Our security program was very mature, and it already covered the vast majority of the ISO standard controls,” said Price. “This process for us was much more about documenting the controls to the ISO standard and completing the audits. This simplified things for us and helped us turn the entire process around in a matter of months, even with the multiple weeks-long audits.”

ISO 27701 for privacy protection

ISO 27701 goes beyond ISO 27001 to address privacy protection. While data protection naturally requires a degree of information security (such as the “technical and organizational” measures provided by the GDPR and CCPA), this certification goes much further than simply protecting the information. An organization that has achieved ISO 27701 certification must also protect the rights of the data subjects, which cannot be guaranteed through information security alone.

ISO 27701 supports compliance with a wider, international range of data protection and privacy legislation like HIPAA and CCPA. It also provides a framework for organizations to customize their compliance programs to meet specific legal and regulatory requirements.

"As an industry leader in data protection, Evisort supports our customers in addressing security and privacy challenges in addition to empowering strategic business decisions," Price added. "These certifications provide additional peace of mind for users, which is critical in a time of constantly changing threats and regulatory requirements."

More ways Evisort keeps your data secure

Evisort is also SOC 2 Type 2 certified. We meet a voluntary compliance standard for service organizations developed by the American Institute of Certified Public Accountants that specifies how organizations should manage customer data and prevent malicious attacks, unauthorized deletion of data, misuse, unauthorized alteration, or disclosure of company information.

Measures we use to ensure the safety and privacy of customer data include:

Data control and monitoring – Evisort has continuous monitoring in place, including network and host intrusion detection. We keep full audit logs and conduct vulnerability scans regularly.

Secure web hosting services – Evisort is hosted on Amazon Web Services (AWS) in a multi-tenant configuration. We leverage a host of first- and third-party cloud security tools (such as AWS Config, SecurityHub, and GuardDuty) and infrastructure-as-code based change control practices to ensure we do not apply insecure cloud configurations.

High encryption standards – Data is encrypted at rest and in transit (AES-256).

Worldwide bug bounty program – Evisort runs a worldwide bounty program where white-hat hackers are continuously testing our application and infrastructure to validate our security controls. These researchers test every release and product change before it gets to customers.

Cloudflare application protection – All connections to Evisort are monitored and secured via Cloudflare’s industry-leading set of edge security tools. This lets Evisort monitor for, and helps prevent, malicious visitors by applying technologies such as DDoS prevention, web application firewalls (WAF), and malicious traffic scanning.

“Our high security measures not only protect our own interests, but they also provide peace of mind for our customers, who can trust that their information is secure in our hands,” Price said. “Our investment in robust security measures is a testament to our commitment to putting our customers' needs first.”

To learn more about how Evisort’s secure CLM platform works, visit our product overview page.
